
FAQs

What is Oso Cloud exactly?

Oso Cloud is authorization as a service. It lets you model common authorization patterns, store authorization-relevant data, and respond to all authorization questions from any of your apps.

Concretely, it consists of the following pieces:

  • A declarative policy language (called Polar) for writing authorization logic.
  • Oso Cloud, the service, which stores authorization data (like roles) and responds to permission checks and related questions over an HTTP API. Our servers are replicated globally for <10ms latency and >99.99% uptime.
  • Clients for most popular programming languages, and a CLI for interacting with our APIs.
  • A UI that lets you interact with our APIs, as well as additional tooling, like a debugger.


What data should I store in Oso Cloud?

When using Oso Cloud, store your authorization policy and only the data necessary to perform authorization. For example, you might store information that states the user Alice is the owner of a Document. Or, you might store the fact that a certain resource in your application is public.

Data to store in Oso Cloud

The table below shows some common authorization models and the types of data you should store in Oso Cloud for each model.

| Authorization Model | Policy Rules | Example Data You’ll Store |
| --- | --- | --- |
| Role Based | Rules granting permissions to particular roles. | User Alice has the role admin in organization Acme. |
| Relationship Based | Rules defining relationships between objects. | Team Projects is the parent workspace for project Beta. |
| Attribute Based | Rules defining attributes of an object. | User Eric is a contractor. |

Data you don’t need to store in Oso Cloud

Sometimes it makes sense not to store all authorization-relevant data in Oso Cloud. For these cases, we provide mechanisms to send contextual data when authorization is needed. Contextual data is not stored and only exists for the duration of the request. Here are some examples where data values frequently change. You can send this data as contextual data when performing authorization.

| Use Case | Policy Rules | Contextual Data |
| --- | --- | --- |
| Time Sensitive Document Access | Rules granting read permissions during a specified date range. | Send time/date data along with authorization requests. |
| Activity Based Credit Card Limits | Rules increasing/decreasing spending limits based on a planned user activity. | Send activity data (the user is traveling, event planning, etc.) along with authorization requests. |
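
The split between stored data and contextual data, sketched as an added example for the time-sensitive document case. This is not Oso Cloud's API or Polar; the fact names, `READ_WINDOWS`, and `authorize` are hypothetical, and the sample facts are constructed.

```python
from datetime import datetime, timezone

# Constructed sample data: long-lived facts of the kind the page says to store.
STORED_FACTS = {
    ("has_role", "User:alice", "admin", "Organization:acme"),
    ("has_relation", "Document:q3-report", "organization", "Organization:acme"),
    ("is_public", "Document:handbook"),
}

# Hypothetical rule input: the date range in which q3-report may be read.
READ_WINDOWS = {
    "Document:q3-report": (
        datetime(2024, 1, 1, tzinfo=timezone.utc),
        datetime(2024, 3, 31, tzinfo=timezone.utc),
    ),
}


def authorize(actor, action, resource, context_facts=()):
    """Decide one request from stored facts plus request-scoped context facts."""
    # Context facts join a per-request view only; STORED_FACTS is never modified.
    facts = STORED_FACTS | set(context_facts)
    if action != "read":
        return False
    if ("is_public", resource) in facts:
        return True
    # Role-based part: actor must be admin of the organization owning the resource.
    orgs = {
        f[3] for f in facts
        if len(f) == 4 and f[:3] == ("has_relation", resource, "organization")
    }
    if not any(("has_role", actor, "admin", org) in facts for org in orgs):
        return False
    # Time-sensitive part: the current time must arrive as a context fact.
    window = READ_WINDOWS.get(resource)
    if window is None:
        return True
    times = [f[1] for f in facts if f[0] == "current_time"]
    # Fail closed when the caller sent no time or sent conflicting times.
    if len(times) != 1:
        return False
    return window[0] <= times[0] <= window[1]
```

The same stored role yields a different decision depending on the time sent with the request, and a request that omits the time is denied rather than defaulting to allow.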


How do you secure Oso Cloud?

We secure Oso Cloud using operational practices that create reliability for our business and mitigate security risks. Here are some of the things we do:

  • Require Single-Sign-On and Two-Factor Authentication for all systems with customer data
  • Enforce hardware-backed WebAuthn Two-Factor Authentication wherever possible
  • Follow strict CI/CD practices and use automated tools to build, test, and release versions of Oso Cloud
  • Collect and analyze logs from our critical vendors to assess security events in real time
  • Maintain backups of critical infrastructure and practice our recovery procedures in the event of emergencies

We also take data privacy very seriously. While our operations practices minimize security risks, we also ensure that customer data is:

  • Never shared with 3rd parties
  • Kept securely within our VPCs and private AWS resources
  • Stored using per-customer isolation
  • Encrypted, both in flight to Oso Cloud and while at rest


What is Polar?

Polar is the Oso policy language. It is a declarative, logic-based language that is optimized for handling the ambiguity inherent in writing authorization policies. We build and maintain Polar as a key part of our open source authorization framework.

