FAQs

What is Oso Cloud exactly?

Oso Cloud is authorization as a service. It lets you model common authorization patterns, store authorization-relevant data, and respond to all authorization questions from your app.

Concretely, it consists of the following pieces:

• A declarative policy language (called Polar) for writing authorization logic.
• Oso Cloud, the service, which stores authorization data (like roles) and responds to permission checks and related. questions over an HTTP API. Our servers are replicated globally for <10ms latency and >99.99% uptime.
• Clients for most popular programming languages, and a CLI for interacting with our APIs.
• A UI that lets you interact with our APIs, as well as additional tooling, like a debugger.

Read On

• Where does Oso Cloud fit into your infrastructure? (opens in a new tab)

What data should I store in Oso Cloud?

When using Oso Cloud, you store your authorization policy and only the data necessary to perform authorization. Typically this is roles, permissions, groups, and any attributes that are primarily used for authorization (e.g., whether a resource is public or private).

Data to store in Oso Cloud

The table below shows some common authorization models and the types of data you'd store in Oso Cloud for each model.

Data you don’t need to store in Oso Cloud

You probably won't store all authorization-relevant data in Oso Cloud. Specifically, data that you use heavily in other parts of the application and that change often you might just keep in your application database (like relationships between files and folders). For these cases, you can just send that data as context at request time. Here are some examples:

Read on

• What data should I store in Oso Cloud? (opens in a new tab)
• When to use contextual data? (opens in a new tab)

How do you secure Oso Cloud?

We secure Oso Cloud using operational practices that create reliability for our business and mitigate security risks. Here are some of the things we do:

• Require Single-Sign-On and Two-Factor Authentication for all systems with customer data
• Enforce hardware-backed WebAuthN Two-Factor Authentication wherever possible
• Follow strict CI/CD practices and use automated tools to build, test, and release versions of Oso Cloud
• Collect and analyze logs from our critical vendors to assess security events in real time
• Maintain backups of critical infrastructure and practice our recovery procedures in the event of emergencies

We also take data privacy very seriously. While our operations practices minimize security risks, we also ensure that customer data is:

• Never shared with 3rd parties
• Kept securely within our VPCs and private AWS resources
• Stored using per-customer isolation
• Encrypted, both in flight to Oso Cloud and while at rest

Read On

• Security at Oso Cloud (opens in a new tab)

What is Polar?

Polar is the Oso policy language. It is a declarative, logic-based language that is optimized for handling the ambiguity inherent in writing authorization policies. We build and maintain Polar as a key part of our open source authorization framework.

Read On

• Polar Syntax (opens in a new tab)

Does Oso do authentication or user management?

No, Oso assumes that you have a system in place for authenticating users and that you're storing user data elsewhere (e.g., in a database, hosted service). You can use user information as parameters in rules, but Oso is not a substitute for an identity or authentication provider. For that, we quite like Stytch (opens in a new tab), as do many of our customers.

Read On

• Polar Syntax (opens in a new tab)

Talk to an Oso Engineer

If you'd like to learn more about using Oso Cloud in your app or have any questions about this guide, connect with us on Slack. We're happy to help.

Get started with Oso Cloud →