Authorization Data

To make authorization decisions, Oso uses two components:

  • Your environment's policy, which describes the logic you want to use
  • Authorization data, which describes your application's current state

When choosing where and how to manage your authorization data, Oso offers the following options:

| Authorization data | Description |
| --- | --- |
| Local authorization | Oso lets you describe how facts in your policy are represented in your local database, and then lets you perform the final authorization steps locally. |
| Centralized in Oso | Each Oso Cloud environment provides a database in which you may store authorization data. |
| Context facts | Authorization requests let you provide additional facts, known as context facts. |

When to use each type of authorization data

In general, Oso suggests using local authorization with the following exceptions.

Context facts

Use context facts for authorization data that can only be determined by the requestor's environment.

Centralized in Oso

Centralize data in Oso when:

  • Increasing the load on the database containing the authorization data poses a problem. For example, making authorization decisions within the database requires expensive joins for tables you don't want to index.
  • You cannot or don't want to provide the service access to the database containing the authorization data.