Concepts
Deep Dive Tutorials
Writing Your First Policy
3. Perform Authorization Checks

3. Perform Authorization Checks

Congratulations! If you've made it this far, you can start using your policy and data for authorization enforcement.

In this section you will:

  • Install the Oso Cloud CLI.
  • Use Oso Cloud to perform authorization checks.
  • Validate an authorization allowed result.
  • Validate an authorization denied result.

Writing Authorization Checks

Authorization checks ask specific questions about what actions an actor is allowed to perform. The types of checks that you can make come directly from the rules you write in your policy.

Take another look at the policy we presented in the first section Model Your Application’s Authorization. Here are the two rules stated in the resource block:


resource Organization {
...
# You can read these rules as
# A user has THIS <permission> IF they have THIS <role>.
"employee_view" if "employee";
"admin_view" if "admin";
}

Although each rule has a unique permission and role, they both enforce the same model: granting a permission based on the user’s role.

In the second section, Add Authorization Data to Oso Cloud, you added facts to Oso Cloud. These facts stored information about user roles within an organization.

Now in this section, you'll write authorization checks that ask a direct question to Oso Cloud about user permissions: does a user have permission (fill in the blank) within this organization? Here's how you'll structure the authorization check to Oso Cloud:


# <USER> <PERMISSION> <RESOURCE>
User:paula "admin_view" Organization:org_1

Continue using this structure to run authorization checks against your policy.

Run the Authorization Check Using the Oso Cloud CLI

If you haven't already installed the Oso Cloud CLI, follow the instructions on the Install page (opens in a new tab) in the dashboard. Once you have the Oso Cloud CLI installed, use the authorize command to perform your authorization checks.

Below are 5 example authorization checks you can perform. The results of these checks depend on the facts provided in the previous section: Add Authorization data to Oso Cloud.

  1. Does the user Paula have admin view permissions within the Org 1 organization?


    oso-cloud authorize User:paula "admin_view" Organization:org_1

  2. Does the user Greg have employee view permissions within the Org 1 organization?


    oso-cloud authorize User:greg "employee_view" Organization:org_1

  3. Does the user Ashley have employee view permissions within the Org 4 organization?


    oso-cloud authorize User:ashley "employee_view" Organization:org_4

  4. Does the user Ashley have admin view permissions within the Org 4 organization?


    oso-cloud authorize User:ashley "admin_view" Organization:org_4

  5. Does the user Ashley have employee view permissions within the Org 1 organization?


    oso-cloud authorize User:ashley "employee_view" Organization:org_1

Action Items

Talk to an Oso Engineer

If you'd like to learn more about using Oso Cloud in your app or have any questions about this guide, connect with us on Slack. We're happy to help.

Get started with Oso Cloud →

4. Monitor and Debug Your Authorization