Get Started
Beginner's Guide


Welcome to Oso! Let's get you started on the journey to supercharge authorization in your application.

Before we get started

You'll need a couple of things for this tutorial:

  1. An Oso Cloud account. You can get one at (opens in a new tab).
  2. A sample application that you can modify and launch locally. We have clients for Node, Python, Go, Ruby, and .NET.

Building your first policy

The first thing you need on this journey is a policy. A policy contains the authorization logic that Oso Cloud will use to determine access. A minimal policy comprises an Actor, the subject of an authorization query, and a Resource, the object of an authorization query, with at least one permission.

For example, you may want to control "read" access for users to Repositories in your multi-tenant application.

actor User {}
resource Repository {
    permissions = ["read"];
We will use this example for the remainder of the guide, but feel free to pick your own Actor, Resource, and permission(s).

Once you have constructed a policy, upload it using the Rules Editor (opens in a new tab) page. That's it! In practice, your policy will have some more bells and whistles; we'll add those in due time, but this is enough to get things rolling.

Optional reading:

Adding Oso Cloud to your application

You're ready to add Oso Cloud to your application, so load up the application code in your favorite IDE.

  1. Generate a new read-write token from the Settings (opens in a new tab) page and initialize your environment.
  2. Follow the steps on the Install (opens in a new tab) page to integrate Oso Cloud into your application. The sample code uses hardcoded values for the Actor and Resource IDs. In practice, you'll retrieve these from contexts available to your application; the hardcoded values are good enough for now, and we'll use them in our examples.

Launch your application and attempt to access the endpoint now protected by Oso Cloud. You'll get an exception. That's because you still need to grant the permission to the Actor! You can see information about this denied request on the Logs (opens in a new tab) page.

Granting permissions

You grant permissions by adding facts. Facts are the authorization-relevant data that Oso Cloud will use to determine access.

Following our example, if we want to allow User:123 to "read" Repository:456, we need to add the following fact:

has_permission User:123 "read" Repository:456

You can do this using the Data (opens in a new tab) page.

Now, try reaccessing the endpoint. No exceptions!


Congratulations, you've successfully added enforcement to your application.

Optional reading:

From example, to practice

Updating the authorization logic

Most use cases do not have individual permissions assigned to each Actor on each Resource; that would be too many to manage! Instead, it's common to assign a "role" that has the desired permission(s); this is referred to as Role-Based Access Control (RBAC). Follow the Roles example to update your policy to support roles. Note: you do not need to update your application code after you've made the changes!

Example Solution
actor User {}
resource Repository {
    roles = ["member"];
    permissions = ["read"];
    "read" if "member";
has_role User:123 "member" Repository:456

Continuing the journey

  1. Learn the steps for building authorization with Oso Cloud
  2. Review successful and failed authorization checks (opens in a new tab)
  3. Explore additional models

Talk to an Oso Engineer

If you'd like to learn more about using Oso Cloud in your app or have any questions about this guide, connect with us on Slack. We're happy to help.

Get started with Oso Cloud →