What are Facts?

Facts are Oso Cloud's data model. It's what allows you to express the data within your application that is required for authorization. Communicating the data needed for authorization can be challenging because it often resides in many places, has multiple uses, and is conflated with other data. Facts provide some structure to the authorization problem — they ask you to express your data in the smallest possible chunks. They also support the most common patterns found in role-based, relationship-based, and attribute-based authorization models.

Regardless of the authorization pattern you'll support with facts, all facts have the same structure: a name and arguments. Each name comes from a rule written in your policy. Each argument references either a resource in your application (by its type and identifier), or a literal value, like a string.


<FACT_NAME> (<ARG_1>, <ARG_2>, ..., <ARG_5>)

NOTE: The name of a fact comes from rules written in your policy. Each fact can have up to 5 arguments.

Here’s an example fact that says that Alice has an “admin” role on the Acme organization:


has_role(User:alice, "admin", Organization:acme)

Here's another fact that says that the “Anvils” repository is public:


is_public(Repository:anvils)
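
The structure described above (a name, then up to five arguments that are each a typed resource reference or a literal) can be checked mechanically. The following is an added example, not Oso's code or SDK: a hypothetical parse_fact helper that reads the notation shown on this page and rejects malformed facts. The lexical rules in its regular expressions are assumptions of this example.

```python
import re
from typing import NamedTuple, Tuple, Union

MAX_ARGS = 5  # the page: "Each fact can have up to 5 arguments"

class Resource(NamedTuple):
    type: str  # e.g. "User"
    id: str    # e.g. "alice"

class Fact(NamedTuple):
    name: str
    args: Tuple[Union[Resource, str], ...]  # resource references or string literals

# Assumed lexical rules (not taken from Oso documentation): lower-case fact
# names, capitalised resource types, double-quoted literals without escapes.
_FACT = re.compile(r'\s*([a-z_][a-z0-9_]*)\s*\((.*)\)\s*', re.S)
_ARG = re.compile(r'\s*(?:"([^"]*)"|([A-Z]\w*):([\w-]+))\s*(,|$)')

def parse_fact(text: str) -> Fact:
    """Parse 'name(arg, ...)' and reject anything that is not well formed."""
    m = _FACT.fullmatch(text)
    if not m:
        raise ValueError(f"expected name(args), got {text!r}")
    name, body = m.groups()
    args, pos = [], 0
    while True:
        a = _ARG.match(body, pos)
        if not a:  # bare words, empty slots and trailing commas end up here
            raise ValueError(f"bad argument at offset {pos} of {body!r}")
        literal, rtype, rid, sep = a.groups()
        # Keep "admin" (a literal) distinct from User:admin (a resource).
        args.append(literal if literal is not None else Resource(rtype, rid))
        pos = a.end()
        if sep != ",":
            break
    if len(args) > MAX_ARGS:
        raise ValueError(f"{name}: {len(args)} arguments, limit is {MAX_ARGS}")
    return Fact(name, tuple(args))

if __name__ == "__main__":
    # The two example facts from this page.
    for line in ('has_role(User:alice, "admin", Organization:acme)',
                 'is_public(Repository:anvils)'):
        print(parse_fact(line))
```

Keeping the literal "admin" and a resource such as User:admin as different Python types means a role name can never be mistaken for an identity when the parsed fact is later compared or stored.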

In the next section, you'll learn how to write facts for a variety of authorization patterns.
