Checking Authorization Decisions

Oso Cloud provides a set of Check APIs for accessing authorization decisions. They consist of the following commands:

  • authorize
  • authorize-resources
  • list
  • actions

There are four main ways you can access the Check APIs:

| Method of Calling the Check API | Best used for... |
| --- | --- |
| Calling authorize via the Explain Page | Testing and development; Troubleshooting |
| Calling authorize, authorize-resources, list, and actions via the CLI | Testing and development; Troubleshooting |
| Calling authorize, authorize_resources, list, and actions via the HTTP API | Implementing authorization enforcement |
| Calling authorize, authorize_resources, list, and actions via a language-specific client (Node.js, Python, Go, Ruby, or .NET) | Implementing authorization enforcement |

The various options for calling the Check APIs help facilitate your development process, at whatever stage it might be in. At times you may be working in the Dashboard to try new ideas using the Policy Builder and Editor. In that case, adding facts and running authorization checks from the Dashboard might be the most convenient option. However, to integrate Oso Cloud into your app for authorization enforcement, you'll need to use a language-specific client.

Get Started with Check APIs

Prerequisites

Use the sample policy and authorization data below to begin checking authorization decisions. You can also go back to Application Modeling Basics. There, you'll find more authorization patterns to explore using the Check APIs.

Example Policy


actor User {}

# Top level resource.
resource Organization {
  permissions = [
    "read",
    "write"
  ];
  roles = [
    "member",
    "admin"
  ];

  # Rules assigning permissions to roles.
  "read" if "member";
  "read" if "admin";
  "write" if "admin";
}

Supporting Facts

oso-cloud tell has_role User:neil admin Organization:org_1
oso-cloud tell has_role User:neil admin Organization:org_2
oso-cloud tell has_role User:neil member Organization:org_3

Action Items

Checking Permissions

Use the authorize command in the Oso client to return a boolean authorization decision.

Can the user neil perform the read action on the organization: "org_1"?

oso-cloud authorize User:neil read Organization:org_1

Returned Values

Given the policy and supporting facts, Oso Cloud will return true.

Listing Authorized Resources

Given a set of resources, use the authorize-resources command in the Oso client to return the subset of those resources on which a given permission is allowed.

Can the user neil perform the write action on any of the following organizations: "org_1", "org_2", or "org_3"?

oso-cloud authorize-resources User:neil write \
    Organization:org_1 \
    Organization:org_2 \
    Organization:org_3

Returned Values

Given the policy and supporting facts, Oso Cloud will return the list: [Organization:org_1, Organization:org_2].

Listing Authorized Resources of a Given Type

Use the list command in the Oso Client to return all resource ids of a specific type where a given permission is allowed.

On what organizations can the user neil perform the read action?

oso-cloud list User:neil read Organization

Returned Values

Given the policy and supporting facts, Oso Cloud will return the list: [org_1, org_2, org_3].

Listing Authorized Actions

Use the actions command in the Oso Client to return all the permissions available to an actor on a given resource.

What actions can the user neil perform on the organization: "org_1"?

oso-cloud actions User:neil Organization:org_1

Returned Values

Given the policy and supporting facts, Oso Cloud will return the list: [read, write].
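The four checks above, reproduced as a small local model of the sample policy and facts so the expected decisions, including denials, can be asserted in a unit test without calling Oso Cloud. This is an added example, not Oso's client or evaluation engine; GRANTS, FACTS and the function names are hypothetical.

```python
# Added example: local model of the page's sample policy and facts.
# Not the Oso Cloud client; every name below is hypothetical.

# Policy: the roles that grant each Organization permission.
GRANTS = {
    "Organization": {
        "read": {"member", "admin"},
        "write": {"admin"},
    }
}

# Facts: (actor, role, resource), matching the three `oso-cloud tell` commands.
FACTS = {
    ("User:neil", "admin", "Organization:org_1"),
    ("User:neil", "admin", "Organization:org_2"),
    ("User:neil", "member", "Organization:org_3"),
}


def authorize(actor, action, resource):
    """Boolean decision; anything not granted through a fact is denied."""
    rtype = resource.split(":", 1)[0]
    roles = GRANTS.get(rtype, {}).get(action, set())
    return any((actor, role, resource) in FACTS for role in roles)


def authorize_resources(actor, action, resources):
    """Subset of the given resources on which the action is allowed."""
    return [r for r in resources if authorize(actor, action, r)]


def list_resources(actor, action, rtype):
    """IDs of every known resource of rtype on which the action is allowed."""
    known = sorted({res for _, _, res in FACTS if res.startswith(rtype + ":")})
    return [r.split(":", 1)[1] for r in known if authorize(actor, action, r)]


def actions(actor, resource):
    """Every permission the actor holds on one resource."""
    rtype = resource.split(":", 1)[0]
    return sorted(a for a in GRANTS.get(rtype, {}) if authorize(actor, a, resource))
```

All three derived checks reduce to repeated authorize decisions, so an actor or resource with no matching fact is denied by default.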
