2. Add Authorization data to Oso Cloud

In the previous section you uploaded a policy to Oso Cloud. However, policies are only effective if they have data to enforce. What does this mean? Simply put, you must tell Oso Cloud some concrete facts about who and what exists in your application. Oso Cloud then uses that information, along with your policy, to make authorization decisions.

In this section you will:

  • Identify what data you’ll need for authorization.
  • Write authorization data as facts.
  • Use the Facts page to store authorization data in Oso Cloud.

Identify Data Needed for Authorization

Look at the rules related to a particular resource to get a sense of the data you'll need for authorization. In the example policy we provided, there are two rules contained in the Organization resource block.

actor User {}

resource Organization {
    ...
    # Rule definitions for roles that
    # are part of your Organization.
    "employee_view" if "employee";
    "admin_view" if "admin";
}

Both rules are created from the same type of information: a permission assigned to a role. What is not obvious from the rule statements alone is who these rules will apply to.

In Polar, when you write rules for roles inside a resource block, any defined actor can be the who for the given rule. In this case there is one defined actor type: User.

Putting this all together yields the following information needed for authorization:

  • Who the user is
  • What organization they are part of
  • What role they have within the organization

Write Authorization Data as Facts

The table below provides concrete examples of the information identified as necessary for authorization. You can use this information to write the facts you'll store in Oso Cloud.

User    Organization  Role
Paula   Org 1         admin
Greg    Org 1         employee
Ashley  Org 4         employee

Use the Facts Page to Store Facts in Oso Cloud

Navigate to the Facts page in your Oso Cloud environment.

Click the “Add a fact” button.

This opens a new modal window where you can add a fact.

We’ve written the user, organization, and role information as facts that you can copy and paste one by one into the modal window in Oso Cloud. Each fact describes the role a particular user has within a particular organization. Tell Oso Cloud that:

  1. Paula has the role admin within the Org 1 organization.

    has_role User:paula "admin" Organization:org_1

  2. Greg has the role employee within the Org 1 organization.

    has_role User:greg "employee" Organization:org_1

  3. Ashley has the role employee within the Org 4 organization.

    has_role User:ashley "employee" Organization:org_4

When you’ve finished, your Facts page will display all the facts stored in Oso Cloud.
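To see how these three facts combine with the two rules shown in the Organization resource block, the following added example (not Oso's code and not how Oso Cloud evaluates Polar) parses the facts locally and applies the rules with deny-by-default semantics. It assumes only the two rules visible above are in force; anything elided by `...` in the policy is ignored, and the function names are hypothetical.

```python
import re

# Facts exactly as written in the three tutorial steps.
FACTS_TEXT = '''
has_role User:paula "admin" Organization:org_1
has_role User:greg "employee" Organization:org_1
has_role User:ashley "employee" Organization:org_4
'''

# The two shorthand rules visible in the resource block: permission -> granting role.
# Assumption: no other rules apply (the "..." in the policy is not modelled).
RULES = {"employee_view": "employee", "admin_view": "admin"}

# has_role <Type>:<id> "<role>" <Type>:<id>
FACT_RE = re.compile(r'^has_role\s+(\w+):(\w+)\s+"(\w+)"\s+(\w+):(\w+)$')


def parse_facts(text):
    """Parse has_role lines into (actor, role, resource) tuples; reject malformed lines."""
    facts = set()
    for line in text.strip().splitlines():
        m = FACT_RE.match(line.strip())
        if not m:
            raise ValueError(f"malformed fact: {line!r}")
        a_type, a_id, role, r_type, r_id = m.groups()
        facts.add(((a_type, a_id), role, (r_type, r_id)))
    return facts


def is_allowed(facts, actor, permission, resource):
    """Deny by default: allow only when a fact gives the actor the granting role
    on this exact resource."""
    role = RULES.get(permission)
    return role is not None and (actor, role, resource) in facts


def permissions(facts, actor, resource):
    """List every permission the actor holds on the resource under RULES."""
    return sorted(p for p in RULES if is_allowed(facts, actor, p, resource))


if __name__ == "__main__":
    facts = parse_facts(FACTS_TEXT)
    org_1 = ("Organization", "org_1")
    for user in ("paula", "greg", "ashley"):
        print(user, permissions(facts, ("User", user), org_1))
```

Under these two rules alone, a role fact scoped to one organization grants nothing on another, and the admin role does not carry employee_view because no rule on the page says it does.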
