What is Oso Cloud?
Oso Cloud offers Authorization as a Service. It centralizes your authorization logic and exposes APIs for answering authorization questions. You call it from your application code when you need to authorize a request.
In contrast to other Authorization as a Service solutions, you don't have to send your application data to Oso Cloud. You choose what data, if any, you want to centralize. Everything else stays in your application databases. This makes it possible to incorporate Authorization as a Service without the overhead of a data replication process.
How does Oso Cloud work?
You store your application's authorization policy in Oso Cloud. When your application needs to authorize an action, it makes a request to Oso Cloud. Our servers are replicated globally, so this request is always handled close to your application.
Oso Cloud then evaluates the request against your policy. The response from Oso Cloud depends on whether you leave your authorization data in your application databases or centralize it in Oso Cloud.
Leave data in your application databases
If you leave your data in your application databases, Oso Cloud tells your application how to evaluate the request at the client.
Centralize data in Oso Cloud
If you centralize your data in Oso Cloud, Oso Cloud evaluates the request at the server.
What makes Oso Cloud different from other authorization services?
Oso Cloud is purpose-built for application authorization. Its implementation is opinionated, but flexible. This is reflected in three key features:
Policy language
Oso Cloud's policy language, Polar, is optimized for expressing application authorization logic, but it doesn't impose an authorization model. You're free to use whatever makes sense for your application: RBAC, ReBAC, ABAC, or a mixture of all three. This distinguishes Oso Cloud from pure RBAC or ReBAC (Zanzibar) solutions that require you to reinterpret your authorization logic in terms of roles and relationships.
Data model
Oso Cloud provides a prescriptive data model, called facts. Facts express your application data in a format that complements Polar, so evaluation is fast and efficient. This distinguishes Oso Cloud from pure policy engines, which accept arbitrary data structures, but require special policy logic to transform the data during evaluation.
Data management
The primary benefit of authorization services is that they let you centralize your authorization logic. This gives all of your services a consistent view of the authorization model. But these services also require you to centralize your authorization data by synchronizing it to the service. Some organizations find this requirement a deterrent to adoption.
Oso Cloud supports centralizing your data, but doesn't require it. It provides a mechanism for making authorization decisions with data stored directly in your application databases. This lets you take advantage of Authorization as a Service without needing to manage a data replication process. It's also a great way to kick the tires.
Learn more about using data in your application databases.
Ready to get started?
- ⛳ Play a round of Oso golf (inspired by Regex golf) to get familiar with Oso's policy and fact model.
- Write your first policy with our quickstart guide.
Talk to an Oso engineer
If you'd like to learn more about using Oso Cloud in your app or have any questions about this guide, connect with us on Slack. We're happy to help.