There are two components you need to make an authorization decision:
- Logic (also known as models), i.e., the rules that govern who is allowed to do what
- Data, i.e., who actually has what permissions, roles, etc.
This post is about authorization data and how to use it in Oso Cloud.
In Oso Cloud, you represent authorization data in a format called facts. Facts have a name and arguments. Each argument is either a reference to a resource in your application (by its type and identifier) or a literal value, like a string. This format is designed to easily support the most common authorization models (e.g., RBAC, ReBAC) but is also generic enough to support anything that may come up.
Here are some example facts you might store for common authorization models:
Add a fact
Once you have a draft policy in place to represent your authorization logic, the next step is to add some facts. You can do that in the Facts page in Oso Cloud.
Go to the Facts page.
Click the “Add a fact” button.
This opens a new modal window. Type in a fact, following the formatting guidelines in the modal. Then click “Add fact.”
Note: You can only enter facts that match the rules in your policy. If you try to add an invalid fact, you will get an error message. Learn more about writing facts here.
View Your Facts
After you’ve added a fact, go back to the Facts page and you should see the fact right there. Any facts that you add to Oso Cloud will appear on this page (or will be searchable from here).
If you fat-fingered the last fact, or perhaps need to revoke a user’s permissions, you can of course delete facts too.
Find the fact you want to delete on the Facts page. Hover over it, and you’ll see a “Delete” button appear. Click on the delete button to delete the fact.
If you want to go looking for a specific fact (or set of facts) that you don’t see on the Facts page, you can also search through them.
Enter a type/id pair into the search bar.
You’ll immediately see filtered results that match the inputs.
For convenience, you can also click on any argument within a fact to auto-populate the search bar with that term.
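The fact format and the add, search, and delete steps above can be pictured with a small local model. This is an added example, not Oso Cloud's API or implementation and not code from the original post; the fact names, resource types, and the `ALLOWED` table are constructed for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Ref:  # a resource in the application, referenced by type and identifier
    type: str
    id: str

@dataclass(frozen=True)
class Fact:
    name: str
    args: tuple  # each item is a Ref or a literal string

# Constructed stand-in for the fact shapes a policy accepts; "String" is a literal.
ALLOWED = {
    "has_role": [("User", "String", "Organization")],
    "has_relation": [("Repository", "String", "Organization")],
}

def shape(fact):
    return tuple(a.type if isinstance(a, Ref) else "String" for a in fact.args)

class FactStore:
    def __init__(self, allowed):
        self.allowed, self.facts = allowed, set()

    def add(self, fact):  # only facts whose name and argument types are declared
        if shape(fact) not in self.allowed.get(fact.name, []):
            raise ValueError(f"fact does not match policy: {fact}")
        self.facts.add(fact)

    def delete(self, fact):
        self.facts.discard(fact)  # deleting the fact revokes what it granted

    def search(self, type_, id_):
        return [f for f in self.facts if Ref(type_, id_) in f.args]

def demo():
    store = FactStore(ALLOWED)
    alice, acme = Ref("User", "alice"), Ref("Organization", "acme")
    grant = Fact("has_role", (alice, "admin", acme))
    store.add(grant)
    store.add(Fact("has_relation", (Ref("Repository", "api"), "parent", acme)))
    try:
        store.add(Fact("has_role", (acme, "admin", alice)))  # arguments swapped
        rejected = False
    except ValueError:
        rejected = True
    before = len(store.search("User", "alice"))
    store.delete(grant)
    return rejected, before, len(store.search("User", "alice")), len(store.search("Organization", "acme"))
```

`demo()` shows a mistyped fact being rejected at write time and a role grant disappearing from search results once its fact is deleted.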
APIs & CLI
The Facts UI is a handy way to interact with the data you store in Oso Cloud, especially when getting started. You can also manage facts through Oso Cloud’s APIs using our client libraries and CLI. The APIs are not only useful for reproducibility, they also support additional capabilities not currently exposed in the UI, such as:
- Performing bulk actions on facts
- Sending facts as context with requests (instead of storing them in Oso Cloud)
Give it a try
To get started with facts, go to the Facts page. If you don’t have a policy, start with the Policy Builder and see the guide in related topics below.