
Model Your Authorization with the Policy Builder

One of the main things we do is talk with engineers about their authorization needs. In those discussions, we realized they needed help both with how to think about their app's authorization and with the modeling itself. As much as we enjoy helping in this way, most engineers would rather create a policy without having to schedule a call. So, we developed a self-service tool: the Policy Builder.

From the thousands of conversations that we’ve had with engineering teams, we collected the top 10 most common authorization patterns we see, and put them into a single page. You can select any combination of patterns and out pops an example policy.


For example, suppose you want to build the next Figma-killer. To start, you’d want to support:

  • Multiple customers (multi-tenancy)
  • Sharing files and folders
  • User groups

When you go to the Policy Builder, there are 3 patterns that line up. Select each of those patterns, and on the right you’ll see an example policy:


From there, you can use the policy as is, or make edits to customize it for your application. Let’s look at each piece of the policy.

The multitenancy policy lets you support multiple customers by adding roles to organizations (aka customers):

resource Organization {
    roles = ["admin", "member"];

    "member" if "admin";
}

Next is the sharing snippet. By default the Policy Builder uses Organizations and Repositories as the resources. You can change this to Organizations and Folders, so it lines up better with the Figma-killer app model:

resource Folder {
    # ... snip ...

    roles = ["reader", "admin"]; # << to share, assign a role on the folder

    # permission to share
    "invite" if "admin";
}

The groups policy is last. It says that a user has a role on a resource if they're in a group and that group has the role on the resource:

# Actors inherit roles from groups
has_role(user: User, role: String, resource: Resource) if
    group matches Group and
    has_group(user, group) and
    has_role(group, role, resource);

If you want to add support for more authorization models in the future, you can add them to this file (through the Policy Builder or on your own). The models build on each other, so you can start with simpler ones and add the rest when needed.
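To show how the three snippets fit together, here is one way to combine them into a single policy for the Figma-killer model. This is an added example, not output of the Policy Builder or code from the original post; the `actor` declarations, the `permissions` lists, the `organization` relation on Folder and the rule that org admins administer every folder in their org are assumptions layered on top of the snippets above.

```polar
# Added example: the three patterns composed into one policy.
# Assumed: User and Group are both actors, so a Group can hold a role
# that its members inherit through the has_role rule at the bottom.
actor User { }
actor Group { }

# Multitenancy: each customer is an Organization with its own roles.
resource Organization {
    roles = ["admin", "member"];
    permissions = ["read", "create_folder"];   # assumed permission names

    "member" if "admin";
    "read" if "member";
    "create_folder" if "member";
}

# Sharing: assigning a role on a Folder shares it with that actor.
resource Folder {
    roles = ["reader", "admin"];
    permissions = ["read", "invite"];          # assumed permission names
    relations = { organization: Organization }; # assumed: folders belong to an org

    # Assumed: org admins administer every folder in their organization
    "admin" if "admin" on "organization";

    "reader" if "admin";
    "read" if "reader";
    "invite" if "admin";                         # permission to share
}

# Groups: actors inherit roles from the groups they belong to.
# has_group(user, group) is a plain fact you store alongside has_role facts.
has_role(user: User, role: String, resource: Resource) if
    group matches Group and
    has_group(user, group) and
    has_role(group, role, resource);
```

With this policy, granting `"reader"` on a Folder to a Group shares it with every user who has a `has_group` fact for that Group, and an Organization admin can `invite` on any Folder related to the Organization without a per-folder role assignment.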

But for now, you have a complete policy that’s ready to go. To try it out, go to https://ui.osohq.com/policy/

