Oso Use Case: A Common Way to Handle Authorization Across Many Apps at Bjerk.io
We sat down with Simen A. W. Olsen of Bjerk.io, an expert software consultancy. He's used Oso in three projects now, each very different from the other: Indiv, Tabetalt, and nestjs-oso.
Could you tell us about Indiv?
The Norwegian government takes responsibility for helping keep people on their feet and get back on their feet when they get hurt. Vocational rehabilitation — that is, helping people get back to work after injury or disability — comes with many complex legal requirements in Norway. Indiv is an app for handling the requirements for these kinds of vocational programs, and for managing the required reporting to the government.
How do you use Oso with Indiv?
Each company that uses Indiv has very different requirements, so without Oso we would have had to write custom authorization code for each organization. To make that simpler, we expose Oso's policy language, Polar, to our users — who themselves are system admins. We start by providing a default Polar policy, and from there teach our users basic Polar syntax to make their own modifications. Most users are happy to get our default setup, which has a few default roles that we tailored to be easy to understand. Other users want special configuration, so they write the Polar policy themselves. Since a user’s authorization policy only applies to their tenant, we can give them complete access to their policy.
Here’s the default policy we give to someone in Indiv:
allow(actor: Actor, "list", resource: Journal) if role(actor, "program-manager") or role(actor, "admin") or ( resource.userId > "" and ( role(actor, "supervisor", "user", resource.userId) or role(actor, "work-supervisor", "user", resource.userId) ) );
Indiv exposes nearly every resource in our system to Oso. We even bundle feature toggles with permissions — a system we call "Capabilities" — to provide easy on-off access to different parts of the system, which has worked well for our users.
We would have to do so much work to make all this happen if we didn't use Oso!
How about Tabetalt?
Tabetalt is a headless e-commerce platform. You just make API calls to the software — there's no UI. The platform's usability from a developer perspective is very important, so we're focused on making a great experience for engineers using our API.
How does Tabetalt use Oso?
We use Oso to handle authorization for the store owners, and it just works. The biggest thing we've built with Oso is our tenancy model — multi-tenancy is just so much easier with Oso. Because of Oso’s level of abstraction, building a multi-tenant system is as simple as an if-statement. The current tenant is available through the User class, which we’ll always have in our Polar policy.
Here’s a policy similar to the one we’re using in production:
allow(user: User, "read", product: Product) if user.tenantId = product.tenantId and ( product.status = "active" or role(user, "admin") );
You also built nestjs-oso. What is it, and what led you to build it?
We use both Nest.js and Oso extensively at Bjerk.io, and found we needed a tool that simplified using them together. nestjs-oso handles a lot of the common Oso setup code, like registering classes and loading the policy file. You can use Next.js-style decorators to load classes, or you can access Oso's native API whenever you need to.
Do you have any final words of advice for our readers?
Get involved in the Oso community! It’s very welcoming and is great to be a part of. The easiest way is to join the Community Slack. Hope to see you there!****