Centralized Authorization Data
Each Oso environment provides a database where you can store authorization data that affects all of the authorization decisions made by the environment.
When making authorization decisions, Oso will allow the request to succeed if it can find centralized authorization data that "matches" any of the conditions expressed in the policy.
How centralized authorization data affects authorization decisions
When Oso receives an authorization request, it evaluates the policy to aggregate sets of facts (typically represented in authorization data) which, if true, let the request succeed.
After evaluating the policy, Oso always tries to find any facts that would satisfy the request in the environment's centralized authorization data.
If Oso finds the data, the request succeeds. If it doesn't, it might consult the request's context facts or, if using the local check API, offer Local Authorization.
When to use centralized authorization
You should store in Oso Cloud the data that is necessary to perform authorization for multiple services.
- If you're using roles to determine permissions, you should store `has_role` facts to indicate which users have which roles on which organizations or resources.
- If you're using attributes that have global meaning in your application, such as a superadmin flag or banned users, you should store facts such as `is_superadmin` or `is_banned`.
In most other contexts, we recommend using Local Authorization.
For details about centralized authorization data versus other strategies, see Authorization data.
Guides
- Sync application data to Oso Cloud
- Export centralized authorization data
- Migrate policies + centralized authorization data
Centralized Authorization Data API
The centralized authorization data API lets you manage the data stored in your Oso Cloud environment.
Each SDK provides the following operations:
| Action | API names | Description |
|---|---|---|
| Transaction | `batch`, `bulk` | (Recommended for writes + deletes) Atomically perform inserts and deletes. We recommend this API when updating data, because the modifications appear atomically. |
| Write | `insert`, `tell` | Write authorization data to Oso. |
| Delete | `delete` | Delete authorization data from Oso. |
| Read | `get` | Return centralized authorization data. This API only returns authorization data centralized in Oso. It does not perform any sort of inference, which is what differentiates it from querying. |
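As an added illustration of the two points above (how a check succeeds when any policy-derived set of facts is found in centralized data, and how the transaction, write, delete and read operations behave), the following self-contained Python models a centralized fact store. It is not the Oso Cloud SDK and does not use its real method signatures; the class, the toy policy and the sample fact values are assumptions.

```python
from typing import Iterable

Fact = tuple  # e.g. ("has_role", "User:alice", "admin", "Organization:acme")

class FactStore:
    """Illustrative model of centralized authorization data (not the Oso SDK)."""

    def __init__(self) -> None:
        self.facts: set[Fact] = set()

    def insert(self, fact: Fact) -> None:      # models "insert" / "tell"
        self.facts.add(fact)

    def delete(self, fact: Fact) -> None:      # models "delete"
        self.facts.discard(fact)

    def batch(self, ops: Iterable[tuple[str, Fact]]) -> None:  # models "batch" / "bulk"
        """Apply ("insert"|"delete", fact) operations atomically: all changes
        become visible in one swap, or none do if any operation is invalid."""
        staged = set(self.facts)
        for op, fact in ops:
            if op == "insert":
                staged.add(fact)
            elif op == "delete":
                staged.discard(fact)
            else:
                raise ValueError(f"unknown op {op!r}")  # self.facts is untouched
        self.facts = staged

    def get(self, predicate: str) -> list[Fact]:   # models "get"
        """Return only stored facts with this predicate. No inference: a
        permission a check would derive from a role is never returned here."""
        return sorted(f for f in self.facts if f[0] == predicate)

def policy(actor: str, action: str, resource: str) -> list[set[Fact]]:
    """Toy policy (assumption): each returned set of facts, if fully present
    in the store, is sufficient for the request to succeed."""
    roles_for_action = {"read": ["member", "admin"], "edit": ["admin"]}
    alternatives = [{("is_superadmin", actor)}]
    for role in roles_for_action.get(action, []):
        alternatives.append({("has_role", actor, role, resource)})
    return alternatives

def authorize(store: FactStore, actor: str, action: str, resource: str) -> bool:
    """Succeeds if any policy-derived fact set is found in centralized data."""
    if ("is_banned", actor) in store.facts:   # globally meaningful attribute
        return False
    return any(needed <= store.facts for needed in policy(actor, action, resource))
```

A failed batch leaves the store exactly as it was, which is the property the table recommends the transaction API for.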
Check API
The check API lets you perform authorization decisions based on data stored in your centralized authorization data store. The methods are documented for each SDK:
Local Check API
Checks using Oso's local check API still consider centralized authorization data. For more information about the local check API, see Local Authorization.