Bootstrapping root-level resources

When implementing authorization, you face a classic "chicken-and-egg" dilemma: how do you authorize users to create new resources when authorization typically depends on permissions that are granted after those resources exist?

This challenge is particularly relevant in Polar policies, which are typically structured around a root-level resource that serves as the foundation for all other resources. This root-level resource usually takes one of two forms:

For multi-tenant SaaS applications: resource Organization
For consumer applications: actor User

All other resources in the system are then defined and managed in relation to this root-level resource. However, you need to provide an authorization path to create these root-level resources––which we call "boostrapping."

Use the global block to allow some role to create root-level resources.

For example, creating a global role for "admin" with the "create_org" permission will let you authorize requests to create an Organization, even if no other resources exist.

actor User { } global { roles = ["admin"]; permissions = ["create_org"]; "create_org" if "admin"; } resource Organization {} test "global admins can create Organizations" { setup { has_role(User{"alice"}, "admin"); } assert allow(User{"alice"}, "create_org"); }
Seed your authorization data with data providing some users the global role you defined. Typically, this will be a user of your team who should have privileges elevated beyond most other users.

For example, the above policy would require data like:

has_role(User{"alice"}, "admin")

The absence of the third argument is used as a convention to refer to gloabl roles.
In your application, use the explicit authorization API, akin to the CLI command.

For example, you would authorize requests using the above policy and authorization data through the CLI using:

oso-cloud authorize User:alice create_org

Bootstrapping root-level resources

See also