Enforce an Oso Policy

To use an Oso policy in your app, you’ll need to “enforce” it. A policy is useless without an app that consults the policy on user actions. For most apps, policies can be enforced on multiple “levels”:

Resource-level: is the user allowed to perform this action on a particular resource?
Field-level: which fields on this object can the user read? Which ones can they update?
Request-level: should this user even be able to hit this endpoint, regardless of the resources it involves?

Oso provides an API to enforce authorization at all levels, each of which are described in this guide.

An Oso instance provides the following methods to enforce to make it easy to enforce your policy in a number of situations:

authorize(actor, action, resource): Ensure that an actor can perform an action on a certain resource. Read about resource-level enforcement.
authorize_request(actor, request): Ensure that an actor is allowed to access a certain endpoint. Read about request-level enforcement.
authorize_field(actor, action, resource, field): Ensure that a actor can perform a particular action on one field of a given resource. Read about field-level enforcement.
authorized_actions(actor, resource): List the actions that actor is allowed to take on resource.
authorized_fields(actor, action, resource): List the fields that actor is allowed to perform action upon.

We recommend starting out by reading about resource-level enforcement.

Connect with us on Slack

If you have any questions, or just want to talk something through, jump into Slack. An Oso engineer or one of the thousands of developers in the growing community will be happy to help.