Centralized in Oso

Centralized authorization data

Each Oso environment provides a database where you can store authorization data that affects all of the authorization decisions made by the environment.

When making authorization decisions, Oso will allow the request to succeed if it can find centralized authorization data that "matches" any of the conditions expressed in the policy.

How centralized authorization data affects authorization decisions

When Oso receives an authorization request, it evaluates the policy to aggregate sets of facts (typically represented in authorization data) which, if true, let the request succeed.

After evaluating the policy, Oso always tries to find any facts that would satisfy the request in the environment's centralized authorization data.

If Oso finds the data, the request succeeds. If it doesn't, it might consult the request's context facts or, if using the distributed check API, offer Local Authorization.

When to use centralized authorization

Store data in Oso Cloud when it is necessary to perform authorization for multiple services.

  • If you're using roles to determine permissions, you should store has_role facts to indicate which users have which roles on which organizations or resources.
  • If you're using attributes that have global meaning in your application, such as a superadmin flag or banned users, you should store facts such as is_superadmin or is_banned.

In most other contexts, we recommend using Local Authorization.

For an account of when to use centralized authorization data versus other strategies, see Authorization Data.
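The following Python model is an added illustration of the decision flow and fact types described above; it is not Oso's implementation or SDK. The policy in `conditions`, the sample facts, and the way context facts are merged with centralized data are assumptions made for the example.

```python
# Simplified model (an assumption, not Oso's implementation) of the decision
# flow: the policy yields alternative sets of facts, and the request succeeds
# if every fact in at least one alternative can be found.
from typing import FrozenSet, Iterable, List, Optional, Set, Tuple

Fact = Tuple[str, ...]

# Constructed sample of centralized facts shared by every service.
CENTRAL: Set[Fact] = {
    ("has_role", "User:alice", "admin", "Organization:acme"),
    ("is_superadmin", "User:root"),
}


def conditions(actor: str, action: str, org: str) -> List[FrozenSet[Fact]]:
    """Hypothetical policy: each returned set is one way the request can succeed."""
    alternatives = [
        frozenset({("is_superadmin", actor)}),           # global attribute
        frozenset({("has_role", actor, "admin", org)}),  # admins may do anything
    ]
    if action == "read":
        alternatives.append(frozenset({("has_role", actor, "member", org)}))
    return alternatives


def authorize(actor: str, action: str, org: str,
              context_facts: Iterable[Fact] = ()) -> Tuple[bool, Optional[str]]:
    """Return (allowed, source), where source names the data that satisfied the request."""
    alternatives = conditions(actor, action, org)
    # 1. Centralized authorization data is always consulted.
    if any(alt <= CENTRAL for alt in alternatives):
        return True, "centralized"
    # 2. Otherwise, facts supplied with the request may complete a condition.
    known = CENTRAL | set(context_facts)
    if any(alt <= known for alt in alternatives):
        return True, "context"
    # 3. No matching facts anywhere: the request is denied.
    return False, None


if __name__ == "__main__":
    print(authorize("User:alice", "edit", "Organization:acme"))
    print(authorize("User:bob", "read", "Organization:acme"))
```

In this model a request with no matching facts is denied, so a missing `has_role` fact fails closed rather than open.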

Guides

Centralized Authorization Data API

The centralized authorization data API lets you manage the data stored in your Oso Cloud environment, such as adding and deleting facts.

Check API

The check API lets you perform authorization decisions based on data stored in your centralized authorization data store. The methods are documented for each SDK.

Distributed Check API

Checks using Oso's distributed check API still consider centralized authorization data. For more information about the distributed check API, see Local Authorization.
