The next version of the Oso Roles library (sqlalchemy-oso-preview 0.0.2) is out! This library is in early access while we continue to iterate on it. Check it out here.
Simpler initialization
The SQLAlchemyOso object is now available to initialize the Oso Roles library. This object exposes Oso, OsoRoles and sqlalchemy-oso functionality through one initialization flow.
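from sqlalchemy_oso import SQLAlchemyOso
from sqlalchemy.ext.declarative import declarative_base

# Declarative base shared by the application's models
Base = declarative_base()
# Single entry point for Oso, OsoRoles and sqlalchemy-oso
oso = SQLAlchemyOso(Base)
# User and sessionmaker come from your application
oso.enable_roles(User, sessionmaker)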
You can find an example in our Getting Started guide.
Write policies to conditionally enable permissions based on roles
You can now access Oso-managed user-to-role assignments created through the role-management API in policies using Roles.user_in_role(user, role, resource). user_in_role allows you to write a policy that enables actions conditionally depending on both the role assignment for the user and properties of the resource being accessed.
For example, in the context of our sample application, GitClub, the rule below allows a user to create a Repository if they have the org_owner role and the repository they're creating is public.
allow(user: User, "create", resource: Repository) if
    resource.is_public = true and
    Roles.user_in_role(user, "org_owner");
New management API for accessing a user's direct role assignments
assignments_for_user returns all direct role assignments for a single user.
1x1 roles setup with an Oso engineer
Our team is available to get you started with the Oso Roles library. If you'd like to try out the new library, or are interested in learning how you'd use it in your application, schedule a 1 on 1 with one of our engineers!
For more details on these and other changes, read the changelog.
If you ever have questions, we're available to talk about how to get from one version to the next, or to discuss anything you'd like about the product, your use case, or authorization more generally – join us on Slack.