FAQs

What are Oso Cloud's key features?

Oso Cloud is Authorization as a Service (opens in a new tab). It helps you model common authorization patterns, test your configuration, and make authorization decisions at runtime.

Concretely, it consists of the following pieces:

  1. Oso Cloud, the service (built in Rust 🦀) that responds to authorization questions over an HTTP API. Oso Cloud hosts your authorization logic and stores any data that you choose to centralize (like roles).

  2. Polar, our declarative configuration language for expressing authorization logic.

  3. Facts, a concise, expressive data format that is optimized for authorization operations.

  4. Workbench, a visual editor for writing and testing authorization logic in Polar.

  5. Clients for Node.js, Python, Go, Ruby, .NET, Java

  6. Tools to give you short and tight feedback loops, like a VS Code extension, unit tests, a debugger, and logging.

Is Oso Cloud based on Google Zanzibar?

No.

We borrow some ideas from Zanzibar – e.g., facts are a kind of extension of tuples in Zanzibar. But fundamentally Oso is a logic engine under the hood, and it’s been this way since the first version of Oso in 2020. This design decision has proven key to making Oso flexible. This flexibility shows up in a number of ways – i.e., to express any scenario required in Polar, to query Oso along any dimension, and to get observability out of the platform. It also means Oso is not beholden to any of the semantic or architectural limitations of Zanzibar implementations.

Why do I need an authorization service?

Consider Oso Cloud if your team:

  • Manages applications composed of multiple services or microservices
  • Struggles to understand or debug authorization decisions
  • Is considering writing your own authorization service
  • Is preparing to rewrite your authorization code

To learn more about whether or not Authorization as a Service is a good fit for your application, read What is a good use case for Oso? (opens in a new tab)

What questions can Oso Cloud answer?

Oso Cloud can answer everything from simple yes/no permission checks to sophisticated questions about recursively inherited permissions. Some examples of questions you can answer with Oso are:

  • Can User X perform Action Y on Resource Z?
  • What are all of the Resources that User X can perform Action Y on?
  • What are all of the Actions that User X can perform on Resource Z?
  • What are all of User X’s Roles on any Organization?
  • What Groups is User X a member of?

...and just about any other authorization question you can think of.

How does Oso Cloud represent authorization data?

Oso Cloud represents data as facts that describe the authorization characteristics of objects in your application. Some examples of facts in a GitHub-style application are:

  • Bob can edit the "docs" repo: has_permission(User{"bob"}, "edit", Repository{"docs"}).
  • Bob is an owner of the Acme organization: has_role(User{"bob"}, "owner", Organization{"acme"}).
  • The Anvils repository belongs to the Acme organization: has_parent(Repository{"anvils"}, Organization{"acme"}).
  • The Oso repository is public: is_public(Repository{"oso"}).

Read On

What is Polar?

Polar is Oso's configuration language. It is a declarative, logic-based language that is optimized for handling the ambiguity inherent in writing application authorization policies. Most folks can learn the basics in an hour. We build and maintain Polar as a key part of our authorization framework.

Read On

How does Oso Cloud answer authorization questions?

When your application asks an authorization question, like "can User:1 read Org:1?", Oso Cloud uses your policy and facts to determine whether there is a match for has_permission(User:1, "read", Org:1):

Oso Cloud answers authorization questions using your Polar policy and your facts.

Under the hood, Oso Cloud queries the Polar policy engine to determine all of the combinations of facts whose existence would grant that particular permission to the actor — in other words, all of the ways that the actor might have that permission. Then it determines whether there is a set of facts that actually grants the permission.

  • for data that you store in Oso Cloud, Oso Cloud queries its fact store directly
  • for data that you store locally, Oso Cloud tells your application how to search for the facts in your application database

Where does Oso Cloud fit into your infrastructure?

Oso Cloud is a managed service, meaning that Oso, Inc. runs it for you. We handle deployment, upgrades, and maintenance. Your applications talk to Oso Cloud over an HTTP API to perform authorization checks, query authorization-related data, or make changes to data stored in Oso Cloud. We provide native clients for many popular languages, or your app can communicate directly with the HTTP API.

Basic Architecture of Oso Cloud: Your Apps all talk to Oso Cloud over an HTTP API

Does Oso do authentication or user management?

No, Oso assumes that you have a system in place for authenticating users and that you're storing user data elsewhere (e.g., in a database, hosted service). You can use user information as parameters in rules, but Oso is not a substitute for an identity or authentication provider.

Read On

How secure is Oso Cloud?

We secure Oso Cloud using operational practices that create reliability for our business and mitigate security risks. Here are some of the things we do:

  • Require Single-Sign-On and Two-Factor Authentication for all systems with customer data
  • Enforce hardware-backed WebAuthN Two-Factor Authentication wherever possible
  • Follow strict CI/CD practices and use automated tools to build, test, and release versions of Oso Cloud
  • Collect and analyze logs from our critical vendors to assess security events in real time
  • Maintain backups of critical infrastructure and practice our recovery procedures in the event of emergencies

We also take data privacy very seriously. While our operations practices minimize security risks, we also ensure that customer data is:

  • Never shared with 3rd parties
  • Kept securely within our VPCs and private AWS resources
  • Stored using per-customer isolation
  • Encrypted, both in flight to Oso Cloud and while at rest

Read On

Talk to an Oso Engineer

If you'd like to learn more about using Oso Cloud in your app or have any questions about this guide, connect with us on Slack. We're happy to help.

Get started with Oso Cloud →