Using Attributes to Control Permissions

Overview

Maturity Level: Resource-specific Authorization

Prerequisites

In this tutorial we examine how to dynamically grant and restrict permissions based on attributes. This discussion builds upon existing patterns listed in the prerequisites above. Please review them as needed.

In some use cases, modifying permissions based on attributes presents itself as a toggle within your application. For example, a certain resource may have a privacy setting. If a user is able to mark the resource as either public or private, then your authorization logic needs to handle both states appropriately and immediately whenever the privacy status is changed.

In other cases you may have an attribute with multiple states. Here the application is not just toggling between two states, but selecting among many options. Each state comes with its own set of rules for how it affects access to resources. Handling each one appropriately requires modifying basic authorization patterns to achieve the desired results during enforcement.
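The two cases above, sketched as an added example in plain Python (not Oso's code or its policy language): every decision is evaluated against the current facts, so flipping the toggle or changing the state takes effect on the next check. The `Facts` store, the role and state names, and the rule that a public toggle never exposes a draft are all assumptions made for illustration.

```python
# Hypothetical per-state rules for a multi-state attribute: state -> role -> permissions.
STATE_RULES = {
    "draft":     {"owner": {"read", "edit"}},
    "published": {"owner": {"read", "edit"}, "member": {"read"}},
    "archived":  {"owner": {"read"}, "member": {"read"}},
}
# Assumption: the public toggle only grants read in these states.
PUBLIC_READABLE_STATES = {"published", "archived"}


class Facts:
    """In-memory fact store standing in for wherever the application keeps facts."""

    def __init__(self):
        self.roles = set()   # (user, role, resource) tuples
        self.public = set()  # resources whose privacy toggle is "public"
        self.status = {}     # resource -> current state


def authorize(facts, user, action, resource):
    """Decide from the facts as they are now; nothing is cached between calls."""
    state = facts.status.get(resource)
    if state not in STATE_RULES:
        return False  # missing or unknown state: deny by default
    if action == "read" and resource in facts.public and state in PUBLIC_READABLE_STATES:
        return True   # toggle attribute: anyone may read a public resource
    return any(
        action in perms
        for role, perms in STATE_RULES[state].items()
        if (user, role, resource) in facts.roles
    )


def demo():
    """Constructed scenario: one document moving through toggle and state changes."""
    facts = Facts()
    facts.roles |= {("alice", "owner", "doc1"), ("bob", "member", "doc1")}
    facts.status["doc1"] = "draft"
    out = [authorize(facts, "bob", "read", "doc1")]         # member cannot read a draft
    facts.public.add("doc1")
    out.append(authorize(facts, "carol", "read", "doc1"))   # public flag does not expose a draft
    facts.status["doc1"] = "published"
    out.append(authorize(facts, "carol", "read", "doc1"))   # public and published: readable
    facts.public.discard("doc1")
    out.append(authorize(facts, "carol", "read", "doc1"))   # private again: denied at once
    facts.status["doc1"] = "archived"
    out.append(authorize(facts, "alice", "edit", "doc1"))   # owner loses edit when archived
    return out


if __name__ == "__main__":
    print(demo())
```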

In this section you will:

  • Start with a basic policy
  • Model an attribute that toggles state
  • Model an attribute that has several states
  • Consider the best way to add facts to support rules regarding the attributes modeled
  • Examine how attribute states affect authorization decisions
