Centralized authorization data
Each Oso environment provides a database where you can store authorization data that affects all of the authorization decisions made by the environment.
When making authorization decisions, Oso will allow the request to succeed if it can find centralized authorization data that "matches" any of the conditions expressed in the policy.
How centralized authorization data affects authorization decisions
When Oso receives an authorization request, it evaluates the policy to aggregate sets of facts (typically represented in authorization data) which, if true, let the request succeed.
After evaluating the policy, Oso always tries to find any facts that would satisfy the request in the environment's centralized authorization data.
If Oso finds the data, the request succeeds. If it doesn't, it might consult the request's context facts or, if using the distributed check API, offer Local Authorization.
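A simplified model of the lookup order described above, added here as an illustration; it is not Oso's implementation or SDK. The toy policy, the has_relation fact name, the "?org" variable syntax, the sample facts, and the choice to combine context facts with centralized data on the fallback are all assumptions made for the example.

```python
# Simplified model of the lookup order; not Oso's implementation.
# Facts are tuples of strings; "?name" in a condition is a variable.

def match(pattern, fact, binding):
    """Return binding extended so pattern equals fact, or None."""
    if len(pattern) != len(fact):
        return None
    new = dict(binding)
    for want, have in zip(pattern, fact):
        if want.startswith("?"):
            if new.setdefault(want, have) != have:
                return None
        elif want != have:
            return None
    return new

def satisfiable(conditions, facts, binding=None):
    """True if every condition matches some fact under one consistent binding."""
    binding = binding or {}
    if not conditions:
        return True
    first, rest = conditions[0], conditions[1:]
    return any(satisfiable(rest, facts, b) for fact in facts
               if (b := match(first, fact, binding)) is not None)

def evaluate_policy(actor, action, resource):
    """Toy policy: each list is one set of facts that would allow the request."""
    alternatives = [[("is_superadmin", actor)]]
    if action == "read":
        # has_relation is an assumed fact name linking a resource to its organization.
        alternatives.append([("has_relation", resource, "organization", "?org"),
                             ("has_role", actor, "member", "?org")])
    return alternatives

def authorize(actor, action, resource, central, context=()):
    """Return which data source satisfied the request, or "denied"."""
    alternatives = evaluate_policy(actor, action, resource)
    if any(satisfiable(alt, central) for alt in alternatives):
        return "centralized"
    combined = set(central) | set(context)  # assumption: context facts add to central data
    if context and any(satisfiable(alt, combined) for alt in alternatives):
        return "context"
    return "denied"

# Constructed sample of centralized authorization data.
CENTRAL = {
    ("has_role", "User:alice", "member", "Organization:acme"),
    ("is_superadmin", "User:root"),
    ("has_relation", "Repository:anvils", "organization", "Organization:acme"),
}
```

In this model a request is denied by default: it succeeds only when one complete set of facts is found, first in the centralized data and then with the request's context facts added.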
When to use centralized authorization
Store in Oso Cloud the data that multiple services need in order to perform authorization.
- If you're using roles to determine permissions, you should store has_role facts to indicate which users have which roles on which organizations or resources.
- If you're using attributes that have global meaning in your application, such as a superadmin flag or banned users, you should store facts such as is_superadmin or is_banned.
In most other contexts, we recommend using Local Authorization.
For an account of when to use centralized authorization data versus other strategies, see Authorization Data.
Guides
- Sync application data to Oso Cloud
- Export centralized authorization data
- Migrate policies + centralized authorization data
Centralized Authorization Data API
The centralized authorization data API lets you manage the data stored in your Oso Cloud environment, such as adding and deleting facts.
Check API
The check API lets you perform authorization decisions based on data stored in your centralized authorization data store. The methods are documented for each SDK:
Distributed Check API
Checks using Oso's distributed check API still consider centralized authorization data. For more information about the distributed check API, see Local Authorization.