Authorization Enforcement Basics
Authorization enforcement is the ability of an application to allow or deny access to resources based on authorization decisions. These decisions are the answers to questions you ask Oso Cloud. Evaluating an authorization decision requires both policy rules and facts.
Authorization Question | Policy Rules | Available Facts | Authorization Decisions |
---|---|---|---|
Can Bob edit the Document "Company Roadmap"? | • Org managers can edit Documents | • Bob is an org manager | Yes, Bob can edit "Company Roadmap" |
What are all the resources Alice can read? | • Any user can read public resources • Roles and permissions are inherited from parent resources | • Alice is a guest user • "Community Resources" is a public folder | Alice can read all docs and folders within "Community Resources" |
What are all the permissions Bob has within the org? | • Org managers can: read, edit, and delete resources | • Bob is an org manager | Bob can: read, edit, and delete resources. |
Oso Cloud provides a set of Check APIs that gives your applications access to these authorization decisions in real time. Your app's authorization enforcement is built around these APIs.
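The three question types in the table can be modeled in a few lines to show how rules and facts combine into a decision. This is an added illustration, not Oso Cloud's API, policy language, or implementation; the function names, the `Org:acme` organization, and the `Document:Welcome` resource are assumptions made up for the example.

```python
# Illustrative model only; not Oso Cloud's API, policy language, or data model.
# All names and facts below are constructed to mirror the table above.

# Policy rules: what each role grants, and what a public resource grants anyone.
ROLE_PERMISSIONS = {"manager": {"read", "edit", "delete"}, "guest": set()}
PUBLIC_PERMISSIONS = {"read"}

# Facts: resource hierarchy, public flags, and role assignments.
PARENT = {
    "Org:acme": None,
    "Document:Company Roadmap": "Org:acme",
    "Folder:Community Resources": "Org:acme",
    "Document:Welcome": "Folder:Community Resources",
}
PUBLIC = {"Folder:Community Resources"}
ROLES = {("Bob", "Org:acme"): {"manager"}, ("Alice", "Org:acme"): {"guest"}}


def _chain(resource):
    """Yield the resource, then each parent, so grants are inherited downward."""
    while resource is not None:
        yield resource
        resource = PARENT.get(resource)


def actions_for(user, resource):
    """Every permission the rules and facts grant `user` on `resource`."""
    allowed = set()
    for node in _chain(resource):
        if node in PUBLIC:
            allowed |= PUBLIC_PERMISSIONS
        for role in ROLES.get((user, node), ()):
            allowed |= ROLE_PERMISSIONS.get(role, set())
    return allowed


def decide(user, action, resource):
    """Yes/no decision; anything not granted by a rule plus a fact is denied."""
    return action in actions_for(user, resource)


def list_resources(user, action):
    """All known resources on which `user` may perform `action`."""
    return sorted(r for r in PARENT if decide(user, action, r))
```

Removing the fact that Bob is an org manager flips his decision to a denial without any change to the rules, which is why both inputs have to be current at enforcement time.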
In this section we will:
- Review the Oso Cloud Check API