Checking Authorization Decisions
Oso Cloud provides a set of Check APIs for accessing authorization decisions. They consist of the following commands:
- `authorize`
- `authorize-resources`
- `list`
- `actions`
There are four main ways you access the Check APIs:
| Method of calling the Check API | Best used for... |
|---|---|
| Calling `authorize` via the Explain Page | Testing and development; troubleshooting |
| Calling `authorize`, `authorize-resources`, `list`, and `actions` via the CLI | Testing and development; troubleshooting |
| Calling `authorize`, `authorize_resources`, `list`, and `actions` via the HTTP API | Implementing authorization enforcement |
| Calling `authorize`, `authorize_resources`, `list`, and `actions` via a language-specific client (Node.js, Python, Go, Ruby, or .NET) | Implementing authorization enforcement |
The various options for calling the Check APIs help facilitate your development process, at whatever stage it might be in. At times you may be working in the Dashboard to try new ideas using the Policy Builder and Editor. In that case, adding facts and running authorization checks from the Dashboard might be the most convenient option. However, to integrate Oso Cloud into your app for authorization enforcement, you'll need to use a language-specific client.
Get Started with Check APIs
Prerequisites
Use the sample policy and authorization data below to begin checking authorization decisions. You can also go back to Application Modeling Basics. There, you'll find more authorization patterns to explore using the Check APIs.
Example Policy
```polar
actor User {}

# Top level resource.
resource Organization {
  permissions = ["read", "write"];
  roles = ["member", "admin"];

  # Rules assigning permissions to roles.
  "read" if "member";
  "read" if "admin";
  "write" if "admin";
}
```
Supporting Facts
- `oso-cloud tell has_role User:neil admin Organization:org_1`
- `oso-cloud tell has_role User:neil admin Organization:org_2`
- `oso-cloud tell has_role User:neil member Organization:org_3`
Action Items
Checking Permissions
Use the `authorize` command in the Oso client to return a boolean authorization decision.
Can the user neil perform the read action on the organization "org_1"?
```shell
oso-cloud authorize User:neil read Organization:org_1
```
Returned Values
Given the policy and supporting facts, Oso Cloud will return true.
Listing Authorized Resources
Given a set of resources, use the `authorize-resources` command in the Oso client to return a decision listing the subset of resources where a given permission is allowed.
Can the user neil perform the write action on any of the following organizations: "org_1", "org_2", or "org_3"?
```shell
oso-cloud authorize-resources User:neil write \
  Organization:org_1 \
  Organization:org_2 \
  Organization:org_3
```
Returned Values
Given the policy and supporting facts, Oso Cloud will return the list: [Organization:org_1, Organization:org_2].
Listing Authorized Resources of a Given Type
Use the `list` command in the Oso client to return all resource IDs of a specific type where a given permission is allowed.
On what organizations can the user neil perform the read action?
```shell
oso-cloud list User:neil read Organization
```
Returned Values
Given the policy and supporting facts, Oso Cloud will return the list: [org_1, org_2, org_3].
Listing Authorized Actions
Use the `actions` command in the Oso client to return all the permissions available to an actor on a given resource.
What actions can the user neil perform on the organization "org_1"?
```shell
oso-cloud actions User:neil Organization:org_1
```
Returned Values
Given the policy and supporting facts, Oso Cloud will return the list: [read, write].
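To make the four decisions above reproducible without a running Oso Cloud tenant, here is an added offline model of the sample policy and its three `has_role` facts. It is not Oso's engine or any of its clients: the role-to-permission rules are transcribed by hand from the Polar policy, the `Entity` class and the `FACTS` list are constructed here, and the four functions mirror what `authorize`, `authorize-resources`, `list`, and `actions` return for this policy only. It also checks a deny-by-default case the guide does not spell out (a member cannot write).

```python
"""Offline model of the four Check API decisions for the sample policy.

Added illustration, not Oso Cloud's engine or client library. The policy's
role-to-permission rules and the three has_role facts from this guide are
hard-coded so the four queries can be evaluated locally.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    """Hypothetical stand-in for a typed Oso value such as User:neil."""
    type: str
    id: str

    def __str__(self) -> str:
        return f"{self.type}:{self.id}"


# Transcribed from the policy's rules:
#   "read" if "member"; "read" if "admin"; "write" if "admin";
ROLE_PERMISSIONS = {
    "Organization": {
        "member": {"read"},
        "admin": {"read", "write"},
    }
}

# Constructed facts, mirroring the three `oso-cloud tell` commands above.
NEIL = Entity("User", "neil")
ORG_1 = Entity("Organization", "org_1")
ORG_2 = Entity("Organization", "org_2")
ORG_3 = Entity("Organization", "org_3")
FACTS = [
    ("has_role", NEIL, "admin", ORG_1),
    ("has_role", NEIL, "admin", ORG_2),
    ("has_role", NEIL, "member", ORG_3),
]


def roles_for(actor: Entity, resource: Entity) -> set:
    """Roles the actor holds on the resource according to has_role facts."""
    return {role for name, a, role, r in FACTS
            if name == "has_role" and a == actor and r == resource}


def permissions_for(actor: Entity, resource: Entity) -> set:
    """Union of the permissions granted by every role the actor holds."""
    table = ROLE_PERMISSIONS.get(resource.type, {})
    perms = set()
    for role in roles_for(actor, resource):
        perms |= table.get(role, set())
    return perms


def authorize(actor: Entity, action: str, resource: Entity) -> bool:
    """Boolean decision; anything not granted by a rule is denied."""
    return action in permissions_for(actor, resource)


def authorize_resources(actor: Entity, action: str, resources: list) -> list:
    """Subset of the given resources on which the action is allowed."""
    return [r for r in resources if authorize(actor, action, r)]


def list_resources(actor: Entity, action: str, resource_type: str) -> list:
    """IDs of every known resource of the type on which the action is allowed."""
    known = {r for _, _, _, r in FACTS if r.type == resource_type}
    return sorted(r.id for r in known if authorize(actor, action, r))


def actions(actor: Entity, resource: Entity) -> list:
    """All permissions the actor has on the resource."""
    return sorted(permissions_for(actor, resource))


if __name__ == "__main__":
    print("authorize:", authorize(NEIL, "read", ORG_1))
    print("authorize-resources:",
          [str(r) for r in authorize_resources(NEIL, "write", [ORG_1, ORG_2, ORG_3])])
    print("list:", list_resources(NEIL, "read", "Organization"))
    print("actions:", actions(NEIL, ORG_1))
    print("member write (denied):", authorize(NEIL, "write", ORG_3))
```

The model is deliberately deny-by-default: a permission is granted only when some fact gives the actor a role and some rule maps that role to the permission, which is the same closed-world behaviour the policy above expresses. `list_resources` can only enumerate resources that appear in facts, which is also why the real `list` API is the one to reach for when filtering a query rather than checking resources one by one.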
Additional Resources
- See how the `list` API is used to efficiently filter data
- See how the Check API is used with a complete application
Talk to an Oso Engineer
If you'd like to learn more about using Oso Cloud in your app or have any questions about this guide, connect with us on Slack. We're happy to help.