oso Documentation

oso is an open source policy engine for authorization that’s embedded in your application. It provides a declarative policy language for expressing authorization logic. You define this logic separately from the rest of your application code, but it executes inside the application and can call directly into it. oso ships as a library with a debugger and a REPL.

if oso.is_allowed(user, "view", expense):
    # ...
allow(user, "read", expense) if
    user.email = expense.submitted_by;

You write policies to define authorization logic. You tell oso things like who should access what, based on what you know about them and their relationship to what they are trying to access. Policies are written in a declarative policy language called Polar, then they are loaded into oso.

Using oso, you can:

  1. Separate authorization code from business logic, but keep data where it is

  2. Express policies concisely with a declarative language

  3. Start from simple building blocks, then extend the system as needed