Authorization Data
To make authorization decisions, Oso uses two components:
- Your environment's policy, which describes the logic you want to use
- Authorization data, which describes your application's current state
When choosing where and how to manage your authorization data, Oso offers the following options:
| Authorization data | Description |
|---|---|
| Centralized in Oso | Each Oso Cloud environment provides a database in which you may store authorization data. |
| Local authorization | Oso lets you describe how facts in your policy are represented in your local database, and then lets you perform the final authorization steps locally. |
| Context facts | Authorization requests let you provide additional facts, known as context facts. |
When to use each type of authorization data
| If the data | We suggest |
|---|---|
| Affects authorization for a single service | Local authorization |
| Changes frequently | Local authorization |
| Has high cardinality | Local authorization |
| Affects authorization for multiple services | Centralized in Oso |
| Comes from the request environment | Context facts |