
Access Control Without Borders
A leading global telecommunications provider needed to solve a complex, large-scale authorization problem: managing access to critical network infrastructure—devices, firewalls, and other elements—while complying with regional privacy laws and enterprise audit requirements. They needed a solution that could unify authorization across highly distributed systems without tightly coupling to specific authentication providers.
Those requirements led them to Oso. What follows is a look at the challenges they tackled, how they evaluated their options, why Oso stood out, and the outcomes that followed.
Authorization at Global Scale: The Challenge
Every geography had its own legal requirements around data handling, identity access, and auditability. Internal teams frequently submitted network change requests, and each request had to be validated—based not just on who made it, but where they were, what systems were involved, and how the data might flow across jurisdictional lines.
Adding to the complexity, the company’s infrastructure spanned multiple directory systems. One region might authenticate users through Active Directory, while another used an entirely different identity provider. The team needed a policy service that could handle that heterogeneity while providing strong enforcement and explainability.
What They Needed in an Authorization Solution
The security team identified four critical requirements:
- Declarative policy modeling that abstracts away identity source and system specifics.
- Observability to simulate policy behavior before rollout.
- Auditability and traceability for compliance, debugging, and investigations.
- Adaptability across identity systems and hybrid deployment environments.
A major concern with legacy, homegrown authorization systems was the scattering of access logic across the codebase. This made it difficult to verify how the system would behave under different conditions. The team needed centralized, understandable policy logic they could trust.
A Rigorous Evaluation Process
To ensure the solution met both functional and security requirements, the team ran a structured, three-phase evaluation of Oso:
- Step 1: Review and verify the code. They began by auditing Oso’s SDKs to ensure the implementation met internal security standards and passed static analysis and vulnerability scans.
- Step 2: Build a sample application. The team created a proof-of-concept to model real-world authorization requests. This allowed them to validate policy logic under realistic scenarios.
- Step 3: Test observability and auditability. Finally, they verified whether authorization decisions could be simulated, traced, and debugged—ensuring the system would support compliance and operational transparency.
Why Oso Was the Right Fit
Oso offers a powerful blend of policy expressiveness, system abstraction, and deployment flexibility. By modeling access through a relationship-based access control (ReBAC) system, the team is able to centralize logic that otherwise would have been duplicated across applications.
Policies are written in Polar—Oso’s declarative language—allowing the team to define outcomes based on attributes like geography or role, without needing to hardcode how or where those attributes were retrieved.
Oso is deployed on-premises, integrated into both monolithic and microservice-based architectures. Application teams never interact with it directly. Instead, they query an internal API, asking questions like "can this user take this action?", with Oso handling everything at the backend.
Results: Security, Velocity, and Composability
Since deploying Oso, the organization has seen three key outcomes:
- 100% Policy Enforcement, Zero Breaches. Through extensive penetration testing and real-world deployment, there have been zero instances where a user was able to access something they weren’t authorized to. Authorization failures simply haven’t happened.
- Improved Development Speed. The ability to simulate and explain authorization outcomes before deployment has accelerated development and reduced risk. Product and security leaders can ask "what happens if X?" and get a reliable answer instantly, with no guesswork or ambiguity.
- Reusable Authorization Across Teams. Oso’s focus on doing authorization—and only authorization—has made it a reusable component across multiple systems. Teams don’t need to build bespoke access logic for each new application, which has simplified development and reduced cognitive load.
Lessons for Engineering Leaders
This implementation reinforced three core lessons for other teams dealing with authorization at scale:
- Be clear on the role authorization plays in your system—whether it’s a source of truth or a bridge between systems.
- Treat policies as living assets, not one-time configs. Build a lifecycle around testing, validation, and monitoring.
- Design for abstraction. Your access logic shouldn’t be tied to specific identity providers or application layers. Declarative, centralized policies help ensure long-term maintainability.
Getting Started
Authorization may be complex, but it doesn’t have to be chaotic. With a focused, auditable system like Oso, teams can deliver security, compliance, and clarity—without slowing down development.
If your organization operates in multiple regions, across varied systems, or under strict compliance requirements, consider how confident you are in your current authorization approach. If you’d like help evaluating options, book a meeting with an Oso engineer—we’ll walk you through how to model, test, and enforce policies with confidence.
At a glance
- Industry: Telecommunications
- Use Case: Network provisioning and access control
- Region: Global
How a global telecom unified infrastructure access and compliance with Oso