Use Cases

Who uses Oso, and how

Startups to the Fortune 100 use Oso to power their apps' authorization  – from RBAC to nested hierarchies and custom roles, for REST and GraphQL, one service to a fleet of microservices.

Hear from our customers

“Arc is a banking platform, so getting authorization right is critical. We knew our requirements could get complex – we’ve already got 40 permissions across 9 roles – and we wanted to lean on the experts.”

Raven Jiang
CTO, Arc

“Oso is excellent and well worth taking a look at. The rollout at Intercom has been very slick."

Brian Scanlan
Engineer, Intercom

Common Use Cases



Take the first step – separate users by organization to keep their data separate from each other. Get the multi-tenancy policy.

Roles (RBAC)

Group permissions by feature, project, or whatever criteria make sense for your app. Read the RBAC guide.

Files & folders

Configure access at the resource level. E.g., Mark a specific file as private so no one can read it except admins. Get the files & folders policy.

Ownership & sharing

Let users access and modify any resource that they created, and share resources with others. Get the ownership & sharing policy.

Custom roles

Let your users create their own roles based on their requirements. Get the custom roles policy.


Gate access to features based the tier your customer has paid for. Get the entitlements policy.



Share roles across services, and use service-local attributes when you need to. Read the microservices guide.


Enforce coarse checks at the router down to fine-grained checks at the subgraph level. Read the guide on GraphQL.


UI authorization

Show or hide elements in your UI based on your users’ permissions. Learn about authorization in the UI.

List endpoints

Beyond just, "Can this user access this resource, yes or no?" ask, "What are all the things resources this user can access.” Read the data filtering guide.

Authorizing mutations

Control who can create, update, and delete resources. See an example.

Ask arbitrary questions

Sometimes you need ask arbitrary questions like, “Who are all the users that can write to this repo?” Read the Query guide.


When you get an unexpected result, inspect the specific logic and data used to generate an authorization decision. Learn about debugging with Explain.


See logs of authorization decisions to confirm that your system is working as you expect it to. Try it in the sandbox.

Who ♥️ Oso

Migrated 9-year-old Ruby authorization code to Oso in <3 weeks, adding new features and driving authorization bugs down to zero
Moved from monolith to microservices authorization for International Supply Chain portal (16,000 manufacturing partners) in 3 weeks
Built RBAC for ML monitoring and explainability product in weeks
Built resource-specific roles authorization to comply with ITAR regulations in 1 week, upselling enterprise customers by $100K.

What Oso Doesn't Do

Authentication & User Management

Oso assumes that you have a system in place for authenticating users and that you're storing user data elsewhere (e.g., in a database, hosted service). You can use user information as parameters in rules, but Oso is not a substitute for an identity or authentication provider.

Infrastructure Authorization

While you can express your infrastructure policies using Oso, you'd need to build your own access gateway, proxy, or integration points to enforce them. This is possible but not documented. For this reason, you shouldn't view Oso as a replacement for things like AWS IAM or VPN tunnels.

Get started building.