Crate oso

source ·
Expand description

oso policy engine for authorization


oso is a policy engine for authorization that’s embedded in your application. It provides a declarative policy language for expressing authorization logic. You define this logic separately from the rest of your application code, but it executes inside the application and can call directly into it.

For more information, guides on using oso, writing policies and adding to your application, go to the oso documentation.

For specific information on using with Rust, see the Rust documentation.


The oso Rust library is still in early development relative to the other oso libraries.


To get started, create a new Oso instance, and load Polar policies from either a string or a file:

let mut oso = Oso::new();
oso.load_str(r#"allow(actor, _action, _resource) if actor.username = "alice";"#)?;

You can register classes with oso, which makes it possible to use them for type checking, as well as accessing attributes in policies. The PolarClass derive macro can handle some of this

use oso::{Oso, PolarClass};

let mut oso = Oso::new();

#[derive(Clone, PolarClass)]
struct User {
    pub username: String,

impl User {
    fn superuser() -> Vec<String> {
        return vec!["alice".to_string(), "charlie".to_string()]

        .add_class_method("superusers", User::superuser)

oso.load_str(r#"allow(actor: User, _action, _resource) if

let user = User {
    username: "".to_owned(),
assert!(oso.is_allowed(user, "foo", "bar")?);

For more examples, see the oso documentation.





  • Oso is the main struct you interact with. It is an instance of the Oso authorization library and contains the polar language knowledge base and query engine.


  • Represents an action used in an allow rule. When the action is bound to a concrete value (e.g. a string) this returns an Action::Typed(action). If any actions are allowed, then the Action::Any variant is returned.
  • An enum of the possible value types that can be sent to/from Polar.