Use Policy Metadata

Given a policy using resource blocks like:


actor User { }
resource Organization {
roles = ["admin", "member"];
permissions = [
"read", "add_member", "repository.create",
"repository.read", "repository.delete"
];
# role hierarchy:
# admins inherit all member permissions
"member" if "admin";
# org-level permissions
"read" if "member";
"add_member" if "admin";
# permission to create a repository
# in the organization
"repository.create" if "admin";
# permissions on child resources
"repository.read" if "member";
"repository.delete" if "admin";
}

The roles and permissions declarations are used within the policy for validation. The permission assignment "read" if "member" validates that "read" and "member" are both declared within permissions and roles respectively.

This information is also available to the application using the policy metadata API. There are two common use cases for this:

  1. For client-side validation of permissions, roles, and resources.
  2. For building a UI to manage permissions, roles, and resources.

Fetching Metadata


metadata = oso.getPolicyMetadata();
console.log(metadata.resources.Repository.roles);
// outputs ["owner", "member"]