Migrate from Oso Cloud

Map your Oso Cloud Polar policies to WorkOS FGA resource types, roles, and permissions.

Overview

This guide helps you migrate from Oso Cloud to WorkOS FGA. Oso Cloud uses the Polar language to define authorization policies with explicit fact storage. WorkOS FGA takes a different approach: hierarchical role-based access control with automatic permission inheritance configured through a Dashboard.

Key differences

Oso Cloud Concept	WorkOS FGA Equivalent
`resource` blocks	Resource Types
`roles` array	Roles
`permissions` array	Permissions
`relations`	Parent-child hierarchy
`has_role` facts	Role Assignments
`has_relation` facts	Resource registration with parent
`actor User {}`	Organization Memberships
Local Authorization	App-side traversal (see below)
Polar DSL	Dashboard configuration

Architecture shift

Oso Cloud requires you to write Polar policies and manage facts. WorkOS FGA simplifies this:

Permissions flow down automatically – A role at a parent level grants access to all children without additional facts
Roles are scoped to resource types – Each resource type has its own set of roles
Single parent per resource instance – Each resource instance has exactly one parent, creating predictable traversal paths
No policy DSL – Configure resource types, roles, and permissions in the Dashboard
Native WorkOS integration – Works seamlessly with AuthKit, SSO, Directory Sync, and IdP role assignment

WorkOS product integration

Unlike standalone authorization systems, WorkOS FGA integrates natively with the WorkOS identity platform (although it can be used standalone):

AuthKit Integration – Organization-scoped roles and permissions are embedded in access tokens for instant JWT-based checks
IdP Role Assignment – Map identity provider groups (Okta, Azure AD, Google Workspace) directly to organization-scoped roles
Directory Sync – Automatically provision and deprovision users with appropriate role assignments when group memberships change
SSO – Enterprise SSO users get role assignments based on IdP group membership during authentication

Polar syntax reference

Key patterns in Oso Polar:

roles = [...] – Define available roles on a resource
permissions = [...] – Define available permissions
relations = {...} – Define relationships to other resources
"permission" if "role" – Grant permission to role
"role" if "role" – Role inheritance
role if role on "relation" – Inherit roles from related resource

Step 1: Map resources to resource types

Extract resource blocks from your Polar policy. These become resource types in WorkOS FGA.

Create resource types for:

Business containers: organizations, workspaces, projects, environments
Shareable entities: apps, pipelines, repositories, dashboards

Exclude:

actor User {} – Use Organization Memberships as subjects instead
actor Group {} – User groups are coming soon; for now, assign roles directly to users

Example

 # Oso Cloud
actor User {}
resource Organization {}
resource Workspace {}
resource Project {}

# WorkOS FGA Resource Types
organization (built-in)
└── workspace
    └── project

Navigate to Authorization > Resource Types in the Dashboard to create your hierarchy.

Step 2: Establish hierarchy

Map Oso relations to WorkOS FGA parent-child resource type relationships.

Oso Cloud pattern

 resource Project {
  relations = { workspace: Workspace };
}

WorkOS FGA equivalent

Create a workspace resource type with organization as its parent. Create a project resource type with workspace as its parent. The parent relationship is defined at the resource type level.

When you register individual project resources instances via the API, you specify the parent workspace. Permissions flow down this hierarchy without explicit facts.

Step 3: Convert roles and permissions

Oso roles and permissions arrays map directly to WorkOS FGA roles and permissions.

Oso Cloud pattern

 resource Project {
  roles = ["viewer", "editor", "admin"];
  permissions = ["read", "write", "manage"];

  "read" if "viewer";
  "write" if "editor";
  "manage" if "admin";
  "viewer" if "editor";
  "editor" if "admin";
}

WorkOS FGA equivalent

Create roles on the project resource type:

Role	Permissions
viewer	`project:read`
editor	`project:read`, `project:write`
admin	`project:read`, `project:write`, `project:manage`

The role inheritance ("viewer" if "editor") becomes permissions bundled into roles. Higher-privilege roles include all permissions from lower-privilege roles.

Permission slug convention: Permission slugs are arbitrary text, but we recommend the pattern {resource-type}:{action} for clarity. Each permission must be explicitly scoped to a resource type in the Dashboard – see more about permissions. When a role includes permissions scoped to child resource types (like project:read on a workspace role), it grants that permission on all child resources of that type.

Step 4: Handle role inheritance via relations

Oso’s role if role on "relation" pattern is replaced by native hierarchical inheritance.

Oso Cloud pattern

 resource Workspace {
  roles = ["viewer", "editor"];
}

resource Project {
  permissions = ["read", "write"];
  relations = { workspace: Workspace };
  role if role on "workspace";
}

WorkOS FGA equivalent

Create a workspace resource type with roles that include child-type permissions:

Role (on workspace)	Permissions
viewer	`workspace:read`, `project:read`
editor	`workspace:read`, `workspace:write`, `project:read`, `project:write`

When you assign workspace:viewer to a user, they automatically get project:read on all projects within that workspace. No explicit per-project facts needed.

Step 5: Map permission patterns

Oso Cloud Pattern	WorkOS FGA Equivalent
`"permission" if "role"`	Permission included in role
`"role" if "role"`	Higher role includes lower role’s permissions
`role if role on "relation"`	Native inheritance (automatic)
`"permission" if "role" on "relation"`	Include permission in parent role
Custom Polar rules	Check conditions in app code
`and` expressions	Check multiple conditions in app code
`not` expressions	Permission exclusions (coming soon)

Replacing Local Authorization

Oso’s Local Authorization generates SQL queries that you run against your database. WorkOS FGA takes a different approach: keep high-cardinality data in your database and traverse to FGA-managed resources in your application code.

Why this approach?

Simpler architecture – No SQL generation or policy-database mapping configuration
Clearer boundaries – FGA handles coarse-grained access, your app handles fine-grained filtering
Better performance – Single parent traversal path, no complex joins
No config drift – Authorization logic lives in your code, not a separate YAML file

Example: file access via parent project

Instead of configuring Local Authorization mappings, look up the parent resource and check access there:

 async function canUserAccessFile(
  organizationMembershipId: string,
  fileId: string,
): Promise<boolean> {
  // 1. Look up the file to find its parent project
  const file = await db.files.findUnique({ where: { id: fileId } });
  if (!file) return false;

  // 2. Check access at the project level (FGA-managed)
  const { authorized } = await workos.authorization.check({
    organizationMembershipId,
    permissionSlug: 'project:view',
    resourceTypeSlug: 'project',
    resourceExternalId: file.projectId,
  });

  return authorized;
}

This replaces Oso’s Local Authorization YAML configuration:

 # Oso Local Authorization config (no longer needed)
facts:
  has_relation(File:_, parent, Project:_):
    query: SELECT id, project_id FROM files
  has_role(User:_, String:_, Project:_):
    query: SELECT user_id, role, project_id FROM project_memberships

sql_types:
  File: UUID
  Project: UUID

With this approach, traversal logic lives in your application code where it’s easier to test, debug, and version alongside your business logic.

High-cardinality entities

Not everything belongs in FGA. We recommend using FGA for lower-cardinality resources (organizations, workspaces, projects) and handling high-cardinality entities (files, messages, comments) in your application.

Syncing millions of entities into FGA creates reconciliation overhead, race conditions, and consistency challenges. Instead, check access at the parent container level and filter entities in your application.

For detailed guidance on this pattern, see High-Cardinality Entities.

Migration steps

Analyze Polar policy – Identify resource blocks, roles, permissions, and relations
Define resource types in the WorkOS Dashboard matching your resources
Define permissions for each type (e.g., read, write, manage)
Create roles that bundle permissions, including child-type permissions for inheritance
Register resources via API when entities are created in your app
Migrate facts – Convert has_role to role assignments, has_relation to resource registration
Replace Oso checks with WorkOS FGA check API calls
Replace Local Authorization with app-side traversal for high-cardinality entities

API migration

Oso Cloud authorize (JavaScript):

 const authorized = await oso.authorize({ type: 'User', id: 'alice' }, 'read', {
  type: 'Project',
  id: 'proj_123',
});

WorkOS FGA Check (JavaScript):

 const { authorized } = await workos.authorization.check({
  organizationMembershipId: 'om_01HXYZ', // available in a session token or via the API
  permissionSlug: 'project:read',
  resourceTypeSlug: 'project',
  resourceExternalId: 'proj_123',
});

Example migration

Oso Cloud policy

 actor User {}

resource Organization {
  roles = ["admin", "member"];
  permissions = ["manage", "read"];

  "read" if "member";
  "manage" if "admin";
  "member" if "admin";
}

resource Workspace {
  roles = ["viewer", "editor"];
  permissions = ["read", "write"];
  relations = { organization: Organization };

  role if role on "organization";
  "viewer" if "member" on "organization";
  "editor" if "admin" on "organization";
  "read" if "viewer";
  "write" if "editor";
}

resource Project {
  relations = { workspace: Workspace };

  "read" if "viewer" on "workspace";
  "write" if "editor" on "workspace";
}

WorkOS FGA equivalent

Resource type hierarchy:

 organization (built-in)
└── workspace
    └── project

Roles for organization:

Role	Permissions
member	`organization:read`, `workspace:read`, `project:read`
admin	All member permissions + `organization:manage`, `workspace:write`, `project:write`

Roles for workspace:

Role	Permissions
viewer	`workspace:read`, `project:read`
editor	`workspace:read`, `workspace:write`, `project:read`, `project:write`

Key insights:

role if role on "organization" – Replaced by org roles including workspace/project permissions
"viewer" if "member" on "organization" – Org member role includes workspace:read
No explicit Polar rules needed – Inheritance happens automatically

Next steps

Resource Types – Design your hierarchy
Roles and Permissions – Configure inheritance patterns
AuthKit Integration – Embed permissions in access tokens
IdP Role Assignment – Map IdP groups to roles
Assignments – Migrate your facts to role assignments
Access Checks – Replace Oso authorize calls