Welcome to Oblique
Oblique serves as the single source of truth for authorization decisions in corporate environments, from HRIS to IdP.
Oblique provides a modern identity directory that helps organizations achieve more maintainable access controls. It defines entitlements based on organizational context, helps users debug their own access, and manages entitlements as code.
Why Oblique
Traditional identity and access management systems don’t scale well. IT teams spend their time on repetitive access request tickets, users don’t understand what access to request or why they get denied, and security teams can’t get visibility into who actually has access to what.
Oblique solves this by making access controls:
- Explainable: Get clear visibility into how and why a user has access
- Safe: Preview changes to understand their impact, catch issues, and ensure necessary requirements are met
- Self-serve: Empower users not only to request access, but also to debug their own access and manage how they work in teams
How does Oblique do this? We’ve built Oblique around five core principles that make access controls more understandable and manageable.
Principles
Oblique follows five core principles when managing access, which may differ from what you’re familiar with in existing systems:
- Requests: Changes are made through a request workflow
- Justifications: Every access change should have a justification
- Expiry: Expiry makes exceptions easier to manage
- Ownership: Resources and groups need owners to delegate authority to manage them
- Soft deletion: Objects are soft deleted to preserve audit logs
Requests
To make changes to access controls at scale, you need a way for individual users to request access changes—not only to specific apps they need access to, but also to create teams or change team membership. All of these changes are made through requests.
Making changes through a request workflow allows you to verify that requirements are met prior to making a change, including any checks you need, and provide a record of who made the change and why.
Not all changes need an explicit approval: changes can be automatically applied based on the checks you set for each request.
Justification
You need context to understand why a user or group has access to a resource. As part of every access change you make in Oblique—whether that change is direct or indirect—you can provide a justification for that change.
Most justifications should be inferred, and not explicitly provided. For example, if a user is added to a team, the justification is that the user is a member of the team; or if a user’s role changes, the justification is that the user’s role has changed. Where additional justification is needed, it should be specific about the business need.
That justification is stored in the audit log. When you review existing access controls as part of user access reviews, or when you review changes to access controls over time, you can understand why these changes happened.
Expiry
Not all access controls need to be permanent; in fact, ad hoc requests are often temporary. In Oblique, you can set an expiry date for entitlements. When the expiry date is reached, Oblique will automatically revoke the entitlement.
This helps “clean up” access controls automatically over time: if access is no longer needed, it can be removed. As a general principle, we recommend that individual access to resources always carries an expiry, since such access is an exception and shouldn’t be long-lived. For any long-lived access, create a group and grant access to the group instead.
Users receive advance warning before access expires, and if access is still needed, they can request extensions with updated justification.
Ownership
To scale management of access controls, responsibility for making access control changes needs to be shared. In Oblique, each resource and group has owners, and you can assign this ownership to a user or group. By default, Oblique Admins are the owners of all resources and groups.
When you assign ownership, you’re saying that the user or group is responsible for maintaining that object. Having an owner is useful when you need to understand who is responsible for a particular resource or group, audit its access, or make changes to access. This also helps you spread the responsibility of managing access controls from the IT and security teams to individuals who might have more context.
We recommend that every object has either two users or a group as its owners. Having multiple owners is important so that if someone leaves the organization, it’s clear who the next owner is.
Soft deletion
When you need to remove a resource, group, or user, you can soft delete it in Oblique. When you soft delete an object, it’s no longer available for granting new access, but it remains in the audit log. Oblique’s audit logs are a record of all changes made to access controls: they let you understand what changes have happened over time, and who made them.
Because soft-deleted objects stay in the log, you can review past changes in the context of what the object’s state was at the time of each change. Soft deletion preserves the integrity and completeness of your audit trail.
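As an added illustration, not Oblique’s own code or API, the following Python sketch models the behaviours described under Justification, Expiry, and Soft deletion above: grants that require a justification, advance warning and extension before expiry, automatic revocation once the expiry date is reached, and soft deletion that refuses new grants while keeping every audit entry. All class and method names, and the sample resources, are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Entitlement:
    subject: str            # user or group that holds the access
    resource: str
    justification: str
    expires: Optional[date]  # None only for long-lived group access
    active: bool = True


class Directory:
    """Toy model of grant / expiry / soft-delete semantics (hypothetical, not Oblique's API)."""

    def __init__(self):
        self.entitlements: list = []
        self.soft_deleted: set = set()   # blocked for new grants, kept in history
        self.audit_log: list = []        # (action, subject, resource, justification)

    def grant(self, subject, resource, justification, expires=None):
        if not justification:
            raise ValueError("every access change needs a justification")
        if resource in self.soft_deleted:
            raise ValueError(f"{resource} is soft deleted; new grants are refused")
        ent = Entitlement(subject, resource, justification, expires)
        self.entitlements.append(ent)
        self.audit_log.append(("grant", subject, resource, justification))
        return ent

    def expiring_within(self, today, days):
        """Entitlements to warn about: active and expiring in the next `days` days."""
        cutoff = today + timedelta(days=days)
        return [e for e in self.entitlements
                if e.active and e.expires is not None and today < e.expires <= cutoff]

    def extend(self, ent, new_expiry, justification):
        if not justification:
            raise ValueError("an extension needs an updated justification")
        ent.expires, ent.justification = new_expiry, justification
        self.audit_log.append(("extend", ent.subject, ent.resource, justification))

    def sweep_expired(self, today):
        """Revoke every active entitlement whose expiry date has been reached."""
        revoked = []
        for e in self.entitlements:
            if e.active and e.expires is not None and e.expires <= today:
                e.active = False
                self.audit_log.append(("revoke", e.subject, e.resource, f"expired {e.expires}"))
                revoked.append(e)
        return revoked

    def soft_delete(self, resource, justification):
        self.soft_deleted.add(resource)  # entitlements and log entries stay for review
        self.audit_log.append(("soft_delete", "", resource, justification))
```

The audit log keeps the grant, extension, revocation and soft-delete entries for a resource even after it has been soft deleted, which is what makes a later access review explainable.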