Concepts
Oblique provides an authorization system that lets you specify who should have access to what, and why they have that access.
Oblique uses a few core objects to represent the entities in your organization:
- Users: Individuals who can access resources, such as employees
- Groups: Collections of users that can be either attribute-based with automatic membership based on user properties, or manually managed team groups
- Resources: Objects in external systems that require access control, like Okta groups
- Entitlements: Positive access grants that define a relationship between a subject and a resource, which can include expiry dates and justifications. A user or group has access to a resource when they have one or more entitlements that grant access to that resource.
- Integrations: External systems connected to Oblique to sync objects and push access decisions
Users are individuals in an organization who can access resources. Not all users are employees—they may also be contractors or interns.
Attributes
Attributes represent properties of a user, which define their identity in an organization. For example, location, department, or employment type are user attributes.
Attributes can come from multiple integrations.
Groups
Groups represent collections of users. Users who belong to a group are members of that group.
Groups can be attribute-based groups or team groups, but not both.
Attribute-based groups
Attribute-based groups use a set of attributes to define membership.
Attribute-based groups help define employees who have similar functional roles or job requirements. For example, an attribute-based group “Support” would include all users in the Support cost center. A group “San Francisco employees” would include all users in San Francisco who work full-time.
Attribute-based groups:
- Automatically update when attributes change. Oblique automatically adds all users with the specified set of attributes to the group. You can’t manage attribute-based group membership manually.
- Require a user to match all attributes exactly. You can’t create an attribute-based group for users who have attribute A or attribute B, who don’t have attribute C, or other more complex queries.
- Are an intersection, not a union. A user must have all the attributes in the group to be added to the group.
Team groups
Team groups are defined manually, by adding or removing users from the group.
Team groups help define groups of users who work together. For example, a group “Go to market team” would include all users who belong to the Sales team, and also those in Marketing, Product, or other departments.
You manually add or remove users from a team group.
Resources
Resources are things that users can be granted access to—they control access within an organization. Resources are objects in other systems that require access control.
Currently, Oblique manages resources which represent groups in other systems, for example, Okta groups, so that you can use Oblique to maintain consistent group membership across systems.
Entitlements
Entitlements define that a user or group can access a resource. Each entitlement represents a unique relationship between a subject (one or more users or groups) and a resource.
An entitlement is a specific link between a user or group and a resource. A user or group has access to a resource when they have one or more entitlements that grant access to that resource. Including multiple users or groups in a single entitlement lets you grant access more efficiently, and manage access for these subjects at the same time.
Entitlements function as positive grants: they grant access to something rather than deny access. Oblique doesn’t support deny entitlements.
Expiration
Entitlements can be indefinite or have expiration dates.
Granting a user access to a resource directly is an anti-pattern: direct grants are harder to understand, maintain, and audit. We recommend giving users temporary access. To grant indefinite access, give a group access to the resource and then add users to that group.
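The following is an added example, not Oblique's code or API, that models the group and entitlement rules described above: attribute-based groups as an exact-match intersection with no "or" or "not", team groups as hand-maintained member lists, and access as "at least one active entitlement names the user or one of their groups", with no deny entitlement anywhere. All class and field names, the sample users, groups, entitlements and the clock values are constructed for illustration.

```python
"""Toy model of the group and entitlement concepts on this page.

Added example, not Oblique's code or API: the class names, field names, the
sample users, groups and entitlements, and the clock values are all constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class User:
    id: str
    attributes: dict  # e.g. {"cost_center": "Support", "location": "SF"}


@dataclass
class AttributeGroup:
    """Membership is computed: every required attribute must match exactly."""
    id: str
    required: dict

    def members(self, users):
        # Intersection, not union: a user needs ALL of the attributes. There is
        # no way to express "A or B" or "not C" here, matching the page's constraints.
        return {u.id for u in users
                if all(u.attributes.get(k) == v for k, v in self.required.items())}


@dataclass
class TeamGroup:
    """Membership is managed by hand; attributes play no role."""
    id: str
    member_ids: set = field(default_factory=set)

    def members(self, users):
        return set(self.member_ids)


@dataclass(frozen=True)
class Entitlement:
    subjects: frozenset            # user ids and/or group ids granted together
    resource: str
    justification: str
    expires_at: Optional[datetime] = None  # None means indefinite

    def is_active(self, now):
        return self.expires_at is None or now < self.expires_at


def effective_access(user, resource, users, groups, entitlements, now):
    """Return the active entitlements that grant `user` access to `resource`.

    Access exists when at least one active entitlement names the user directly or
    names a group the user is a member of. Entitlements only ever add access:
    there is no deny entitlement to subtract from this list.
    """
    subjects = {g.id for g in groups if user.id in g.members(users)} | {user.id}
    return [e for e in entitlements
            if e.resource == resource and e.is_active(now) and e.subjects & subjects]


# Constructed sample data (not from the page).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
BEFORE_EXPIRY = datetime(2024, 12, 1, tzinfo=timezone.utc)

USERS = [
    User("alice", {"cost_center": "Support", "location": "SF", "employment": "full-time"}),
    User("bob", {"cost_center": "Support", "location": "NYC", "employment": "full-time"}),
    User("carol", {"cost_center": "Sales", "location": "SF", "employment": "contractor"}),
]
GROUPS = [
    AttributeGroup("support", {"cost_center": "Support"}),
    AttributeGroup("sf-employees", {"location": "SF", "employment": "full-time"}),
    TeamGroup("gtm", {"bob", "carol"}),
]
ENTITLEMENTS = [
    Entitlement(frozenset({"support"}), "okta:support-tools", "Support staff use the console"),
    Entitlement(frozenset({"gtm"}), "okta:crm", "GTM team works in the CRM"),
    # Direct, time-boxed grant to a user: the recommended shape for temporary access.
    Entitlement(frozenset({"alice"}), "okta:crm", "Covering CRM duties through Q4",
                expires_at=datetime(2024, 12, 31, tzinfo=timezone.utc)),
]


def group_members(group_id):
    group = next(g for g in GROUPS if g.id == group_id)
    return group.members(USERS)


def has_access(user_id, resource, now=NOW):
    user = next(u for u in USERS if u.id == user_id)
    return bool(effective_access(user, resource, USERS, GROUPS, ENTITLEMENTS, now))


if __name__ == "__main__":
    for uid in ("alice", "bob", "carol"):
        for res in ("okta:support-tools", "okta:crm"):
            print(f"{uid:6} {res:20} {has_access(uid, res)}")
```

Note that carol is in San Francisco but is a contractor, so she falls outside "sf-employees": the intersection rule excludes her even though one attribute matches. Alice's direct CRM grant has expired, so on 2025-01-15 she has no CRM access at all, while bob keeps his through the team group.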
Requests
Changes to access controls are made through requests. A request can add or remove an entitlement, or create or update a group. A user might request access to a resource, but they might also request to join a team, which grants them access to the team’s resources.
Request states
Requests can be in one of the following states:
- Open: The change request is open. It has not been applied or closed. A request can be open with all, some, or no checks completed.
- Applied: The change request has been applied.
- Closed: The change request has not been applied, and has been closed by the requester or a reviewer. The request is maintained in Oblique for audit purposes, and can no longer be edited.
- Obsoleted: The change request has not been applied, and has been marked as redundant due to changes made by another request.
Checks
Requests need to pass checks before they can be applied. A check is a specific requirement that must be met before the request can be applied, such as an approval from a specific user or group, or verification of a specific condition. A request might also have no checks, or be auto-applied.
Once a request passes all checks, it’s automatically applied.
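The request lifecycle described in the sections above, as an added example that is not Oblique's code: a request starts Open, becomes Applied as soon as every check is satisfied (immediately, if it has none), can be Closed by the requester or a reviewer, and, once out of the Open state, is kept for audit but can no longer be edited. The `Request` and `RequestQueue` classes, the check names and the rule that applying a change obsoletes other open requests for the identical change are assumptions made for this example.

```python
"""Toy request lifecycle: Open -> Applied (all checks pass) | Closed | Obsoleted.

Added example, not Oblique's code: the Request and RequestQueue classes and the rule
that an applied change obsoletes other open requests for the same change are assumptions.
"""
from enum import Enum


class State(Enum):
    OPEN = "Open"
    APPLIED = "Applied"
    CLOSED = "Closed"
    OBSOLETED = "Obsoleted"


class Request:
    def __init__(self, request_id, change, checks, justification):
        self.id = request_id
        self.change = change                            # hashable description of the access change
        self.checks = {name: False for name in checks}  # check name -> satisfied?
        self.justification = justification              # recorded for audit
        self.state = State.OPEN
        self.history = []

    def require_open(self):
        # Applied, Closed and Obsoleted requests are kept for audit but can no longer be edited.
        if self.state is not State.OPEN:
            raise ValueError(f"request {self.id} is {self.state.value} and cannot be edited")

    def all_checks_passed(self):
        return all(self.checks.values())


class RequestQueue:
    def __init__(self):
        self.requests = []
        self.applied = []  # changes applied, in order

    def submit(self, request):
        self.requests.append(request)
        request.history.append(f"opened: {request.justification}")
        self._apply_if_ready(request)  # a request with no checks is applied immediately
        return request.state

    def pass_check(self, request, name, by):
        request.require_open()
        if name not in request.checks:
            raise KeyError(f"{name!r} is not a check on request {request.id}")
        request.checks[name] = True
        request.history.append(f"check {name!r} satisfied by {by}")
        self._apply_if_ready(request)
        return request.state

    def close(self, request, by):
        request.require_open()
        request.state = State.CLOSED
        request.history.append(f"closed by {by}")
        return request.state

    def _apply_if_ready(self, request):
        if request.state is State.OPEN and request.all_checks_passed():
            request.state = State.APPLIED
            self.applied.append(request.change)
            request.history.append("applied: all checks passed")
            # Assumption: other open requests for the identical change are now redundant.
            for other in self.requests:
                if other is not request and other.state is State.OPEN and other.change == request.change:
                    other.state = State.OBSOLETED
                    other.history.append(f"obsoleted by request {request.id}")


def demo():
    """Walk a few constructed requests through the lifecycle and return their final states."""
    q = RequestQueue()
    grant_bob = ("add_entitlement", "bob", "okta:crm")
    r1 = Request("R1", grant_bob, ["manager-approval", "owner-approval"], "Bob joins the GTM team")
    r2 = Request("R2", grant_bob, ["owner-approval"], "Duplicate request filed by Bob's manager")
    r3 = Request("R3", ("remove_entitlement", "alice", "okta:crm"), [], "Alice's temporary access ended")
    r4 = Request("R4", ("create_group", "oncall"), ["admin-approval"], "New on-call rotation")
    for r in (r1, r2, r3, r4):
        q.submit(r)
    q.pass_check(r1, "manager-approval", by="mgr")   # one of two checks: still Open
    q.pass_check(r2, "owner-approval", by="owner")   # all checks pass: Applied, R1 becomes Obsoleted
    q.close(r4, by="requester")
    try:
        q.pass_check(r1, "owner-approval", by="owner")  # R1 is Obsoleted: edit is rejected
        edit_rejected = False
    except ValueError:
        edit_rejected = True
    return {r.id: r.state for r in (r1, r2, r3, r4)}, q.applied, edit_rejected


if __name__ == "__main__":
    print(demo())
```

R3 carries no checks, so it is applied the moment it is submitted; R2 is applied once its single approval lands, which leaves R1, a request for the same change, Obsoleted rather than Applied twice.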
Justification
Requests can include a justification that explains why someone is making a particular request, such as requesting access to a specific resource. This helps with compliance and auditing by providing context for access changes and decisions.
Management
Your instance of Oblique has one or more Admins, who can make changes in Oblique, including access changes. Oblique’s audit logs record all changes made in Oblique, including access changes, for audit purposes.
Owners
Resources and team groups have owners, who can help with managing access to those resources and teams. Owners can include users or groups. Owners help identify who manages each resource or team, and help scale access management by delegating responsibility for access changes to those with more context.
By default, Oblique Admins are owners of all objects, whether or not additional owners exist.
Deletion
When you delete a group, user, or resource, Oblique automatically revokes all associated entitlements and doesn’t permit adding new entitlements.
Objects are soft deleted in Oblique, so that you can still see them in audit logs. You can’t grant access to deleted objects, or restore them.
Integrations
Integrations connect Oblique with external systems in your organization to synchronize data and manage access. Oblique can both pull information from and push access decisions back to integrations.
Oblique pulls users, user attributes, and resources from integrations into Oblique. Integrations are the authoritative source of truth for users and user attributes. The source of truth for resources depends on the management mode you’ve configured for a given resource.
Management modes
Resources in integrations can operate in different management modes, depending on whether you want Oblique to take control of access management or not.
Integrations can exist in one of two connection states:
- Connected: The integration is connected to Oblique, and you can sync its resources in Oblique.
- Disconnected: The integration isn’t connected to Oblique, and you can’t sync its resources in Oblique.
Resources can exist in one of three management modes:
- Pull from the integration, keeping the integration as the source of truth. In this mode, Oblique stays read-only and helps explain and understand entitlements.
- Push to the integration, making Oblique the source of truth. In this mode, Oblique pushes any changes in effective access for a resource to the integration and corrects any drifts that occur.
- Paused. In this mode, the integration is connected to Oblique but the specific resource doesn’t sync. It may never have synced, or it may have synced previously and stopped.
Resources start as “Pull” by default. You can change individual resources to “Push” mode when you want Oblique to take control of their access management. You configure management mode per resource, giving you flexibility in how you adopt Oblique across your organization.
Pull from the integration
When you configure a resource to “Pull” from the integration, the integration stays the authoritative source for access control:
- Any changes to entitlements in the integration, such as adding or removing access, appear in Oblique
- Oblique displays imported entitlements but doesn’t change them. These entitlements have the label Imported.
This mode works well when you want visibility into existing access without making changes.
Push to the integration
When you configure a resource to “Push” to the integration, Oblique becomes the authoritative source for access control:
- Changes made in Oblique push to the integration automatically
- Any manual changes made directly in the integration get corrected to match Oblique’s configuration
- You still see imported entitlements for reference, but Oblique manages the effective access
This mode gives you full control over access management through Oblique.
Paused
Resources in this state connect to Oblique but don’t actively sync access changes. These resources either had sync enabled before, or have never synced.
Details about access to the resource don’t sync with Oblique. As long as the integration connects to Oblique, Oblique still syncs the existence of the resource.
Management status
Syncing between Oblique and integrated systems happens automatically and regularly. The frequency depends on the integration.
An integration could have different information about a resource than what Oblique shows, for example, if syncing gets delayed, or syncing encounters an issue. The management status reflects this difference: Synced, Pending, Error, or Paused.
Resources also have management status. Resources are Synced if they’re up to date with the integration, and Pending if they have changes that haven’t yet been synced.
An integration or resource must be syncing to have a sync state. If an integration is Disconnected, or a resource is Paused, then it has no sync state.
Synced
The integration is up to date with Oblique. All changes made in the integration appear in Oblique, and all changes made in Oblique have synced to the integration. An integration is Synced if all of its resources are Synced.
Pending
The integration is not up to date with Oblique. Any changes made in Oblique haven’t yet synced to the integration. An integration is Pending if any of its resources are Pending.
Error
The integration can’t sync with Oblique. This could be due to an error, rate limit, or other issue with the integration.
Paused
The integration temporarily isn’t syncing. Any changes made in Oblique aren’t attempting to sync to the integration, and any changes made in the integration haven’t synced to Oblique. You should pause an integration if it’s experiencing issues, and you want to temporarily stop syncing it to resolve the issue. For example, if a bad change is made in the integration, pause it to prevent changes from syncing.
To permanently stop syncing and remove the integration from Oblique, you can disconnect it.
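The management modes and management statuses described above, as one added example that is not Oblique's code: a single reconciliation pass per resource that mirrors the integration in Pull mode, corrects drift in Push mode, skips access details for a Paused resource (which therefore has no sync state), and reports Synced, Pending or Error. The `FakeIntegration` test double, the resource and member names, the rate-limit failure and the roll-up rule that Error outranks Pending at integration level are constructed assumptions.

```python
"""Toy reconciliation loop for the management modes and sync statuses on this page.

Added example, not Oblique's code: the class names, the FakeIntegration test double,
its failure behaviour and the status roll-up rule are constructed for illustration.
"""
from enum import Enum


class Mode(Enum):
    PULL = "Pull"      # integration is the source of truth; Oblique is read-only
    PUSH = "Push"      # Oblique is the source of truth; drift in the integration is corrected
    PAUSED = "Paused"  # existence still syncs, access details do not


class Status(Enum):
    SYNCED = "Synced"
    PENDING = "Pending"
    ERROR = "Error"


class IntegrationError(Exception):
    pass


class FakeIntegration:
    """Stands in for an external system such as an Okta tenant (constructed test double)."""

    def __init__(self, memberships, failing=()):
        self.memberships = {k: set(v) for k, v in memberships.items()}
        self.failing = set(failing)  # resources whose API calls fail, e.g. rate limited

    def read(self, name):
        if name in self.failing:
            raise IntegrationError(f"{name}: rate limited")
        return set(self.memberships.get(name, set()))

    def write(self, name, add, remove):
        if name in self.failing:
            raise IntegrationError(f"{name}: rate limited")
        self.memberships[name] = (self.memberships.get(name, set()) | add) - remove


class Resource:
    def __init__(self, name, mode, desired):
        self.name = name
        self.mode = mode
        self.desired = set(desired)  # effective access as Oblique computes it
        self.imported = set()        # what the integration last reported (label: Imported)
        self.status = None           # None = no sync state (Paused resource)
        self.last_error = None


def reconcile(resource, integration):
    """One sync pass for a single resource; returns the resulting management status."""
    if resource.mode is Mode.PAUSED:
        resource.status = None
        return None
    try:
        actual = integration.read(resource.name)
        resource.imported = actual
        if resource.mode is Mode.PULL:
            # Mirror the integration; never write back to it.
            resource.desired = set(actual)
            resource.status = Status.SYNCED
        else:
            to_add, to_remove = resource.desired - actual, actual - resource.desired
            if to_add or to_remove:
                # Drift: correct the integration, report Pending until a later pass confirms.
                integration.write(resource.name, add=to_add, remove=to_remove)
                resource.status = Status.PENDING
            else:
                resource.status = Status.SYNCED
    except IntegrationError as exc:
        resource.status = Status.ERROR
        resource.last_error = str(exc)
    return resource.status


def integration_status(resources):
    """Roll resource statuses up to the integration (assumption: Error outranks Pending)."""
    statuses = {r.status for r in resources if r.status is not None}
    if not statuses:
        return None
    if Status.ERROR in statuses:
        return Status.ERROR
    if Status.PENDING in statuses:
        return Status.PENDING
    return Status.SYNCED


def demo():
    """Run two sync passes over constructed resources and return what a practitioner would inspect."""
    okta = FakeIntegration(
        {"support-tools": {"alice", "bob", "mallory"}, "crm": {"bob"}, "billing": {"dave"}},
        failing={"billing"},
    )
    pull = Resource("crm", Mode.PULL, desired={"bob", "carol"})          # Oblique's view gets overwritten
    push = Resource("support-tools", Mode.PUSH, desired={"alice", "bob"})  # "mallory" is drift
    paused = Resource("archive", Mode.PAUSED, desired={"alice"})
    broken = Resource("billing", Mode.PUSH, desired={"dave"})
    resources = [pull, push, paused, broken]
    first = [reconcile(r, okta) for r in resources]
    second = [reconcile(r, okta) for r in resources]
    return {
        "first": first,
        "second": second,
        "pull_desired": pull.desired,
        "support_tools_members": okta.memberships["support-tools"],
        "crm_members": okta.memberships["crm"],
        "rollup": integration_status(resources),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The Push resource shows the Pending-then-Synced sequence the page describes: the first pass detects the extra member, pushes the correction and reports Pending; the second pass reads back a matching membership and reports Synced. The Pull resource never writes to the integration; instead Oblique's own view is replaced by what was imported.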