Condition Sets
Condition sets give you the flexibility of ABAC with the simplicity of RBAC.
Condition sets are sets of objects that represent logical elements in your system.
There are currently two types of condition sets that you can work with:
- User Set - defined as a set of users that match all the specified conditions.
- Resource Set - defined as a set of resources that match all the specified conditions.
Example of a User Set
All users who are located in the United States and have the role of an Employee.
We will call this us_based_employees.
Example of a Resource Set
All resources that are of the type repository and are private.
We will call this private_repos.
We can then picture a matrix of assignment between user sets and resource sets. We placed a checkbox to indicate that us_based_employees can perform any action on the private_repos resource.
| Admin | Employee | Employee in the US | |
|---|---|---|---|
| Private Repositories | X | ||
| Marketing Materials |
Creating a Condition Set
We will now view code examples of a condition set written for the above defined User and Resource Sets.
User Set - US Based Employees
Notice how we want both conditions to be true, so we ended up using the allOf logical operator.
We have also specified the type of the condition set to be userset.
{
"key": "us_based_employees",
"name": "US based employees",
"type": "userset",
"conditions": {
"allOf": [
{
"user.role": {
"equals": "employee"
}
},
{
"user.location": {
"in": [
"US"
]
}
}
]
}
}
Resource Set - Private Repositories
In this example of a resource set condition, the type changed to resourceset.
{
"key": "private_repositories",
"name": "Private Repositories",
"type": "resourceset",
"conditions": {
"allOf": [
{
"resource.type": {
"equals": "repository"
}
},
{
"resource.access": {
"equals": [
"private"
]
}
}
]
}
}
We have now successfully defined two condition sets. Let's learn how we can use them together and create a condition set rules.
Condition Set Hierarchy
Condition sets can have an optional parent condition set. A condition set with a parent applies all conditions from its parent in addition to its own conditions (logical AND). Condition Sets can have multiple levels of hierarchy, and the resulting conditon will apply rules from all of a Condition Set's parents.
Using the Condition Set created in the previous step, we will define a Condition Set for private repositories that have been archived.
{
"key": "private_archived_repos",
"name": "Private Archived Repositories",
"type": "resourceset",
"parent_id": "private_repositories",
"conditions": {
"allOf": [
{
"resource.type": {
"equals": "repository"
}
},
{
"resource.archived": {
"equals": [
"true"
]
}
}
]
}
}