ABAC Policy Creation within the Permit UI
Follow-along Example
There are several steps we want to consider when creating an ABAC Policy with the use of the UI.
Running through building this policy will be best with the aid of a simple example that we can follow.
Students at Stanford University who study full-time are the only ones that can rent University bicycles after 5pm.
Create User Attributes
In order to create user attributes, we need to navigate to the Directory panel. We click the Settings button, and there on the User Attributes side panel and we have the option to add attribute.
We can define and add attributes based on our example. In this case, we have two user attributes, the university a student attends, and if the student is-full-time.
Once we are happy with the definitions, we need to save the newly created user attributes.
Create Tenant Attributes
Just like user attributes, in order to create tenant attributes, we need to navigate to the Users panel. We click the Tenant Attributes button, and have the option to add a new tenant attribute.
In this example , we have three tenant attributes, whether the tenant is-paying, its service tier, and how many users the tenant is paying for.
Once we are happy with the definitions, we need to save the newly created user attributes.
Define a User Set
Now that we have created our attributes, we can go ahead and define a user set. Within each user set, we can add conditions that will be applied to each user.
A user set, as explained previously, is a set of condition groups that match specific characteristics of either the user or its tenant. As per our above example, a user set for us is Students at Stanford University who study full-time.
This is a very simple example of a user set. You can create a user set with several condition groups and multiple conditions within each group. If you would like to learn more about creating conditions, please refer to Available Operators.
Please be aware that tenant-boundaries are not enforced automatically for user sets (unlike for RBAC-based or ReBAC based policies). It means that with userset conditions you can allow a user to access resources outside their tenant.
You can manually enforce tenant boundaries inside a userset by adding a condition on the built-in user.roles
attribute.
Another option is by adding a condition on tenant-attributes (e.g: tenant.subscription == "pro"
is an example for such a condition).
In which case you would also need to reference the resource.tenant
attribute in the resource set and compare it to the user's tenant.
Create a New Resource
A resource is what we will be assigning our actions too, and giving each user set the permissions to perform certain actions. First, we have to create a new resource.
As per our above example, our resource will be a bicycle, and because we are referring to a bicycle that can be rented out, the attribute will be time.
We have given the resource two actions. A user is able to ride and rent a bicycle.
Define a Resource Set
Now that we have set up our resource with specific characteristics, we can go onto defining a resource set. Following in the footsteps of our defined example above, the condition that we will be building for our resource is renting University bicycles after 5pm.
Our conditions for this set will be setting time using the comparison greater-than to 5pm.
Apply Permissions to create an ABAC Policy
Now that we have set up all the attributes for users and resources, along with the user and resource set, we apply permissions directly from the dashboard.
We have a Full-Time Stanford Student role, where a resource is renting bicycles after 5pm. It's as simple as ticking the right option!
Remember to always save your changes!
Congratulations! You have set up your ABAC policy.
UI supports Complexity
Conditions can be very complex and difficult, but all of that complexity is supported within the UI. Below is an example of what the UI looks like when several condition groups with many conditions are required.