
Building Your First ABAC Policy

Attribute-Based Access Control (ABAC) allows you to create sophisticated access policies based on attributes of users, resources, and the environment. In this guide, we'll walk you through creating an ABAC policy step by step.


Our Example Scenario

Throughout this guide, we'll work with a practical example that demonstrates ABAC's power:

Example Policy

"Students at Stanford University who study full-time are the only ones that can rent University bicycles after 5pm."

This policy involves multiple attributes:

  • User attributes: university, is_full_time
  • Resource attributes: time
  • Action: rent

Let's build this policy together!


Step 1: Creating User Attributes

User attributes define characteristics of your users that influence their access rights.

  1. Navigate to the Directory panel
  2. Click the Settings button
  3. In the User Attributes side panel, click Add Attribute

[Screenshot: User Attributes]

For our bicycle rental example, we need two user attributes:

  • university: The university the student attends
  • is_full_time: Whether the student is enrolled full-time

[Screenshot: User Attribute Created]

Remember to click Save after defining your attributes.


Step 2: Creating Tenant Attributes

Tenant attributes apply to entire organizations or groups within your system.

  1. Navigate to the Users panel
  2. Click the Tenant Attributes button
  3. Click Add New Tenant Attribute

[Screenshot: Tenant Attributes]

Example tenant attributes might include:

  • is_paying: Whether the tenant has an active subscription
  • tier: Service tier level
  • user_count: Number of licensed users

[Screenshot: Tenant Attributes Created]

Don't forget to click Save to store your tenant attributes.


Step 3: Defining Dynamic Role (User Set)

Dynamic roles are groups of users that share common attribute values. Think of them as dynamic sets that automatically include users based on their attributes.

To create ABAC rules, navigate to Policy > ABAC Rules.

[Screenshot: User Sets]

For our example, we'll create a user set for Full-time Stanford Students:

  1. Click Create New ABAC Dynamic role
  2. Enter the Title and click Add Condition
  3. Set these conditions:
    • user.university = "Stanford"
    • user.is_full_time = true

[Screenshot: User Set Example]

Tenant Boundaries in User Sets

Important security considerations:

  • Tenant boundaries are not automatically enforced for user sets
  • To enforce tenant boundaries, either:
    • Add a condition on user.roles
    • Use tenant attributes and compare resource.tenant in resource sets

Step 4: Creating Resources

Resources are the objects or services you want to protect. Each resource can have attributes and allowed actions.

  1. Navigate to the Policy screen and open the Resources tab
  2. Click Add Resource

For our bicycle rental system:

  1. Create a bicycle resource
  2. Add the time attribute
  3. Define two actions:
    • ride
    • rent

[Screenshot: Resource Creation]


Step 5: Defining Dynamic Resource (Resource Set)

Dynamic Resources group resources based on their attributes. In our example, we need to identify Bicycles available after 5pm.

Create the condition:

  • resource.time > "17:00"

[Screenshot: Resource Set Example]

[Screenshot: ABAC Sets]

Advanced: Comparing Resource and User Attributes

You can create conditions that compare resource attributes with user attributes using (ref) operators:

[Screenshot: User/Resource Condition Example]


Step 6: Applying Permissions

The final step is connecting your user sets with resource sets through permissions.

  1. Navigate to the Policy screen
  2. Find your Full-Time Stanford Student User Set
  3. Locate the Bicycles after 5pm Resource Set
  4. Check the appropriate permission boxes

[Screenshot: Giving Permissions]

Don't forget to click Save to keep your changes!
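To make the model behind Steps 3 to 6 concrete, here is an added, constructed evaluator (not Permit.io's code) for the user-set / resource-set / permission structure built above. It assumes a "ref:" prefix to stand in for the (ref) operator and a tenant attribute on both user and resource, which is the tenant-boundary check recommended in Step 3.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict

# Constructed evaluator for the page's user-set / resource-set / permission model (assumption, not Permit.io code).
OPS: Dict[str, Callable[[Any, Any], bool]] = {"=": lambda a, b: a == b, ">": lambda a, b: a > b}

@dataclass
class Condition:
    attr: str    # "user.<attr>" or "resource.<attr>"
    op: str
    value: Any   # literal, or "ref:<attr>" to compare with another attribute (stands in for the (ref) operator)

def lookup(ctx: dict, path: str) -> Any:
    obj, key = path.split(".", 1)          # "user.university" -> ctx["user"]["university"]
    return ctx[obj].get(key)

def holds(cond: Condition, ctx: dict) -> bool:
    left, right = lookup(ctx, cond.attr), cond.value
    if isinstance(right, str) and right.startswith("ref:"):
        right = lookup(ctx, right[4:])
    if left is None or right is None:
        return False                       # a missing attribute never satisfies a condition (deny by default)
    return OPS[cond.op](left, right)

@dataclass
class ConditionSet:
    name: str
    conditions: list                       # all conditions must hold (AND)

    def matches(self, ctx: dict) -> bool:
        return all(holds(c, ctx) for c in self.conditions)

# The policy built in this guide, plus the tenant-boundary check the page recommends for resource sets.
FULL_TIME_STANFORD = ConditionSet("Full-time Stanford Students", [
    Condition("user.university", "=", "Stanford"),
    Condition("user.is_full_time", "=", True),
])
BIKES_AFTER_5 = ConditionSet("Bicycles after 5pm", [
    Condition("resource.time", ">", "17:00"),               # zero-padded "HH:MM" strings compare lexically
    Condition("resource.tenant", "=", "ref:user.tenant"),   # assumed tenant attribute on both sides
])
GRANTS = [(FULL_TIME_STANFORD, BIKES_AFTER_5, {"rent"})]   # (user set, resource set, allowed actions)

def can(user: dict, resource: dict, action: str) -> bool:
    ctx = {"user": user, "resource": resource}
    return any(us.matches(ctx) and rs.matches(ctx) and action in acts
               for us, rs, acts in GRANTS)
```

A user missing any attribute the sets depend on (for example no tenant) is denied, which is the behaviour you want when attribute data is incomplete.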

Important Note

You cannot use "type" as the key for any attribute you create, since it is a reserved keyword.

Complex Policy Support

The Permit.io UI supports complex policies with multiple condition groups and conditions:

[Screenshot: Many Group Example]