Skip to main content
Version: 2.0.0

ABAC Policy Creation within the Permit UI


Follow-along Example

There are several steps we want to consider when creating an ABAC Policy with the use of the UI.

Running through building this policy will be best with the aid of a simple example that we can follow.

example

Students at Stanford University who study full-time are the only ones that can rent University bicycles after 5pm.

Create User Attributes

In order to create user attributes, we need to navigate to the Directory panel. We click the Settings button, and there on the User Attributes side panel and we have the option to add attribute.

User Attribute Creation Window

We can define and add attributes based on our example. In this case, we have two user attributes, the university a student attends, and if the student is-full-time.

Defined User Attributes Example

Once we are happy with the definitions, we need to save the newly created user attributes.

Create Tenant Attributes

Just like user attributes, in order to create tenant attributes, we need to navigate to the Users panel. We click the Tenant Attributes button, and have the option to add a new tenant attribute.

Tenant Attribute Creation Window

In this example , we have three tenant attributes, whether the tenant is-paying, its service tier, and how many users the tenant is paying for.

Defined Tenant Attributes Example

Once we are happy with the definitions, we need to save the newly created user attributes.

Define a User Set

Now that we have created our attributes, we can go ahead and define a user set. Within each user set, we can add conditions that will be applied to each user.

User Set Window

A user set, as explained previously, is a set of condition groups that match specific characteristics of either the user or its tenant. As per our above example, a user set for us is Students at Stanford University who study full-time.

User Set Example

This is a very simple example of a user set. You can create a user set with several condition groups and multiple conditions within each group. If you would like to learn more about creating conditions, please refer to Available Operators.

Enforcing Tenant Boundaries with user sets

Please be aware that tenant-boundaries are not enforced automatically for user sets (unlike for RBAC-based or ReBAC based policies). It means that with userset conditions you can allow a user to access resources outside their tenant.

You can manually enforce tenant boundaries inside a userset by adding a condition on the built-in user.roles attribute.

Another option is by adding a condition on tenant-attributes (e.g: tenant.subscription == "pro" is an example for such a condition). In which case you would also need to reference the resource.tenant attribute in the resource set and compare it to the user's tenant.

Create a New Resource

A resource is what we will be assigning our actions too, and giving each user set the permissions to perform certain actions. First, we have to create a new resource.

Resource Window

As per our above example, our resource will be a bicycle, and because we are referring to a bicycle that can be rented out, the attribute will be time.

Resource Adding Attributes Example

We have given the resource two actions. A user is able to ride and rent a bicycle.

Define a Resource Set

Now that we have set up our resource with specific characteristics, we can go onto defining a resource set. Following in the footsteps of our defined example above, the condition that we will be building for our resource is renting University bicycles after 5pm.

Resource Set Window

Our conditions for this set will be setting time using the comparison greater-than to 5pm.

Resource Set Example

Apply Permissions to create an ABAC Policy

Now that we have set up all the attributes for users and resources, along with the user and resource set, we apply permissions directly from the dashboard.

We have a Full-Time Stanford Student role, where a resource is renting bicycles after 5pm. It's as simple as ticking the right option!

Giving Permissions

Remember to always save your changes!

Saving Permissions

Congratulations! You have set up your ABAC policy.

UI supports Complexity

Conditions can be very complex and difficult, but all of that complexity is supported within the UI. Below is an example of what the UI looks like when several condition groups with many conditions are required.

Many Group Example