
Defining Attributes

Attributes are the foundation of Attribute-Based Access Control (ABAC). They are key-value pairs that define characteristics of users, resources, and tenants, enabling you to create flexible and dynamic access control policies. By defining and managing attributes, you can create sophisticated authorization rules based on any combination of these characteristics.

Types of Attributes

Permit supports attributes on three different objects:

  • User Attributes - Characteristics of the actor performing an action, to be used in user sets.
  • Resource Attributes - Characteristics of the resource the action is being performed on, to be used in resource sets.
  • Tenant Attributes - Characteristics of the tenant containing the actor and the resource. Can be used in user sets of users that appear in the tenant.

Defining Attributes

Attributes can be assigned in three ways:

  1. Assign attributes to users and tenants directly from the UI or the API
  2. Push user and resource attributes in the permit.check call
  3. Write a short custom Rego function that generates all types of attributes on the fly

Note that not all attribute sources are available for all attribute types. For example, resource attributes can only be pushed in the permit.check call or generated by a custom Rego function.
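As an added example (not taken from Permit's documentation or SDK), the sketch below validates user and resource attributes against declared definitions before they are pushed in a check call, so a misspelled or mistyped attribute is rejected in the application rather than passed on to the policy decision. The attribute names and the `validate` and `build_check_args` helpers are hypothetical, and the dictionary shapes used for the user and resource arguments are assumptions to confirm against the SDK reference.

```python
# Constructed attribute definitions (hypothetical names), standing in for the
# definitions that must be created before attribute values can be used.
USER_ATTRS = {"department": str, "clearance": int}
RESOURCE_ATTRS = {"classification": str, "has_approval": bool}


def validate(attrs, definitions):
    """Return a copy of attrs; raise ValueError on undeclared keys or wrong types."""
    clean = {}
    for name, value in attrs.items():
        expected = definitions.get(name)
        if expected is None:
            raise ValueError(f"undeclared attribute: {name!r}")
        # bool is a subclass of int in Python, so compare exact types:
        # True must not be accepted where a number is declared, or the reverse.
        if type(value) is not expected:
            raise ValueError(
                f"{name!r}: expected {expected.__name__}, got {type(value).__name__}"
            )
        clean[name] = value
    return clean


def build_check_args(user_key, user_attrs, action, resource_type, resource_attrs, tenant):
    """Build (user, action, resource) arguments carrying validated attributes."""
    # Assumed argument shapes; values should come from server-side state,
    # not from fields the requesting client controls.
    user = {"key": user_key, "attributes": validate(user_attrs, USER_ATTRS)}
    resource = {
        "type": resource_type,
        "attributes": validate(resource_attrs, RESOURCE_ATTRS),
        "tenant": tenant,
    }
    return user, action, resource


if __name__ == "__main__":
    args = build_check_args(
        "alice@example.com", {"department": "finance", "clearance": 2},
        "read", "document", {"classification": "internal", "has_approval": True},
        "default",
    )
    print(args)
    # With a configured SDK client: allowed = await permit.check(*args)
```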

Define Stored User Attributes

After creating the attribute definitions, you can define user-specific attributes.

To define user-specific attributes, in the Users screen, click the user's options button and select Manage Metadata.

From this window you can edit the user attributes as JSON.

Note that to add new attributes you need to first create attribute definitions.

Define Stored Tenant Attributes

After creating the attribute definitions, you can define tenant-specific attributes.

To define tenant-specific attributes, in the Users screen, open the tenant list and click the tenant's edit button.

Then, select Edit Tenant Attributes.

From this window you can edit the tenant attributes as JSON.