Defining Attributes
Attributes are the foundation of Attribute-Based Access Control (ABAC). They are key-value pairs that define characteristics of users, resources, and tenants, enabling you to create flexible and dynamic access control policies. By defining and managing attributes, you can create sophisticated authorization rules based on any combination of these characteristics.
Types of Attributes
Permit supports attributes on three different objects:
- User Attributes - Characteristics of the actor performing an action, to be used in user sets.
- Resource Attributes - Characteristics of the resource the action is being performed on, to be used in resource sets.
- Tenant Attributes - Characteristics of the tenant containing the actor and the resource. Can be used in user sets of users that appear in the tenant.
Defining Attributes
Attributes can be assigned in three ways:
- Assign attributes to users and tenants directly from the UI or the API
- Push user and resource attributes in the permit.check call
- Write a short custom Rego function that generates all types of attributes on the fly
Note that not all attribute sources are available for all attribute types, for example resource attributes can only be pushed in permit.check and as a custom Rego function.
Define Stored User Attributes
After creating the attribute definitions, you can define user-specific attributes.
To define user-specific attributes, in the Users screen, click the user's options button and select Manage Metadata.
From this window you can edit the user attributes as JSON.
Note that to add new attributes you need to first create attribute definitions.
Define Stored Tenant Attributes
After creating the attribute definitions, you can define tenant-specific attributes.
To define tenant-specific attributes, in the Users screen, open the tenant list, click the tenant's edit button.
Then, select Edit Tenant Attributes.
From this window you can edit the user attributes as JSON.
