Skip to main content
Version: 2.0.0

Create an ABAC Policy

Attribute-Based Access Control (ABAC) is a powerful and flexible access control method that uses attributes to determine access. These attributes can relate to users, resources environmental conditions. ABAC policies are particularly useful when you need fine-grained control over access decisions based on various dynamic factors.

Understanding the scenario

Imagine you’re managing a secure company network.

To protect intellectual property, you want to ensure that only employees in the R&D department who have completed mandatory cybersecurity training can access high-priority classified project documents.

This level of control goes beyond traditional roles and uses ABAC to enforce fine-grained policies based on user and resource attributes.

In this step-by-step guide, we’ll walk through creating and implementing an ABAC policy for this scenario, demonstrating the power and flexibility of attribute-based control.

Create User Attributes

User attributes form the foundation of ABAC policies. These attributes define who the user is and what conditions must be met for access.

  • Department: Which department the user belongs to.
  • Training Status: Whether the user has completed cybersecurity training.

Most user attribute values are automatically provided by your authentication provider, such as an identity management system (e.g., Okta, Auth0, Clerk etc.). These systems store and supply user details like department, role, or certification status during the authentication process.

  • Attribute 1: department (e.g., "R&D", "Sales").
  • Attribute 2: training_status (e.g., "completed", "pending").

In order to set User attributes navigate to Directory > Settings > User Attributes and then Add Attribute.

Create Resource Attributes

Resource attributes define the characteristics of the resources you want to control access to. In our example, the resources are classified project documents, and the attributes will help determine their priority and type. Additionally, we will specify the actions users can perform on these resources.

  • Priority Level: Classifies documents as "high", "medium", or "low" priority.
  • Document Type: Specifies the document category (e.g., "classified", "public").

Navigate to the Resources Panel, select Resource Attributes, and add these:

  • Attribute 1: priority_level (e.g., "high", "medium").
  • Attribute 2: document_type (e.g., "classified").

In order to set Resource attributes navigate to Policy > Edit Resource (if one exists) > ABAC Options and then Attributes.

Define a User Set

User sets are collections of users grouped by specific attributes, allowing you to apply policies efficiently. For this example:

Create a User Set that includes employees from the R&D Department who have completed cybersecurity training.

Navigate to User Sets and configure the conditions:

  • department equals Engineering.
  • training_status equals certified.

Define a Resource Set

Resource sets group resources based on their attributes, enabling precise control over access. For this scenario:

Define a Resource Set for high-priority classified documents.

Navigate to Resource Sets and configure the conditions:

  • priority_level equals high.
  • document_type equals classified.

Create your policy rules

Policy rules link user sets, resource sets, and actions to enforce access control.

Define an Engineering user as someone permitted to read standard documents but restricted from accessing highly classified documents. In contrast, an R&D Certified Employee is allowed to read both standard documents and High Priority Classified Documents.

What did you learn?

In this guide, you’ve learned how to create and implement an Attribute-Based Access Control (ABAC) policy step by step.

By leveraging ABAC, you’ve seen how to move beyond rigid roles and permissions to a dynamic system that responds to the nuances of user and resource characteristics.

FUN FACT!

Did you know that ABAC is sometimes referred to as policy-based access control? This is because ABAC doesn’t rely on static roles but instead evaluates dynamic policies in real-time. For example, it can allow a temporary contractor working remotely during a snowstorm to access certain resources—if the conditions (like their role, location, and task type) align perfectly with the policy. This adaptability makes ABAC a popular choice for modern, cloud-based systems

Woohoo! You did it. 🎉

You are officially an authorization champion.

Contents