ObjectsGrid
  • Documentation
    • Core Concepts
    • Usage Guide
      • Quick Start
      • Authentication and Authorization
      • Access Control via ABAC
      • GraphQL API Examples
      • Login with Google app setup
    • OBJECTS GRID Objects
      • Generic Object
        • GenericObjects REST API
      • ProductCatalog Object
      • ProductGroup Object
      • Product Object
      • Meta Object
      • Tags Object
    • Private Objects
      • Auth
        • Tokens REST API
      • ABAC Policy
        • ABACPolicies REST API
      • Organization Account
        • OrganizationAccounts REST API
      • User Account
        • UserAccounts REST API
      • Service Account
        • ServiceAccounts REST API
      • Access Logging
        • AccessLogEntries REST API
  • Support
    • Terms and Conditions
  • Blogs
    • Attribute Based Access Control
    • ABAC vs RBAC
Powered by GitBook
On this page

Was this helpful?

  1. Documentation
  2. Usage Guide

Access Control via ABAC

Setup your access control policies via Attribute-Based Access Control (ABAC)

Attribute-Based Access Control (ABAC) is an advanced, flexible authorization model that grants or denies access to resources based on a combination of attributes rather than fixed roles or identities.

All Objects Grid access control is managed by your ABAC Policy. There is one ABAC Policy per Organization Account.

When registered, your Organization Account is initially created with a default ABAC policy that grants full access to the creator (administrator) and denies access to everyone else:

package abac
import rego.v1

default allow := false

allow if {
  is_administrator
}

is_administrator if {
  some tag 
  tag = input.subject.tags[_]
  tag.name == "administrator"
  tag.val == "yes"
}

For ObjectsGrid, the objects' tags are the "attributes" in Attribute-Based Access Control.

The next step is for the administrator to strategize and come up with a ABAC Policy that satisfies their organization's needs.

There are 2 levels of access control: API operation level and Object level. The object type is define in each Object doc. The operation names are defined in each object's respective REST API doc. Most of the time you will find the following 5 CRUDL operations: - "create", - "retrieve", - "update", - "delete", - "list" Some specialized objects might contain additional operations. Each Object doc contains its respective REST API doc.

For example, if the administrator wants to grant access to all users to read "coffee" Object types: Note that all users upon creation get a default tag "organization" with your organization account id as value.

package abac
import rego.v1

default allow := false

allow if {
  is_administrator
}

is_administrator if {
  some tag 
  tag = input.subject.tags[_]
  tag.name == "administrator"
  tag.val == "yes"
}

allow if {
 required_tags_present
 input.action == "retrieve"
 input.objectType == "coffee"
}

required_tags_present if {
 some t
 t = input.subject.tags[_]
 t.name == "organization"
 t.val == "org-???-????"
}

Example: Assign ownership of the object to its creator and grant them full access. That way you are delegating access control management to the respective object owner. 

package abac
import rego.v1

default allow := false

allow if {
  is_owner
}

is_owner {
  input.meta.createdBy == input.subject.id
}

ABAC Policies are very flexible, and in effect they can become quite complex. They require extensive testing to ensure you are getting the expected results. Feel free to register a new organization account that you can use for testing, before promoting you ABAC Policy changes to your production organization account. Keep the previous ABAC Policy version handy, in case you need to roll-back.

PreviousAuthentication and AuthorizationNextGraphQL API Examples

Last updated 17 days ago

Was this helpful?

Please refer to the for more details.

If you need support with your use case, or you need additional examples documented here, please .

ABAC Policy Object
contact us