Access Control via ABAC

Set up your access control policies via Attribute-Based Access Control (ABAC)

Attribute-Based Access Control (ABAC) is an advanced, flexible authorization model that grants or denies access to resources based on a combination of attributes rather than fixed roles or identities.

All Objects Grid access control is managed by your ABAC Policy. There is one ABAC Policy per Organization Account.

When registered, your Organization Account is initially created with a default ABAC policy that grants full access to the creator (administrator) and denies access to everyone else:

package abac
import rego.v1

# Deny by default: a request is allowed only if some allow rule below matches.
default allow := false

# Administrators are allowed to do anything.
allow if {
  is_administrator
}

# A subject is an administrator when one of its tags is administrator=yes.
is_administrator if {
  some tag
  tag = input.subject.tags[_]
  tag.name == "administrator"
  tag.val == "yes"
}

For ObjectsGrid, the objects' tags are the "attributes" in Attribute-Based Access Control.

The next step is for the administrator to design an ABAC Policy that satisfies their organization's needs.

There are two levels of access control: the API operation level and the Object level. The object type is defined in each Object doc. The operation names are defined in each object's respective REST API doc. Most of the time you will find the following five CRUDL operations:

- "create"
- "retrieve"
- "update"
- "delete"
- "list"

Some specialized objects contain additional operations. Each Object doc links to its respective REST API doc.

For example, suppose the administrator wants to grant every user read access to Objects of type "coffee". Every user is given, on creation, a default tag named "organization" whose value is your organization account id, so the policy can match on that tag:

package abac
import rego.v1

# Deny by default: a request is allowed only if some allow rule below matches.
default allow := false

# Administrators are allowed to do anything.
allow if {
  is_administrator
}

# A subject is an administrator when one of its tags is administrator=yes.
is_administrator if {
  some tag
  tag = input.subject.tags[_]
  tag.name == "administrator"
  tag.val == "yes"
}

# Any member of the organization may retrieve "coffee" objects.
allow if {
  required_tags_present
  input.action == "retrieve"
  input.objectType == "coffee"
}

# The subject carries the default "organization" tag with this account's id.
required_tags_present if {
  some t
  t = input.subject.tags[_]
  t.name == "organization"
  t.val == "org-???-????"
}

Example: assign ownership of an object to its creator and grant the owner full access to it. This delegates access control management to each object's owner.

package abac
import rego.v1

# Deny by default: a request is allowed only if some allow rule below matches.
default allow := false

# The owner of an object is allowed any operation on it.
allow if {
  is_owner
}

# The subject owns the object when it is recorded as the object's creator.
# (rego.v1 requires the "if" keyword on every rule.)
is_owner if {
  input.meta.createdBy == input.subject.id
}

ABAC Policies are very flexible and can therefore become quite complex. They require extensive testing to ensure you are getting the expected results. Feel free to register a new organization account that you can use for testing before promoting your ABAC Policy changes to your production organization account. Keep the previous ABAC Policy version handy in case you need to roll back.
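The following block is an added example, not part of the ObjectsGrid documentation, that combines the administrator, organization-member and owner rules from the examples above into one policy and ships it with OPA unit tests (rules prefixed `test_`), so that a change to the policy can be checked with `opa test` before it is promoted. It assumes only the input shape used on this page (`input.subject.id`, `input.subject.tags`, `input.action`, `input.objectType`, `input.meta.createdBy`); the organization id `org-PLACEHOLDER`, the user ids and the `"product"` object type are constructed fixture values.

```rego
package abac
import rego.v1

# Deny by default: a request is allowed only if some allow rule matches.
default allow := false

# 1. Administrators may perform any operation on any object.
allow if is_administrator

# 2. Any organization member may read "coffee" objects.
allow if {
  input.action == "retrieve"
  input.objectType == "coffee"
  same_organization
}

# 3. The creator of an object may read, change or delete it.
#    "create" is deliberately excluded: at creation time there is no
#    meta.createdBy yet, so an owner rule can never grant it.
allow if {
  input.action in {"retrieve", "update", "delete"}
  is_owner
}

is_administrator if {
  some tag in input.subject.tags
  tag.name == "administrator"
  tag.val == "yes"
}

same_organization if {
  some tag in input.subject.tags
  tag.name == "organization"
  tag.val == "org-PLACEHOLDER" # replace with your organization account id
}

is_owner if input.meta.createdBy == input.subject.id

# ---- Unit tests: run with `opa test abac.rego -v` ----
# Constructed subjects (not real accounts).
admin := {"id": "user-admin", "tags": [
  {"name": "organization", "val": "org-PLACEHOLDER"},
  {"name": "administrator", "val": "yes"},
]}
member := {"id": "user-member", "tags": [
  {"name": "organization", "val": "org-PLACEHOLDER"},
]}
outsider := {"id": "user-other", "tags": [
  {"name": "organization", "val": "org-SOMEONE-ELSE"},
]}

test_admin_can_delete_anything if {
  allow with input as {"subject": admin, "action": "delete", "objectType": "product"}
}

test_member_can_retrieve_coffee if {
  allow with input as {"subject": member, "action": "retrieve", "objectType": "coffee"}
}

test_member_cannot_update_coffee_they_do_not_own if {
  not allow with input as {"subject": member, "action": "update", "objectType": "coffee",
    "meta": {"createdBy": "user-admin"}}
}

test_owner_can_update_own_object if {
  allow with input as {"subject": member, "action": "update", "objectType": "coffee",
    "meta": {"createdBy": "user-member"}}
}

test_outsider_cannot_retrieve_coffee if {
  not allow with input as {"subject": outsider, "action": "retrieve", "objectType": "coffee"}
}

test_member_cannot_create_without_explicit_rule if {
  not allow with input as {"subject": member, "action": "create", "objectType": "coffee"}
}
```

The last test documents a point worth checking in any owner-based policy: because `meta.createdBy` only exists after an object has been created, an owner rule never covers "create", and a separate rule (for example one keyed on the "organization" tag) is needed if non-administrators are meant to create objects. Keeping the tests in the same package as the policy lets them call `allow` directly and mock the request with `with input as`, so the whole policy can be exercised offline before it is uploaded to an organization account.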


Last updated 2 months ago

Please refer to the ABAC Policy Object for more details.

If you need support with your use case, or you need additional examples documented here, please contact us.