Attribute Based Access Control (ABAC)

Sarath S

Syncari provides mechanisms to ensure that users in your organization can access only the information, features, and functions required for them, by providing both the traditional Role Based Access Control (RBAC) and Attribute Based Access Control (ABAC). 

ABAC is a type of access control that grants or denies access to resources based on attributes of the user and the resource. It goes beyond traditional role-based access control (RBAC) by allowing for more granular and flexible access policies. ABAC uses policies and rules to evaluate attributes and determine whether a user can perform a specific action on a resource.

In this post, we explore how Syncari's attribute-based access control works in greater depth and consider the ways that adopting ABAC could benefit your organization.


Permissions are instance-specific. So, if your organization includes multiple instances of Syncari (e.g., sandbox, production, and testing), you’ll apply policies specific to each instance.

Key Concepts of ABAC

ABAC involves three key concepts:

  • Attributes
  • Values
  • Policies


Attributes: ABAC relies on attributes, which are characteristics or properties associated with the subject (user) and object (resource).

Examples of attributes include a Department attribute for the User and a Department attribute for the Resource.

Values: A value is the specific data associated with an attribute. ABAC uses these attribute values to make access control decisions. Examples of values include setting the value 'MARKETING' on the Department attribute of a Syncari user with the email ID abc@xyz.com, and setting the value 'MARKETING' on a Syncari resource such as the Leads Entity.


Policies: Policies determine access to resources based on attributes of the user and the resource. They do so by letting users create conditions that compare an attribute of the Resource with an attribute of the User using an operator.

Example: Creating a policy to restrict user access to Entities based on Department attribute: [resource.Department Equal user.Department]

Viewing Attributes, Values, Policies and Permissions

The Access Control / Attribute Based page in Settings shows the Attributes, Policies and Values as Tabs.

To view ABAC settings:

  1. Click Settings in the left navigation panel.
  2. Expand Access Control from the sub panel, and then select Attribute Based.
  3. Click the Attributes, Policies or Values tab to open the respective table, which lists the existing Attributes, Policies or Values.


Creating an Attribute

  1. Click Settings in the left navigation pane.
  2. Expand Access Control from the sub panel, and then select Attribute Based.
  3. Click the Add Attribute button above the top right corner of the Attributes Table.
  4. After the Create Attribute form shows up, provide a suitable name for the Attribute.
  5. In Syncari, an Attribute can be created for any available resource, such as users, entities or data sets. All these resources are broadly classified into 5 types, which are available in the Resource Type drop-down:
  • User
  • Global
  • Entity
  • Entity Data
  • Dataset
  6. Once a Resource Type is selected, all resources under the selected type are populated in the Resource drop-down, from which the user can then select one.
  7. Users can then select the data type of the Attribute and whether it supports multiple values before submitting the form and creating the Attribute.

Assigning a Value

  1. Click Settings in the left navigation pane.
  2. Expand Access Control from the sub panel, and then select Attribute Based.
  3. The user gets redirected to the ABAC landing page. Click on Values Tab to view the Values Table.
  4. Click the Add Value button above the top right corner of the Values Table.
  5. Select the Resource Type from the drop down to filter down the resources available.
  6. Select the desired Resource under the selected type from the Resource drop down.
  7. All Attributes associated with the selected resource show up below. Users can assign the desired values to these attributes.

Creating a Policy

  1. Click Settings in the left navigation pane.
  2. Expand Access Control from the sub panel, and then select Attribute Based.
  3. The user gets redirected to the ABAC landing page. Click on Policies Tab to view the Policies Table.
  4. Click the Add Policy button above the top right corner of the Policies Table.
  5. Once a user makes the Resource Type and Resource Selections, the Policy mapper is made available.

Policy Application

Once a policy is created, it applies to all users who have a value assigned to the user attribute involved in the policy, and the resource associated with the policy is restricted or made available to each of those users accordingly. This also implies that for users who do not yet have any value assigned, ABAC rules do not apply and they can access the resource according to the applicable RBAC rules.
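As an added illustration (example code written for this article, not Syncari's own engine or a description of its internals), the following Python script models the attribute, value and policy concepts described above and the application rule in this section: a policy compares one resource attribute with one user attribute through an operator and grants one permission, it applies only to users who have a value for that user attribute, and users without a value fall back to the RBAC decision. The class and function names (ValueStore, Policy, evaluate), the NotEqual operator and the users engineer@example.com and nobody@example.com are constructed for the example; the Department values, the Leads and Ticket entities and abc@xyz.com come from this article.

```python
"""Minimal ABAC evaluator modelled on the concepts in this article.

Added example, not Syncari's own code. Attribute values are keyed by
(resource type, resource name); a policy compares one resource attribute
with one user attribute through an operator and grants one permission.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# "Equal" is the operator shown in the article; "NotEqual" is assumed for illustration.
OPERATORS: Dict[str, Callable[[object, object], bool]] = {
    "Equal": lambda resource_value, user_value: resource_value == user_value,
    "NotEqual": lambda resource_value, user_value: resource_value != user_value,
}


@dataclass(frozen=True)
class Policy:
    name: str
    resource_type: str   # e.g. "Entity"
    resource_attr: str   # e.g. "Department" (resource side of the condition)
    operator: str        # e.g. "Equal"
    user_attr: str       # e.g. "Department" (user side of the condition)
    permission: str      # e.g. "READ"


@dataclass
class ValueStore:
    """Values assigned to attributes, keyed by (resource type, resource name)."""
    values: Dict[Tuple[str, str], Dict[str, object]] = field(default_factory=dict)

    def assign(self, resource_type: str, resource: str, attribute: str, value: object) -> None:
        self.values.setdefault((resource_type, resource), {})[attribute] = value

    def get(self, resource_type: str, resource: str, attribute: str) -> Optional[object]:
        return self.values.get((resource_type, resource), {}).get(attribute)


def evaluate(store: ValueStore, policies: List[Policy], user: str,
             resource_type: str, resource: str, permission: str,
             rbac_allows: bool) -> Tuple[bool, str]:
    """Decide whether `user` may perform `permission` on the given resource.

    Follows the application rule in the article: a policy applies only to users
    who have a value for the policy's user attribute. If no policy applies, the
    caller's RBAC decision (`rbac_allows`) is returned unchanged. Treating several
    applicable policies as "any matching condition grants" is an assumption.
    """
    applied = False
    for policy in policies:
        if policy.resource_type != resource_type or policy.permission != permission:
            continue
        user_value = store.get("User", user, policy.user_attr)
        if user_value is None:
            continue  # user has no value assigned: this policy does not apply
        applied = True
        resource_value = store.get(resource_type, resource, policy.resource_attr)
        if OPERATORS[policy.operator](resource_value, user_value):
            return True, f"allowed by policy '{policy.name}'"
    if applied:
        return False, "denied: an ABAC policy applied but its condition did not match"
    return rbac_allows, "no ABAC policy applied; RBAC decision used"


def example_store() -> ValueStore:
    """Constructed sample data mirroring the article's Department example."""
    store = ValueStore()
    store.assign("User", "abc@xyz.com", "Department", "MARKETING")
    store.assign("User", "engineer@example.com", "Department", "Engg")  # constructed user
    # "nobody@example.com" is deliberately left without a Department value.
    store.assign("Entity", "Leads", "Department", "MARKETING")
    store.assign("Entity", "Ticket", "Department", "Engg")
    return store


DEPARTMENT_POLICY = Policy(
    name="Department based access policy",
    resource_type="Entity", resource_attr="Department",
    operator="Equal", user_attr="Department", permission="READ",
)


def can_read(user: str, entity: str, rbac_allows: bool = True) -> bool:
    """READ decision for `user` on `entity` under the Department policy."""
    allowed, _reason = evaluate(example_store(), [DEPARTMENT_POLICY], user,
                                "Entity", entity, "READ", rbac_allows)
    return allowed


if __name__ == "__main__":
    for user in ("abc@xyz.com", "engineer@example.com", "nobody@example.com"):
        for entity in ("Leads", "Ticket"):
            allowed, reason = evaluate(example_store(), [DEPARTMENT_POLICY], user,
                                       "Entity", entity, "READ", rbac_allows=True)
            print(f"{user:22} {entity:6} -> {allowed!s:5} ({reason})")
```

Running the script prints one decision per user and entity: the MARKETING user reads Leads but not Ticket, the Engg user the reverse, and the user with no Department value is decided purely by the `rbac_allows` flag, which is the fallback behaviour the section above describes. A permission the policy does not grant (for example WRITE) also falls through to RBAC, so a policy that grants READ never silently widens other permissions.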

Creating a new ABAC rule

Let us consider creating a new ABAC rule by mapping an Attribute called Department on a User to an Attribute called Department on an Entity. The steps involved are:
 

Step 01: Creating User Attribute called Department

Access the Attribute Based page (Settings > Access Control > Attribute Based).

Click Add Attribute button

Fill the form with the following data: Name: Department | Resource Type: User | Resource: User | Data Type: Text

Click Save button

The user gets redirected to the Attributes Table view with the newly created Attribute in the table.

Step 02: Creating Entity Attribute called Department

Access the Attribute Based page (Settings > Access Control > Attribute Based).

Click Add Attribute button

Fill the form with the following data: Name: Department | Resource Type: Entity | Resource: All Entities | Data Type: Text

Click Save button

The user gets redirected to the Attributes Table view with the newly created Attribute appearing in the table.

Step 03: Adding a value to the Department Attribute for a specific user

Access the Attribute Based page (Settings > Access Control > Attribute Based).

Click on Values Tab

Click on Add Value button

Fill the form with the following data: Resource Type: User | Resource: admin@syncari.com | Department: MARKETING

Click Save button

The user gets redirected to the Values Table view with the newly created value in the table.

Step 04: Adding a value to the Department Attribute for a specific Entity

Access the Attribute Based page (Settings > Access Control > Attribute Based).

Click on Values Tab

Click on Add Value button

Fill the form with the following data: Resource Type: Entity | Resource: Lead | Department: MARKETING

Click Save button

The user gets redirected to the Values Table view with the newly created value in the table.

Step 05: Adding a Policy that permits users to View Entities based on equal value in the Department attribute

Access the Attribute Based page (Settings > Access Control > Attribute Based).

Click on Policies Tab

Click on Add Policy button

Fill the form with the following data: Name: Department based access policy | Resource Type: Entity | Resource: All Entities | Condition: All Entities.Department Equals User.Department | Permission: READ

Click Save button

The user gets redirected to the Policies Table view with the newly created policy in the table.

Navigating back to Schema Studio or Data Studio shows that only users whose Department attribute value matches that of an entity can view that entity.

Step 06: Adding new values for user and entity

Access the Attribute Based page (Settings > Access Control > Attribute Based).

Click on Values Tab

Click on Add Value button

Fill the form with the following data: Resource Type: User | Resource: saraths@syncari.com | Department: Engg

Access the Attribute Based page (Settings > Access Control > Attribute Based).

Click on Values Tab

Click on Add Value button

Fill the form with the following data: Resource Type: Entity | Resource: Lead | Department: Engg

Click Save button

Step 07: Log in as the other user

Due to the existing policy, the new user 'saraths', who has the Department attribute value Engg, is only able to view the Ticket entity, which also has the Department attribute value Engg.
