ABAC Usage

Varsha Neelesh

This article gives a few examples of how you can use ABAC to grant or restrict users' access to resources.

How It Works

Role-based and ABAC-based access control work hand in hand. The more restrictive of the two takes precedence. If you want to provide access to an entire resource, it's best to use role-based access. But if the use case warrants allowing access to only a subset of records or attributes on an entity, for example, ABAC-based access control works best. To do so, we need to create policies that allow access to a subset of the resource. If a data steward needs WRITE access only to an attribute in an entity in Data Studio, you also need to create policies to deny access to other entities and attributes explicitly in ABAC. It is not enough to create ALLOW policies. You also need to create policies that deny access.

Usage

Let us take one example. As an admin, I want a DataSteward to be able to approve changes on Account attributes. Hence, I want this user to be able to update the "Approval" attribute on Account to approved/rejected. But I want to restrict this user from editing any other attribute on Account. Below are the steps needed to achieve the desired outcome.

Policy that allows edit on "approval" attribute on Account to DataSteward -
 
  • Create attribute “Data Steward” resource type User, resource User. Create value for this attribute with “Account Approver”; resource will be the user's email
  • Create attribute “Account Approval” resource type Entity Attribute, resource Account.approval. Create value for this attribute with “Account Approver”

  • Create Policy resource type Entity Attribute, resource Account.Approval. Condition Account.Approval.Account Approval Editor equals User.Data Steward


Policy that restricts edit of all other attributes on Account for DataSteward -
 
  • Create attribute “Account Attributes” resource type Entity Attribute, resource Account.All Attributes. Create value for this attribute with “true”
  • Create Policy resource type Entity Attribute, resource Account.All Attributes. Condition User.Data Steward is empty


Testing

Now log into the system as the user to whom the policies were applied. Try to edit the attributes on Account.
 
Edit Approval attribute - Success
 
Edit Other attributes - Failure

Note: To restrict access to other entities for this user, you need to define more policies for all entities that need restriction.
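
The two policies and the test results above, modeled as an added Python example (it is not the product's policy engine and not code from this article). It assumes that an attribute-specific policy overrides the All Attributes policy and that an entity with no ABAC policy falls back to the role alone; the emails and schema are constructed.

```python
# Toy model of the two policies above; NOT the product's policy engine.
# Assumptions: a role grants WRITE per entity; an ABAC policy on a specific
# attribute overrides the "All Attributes" policy for that attribute; with no
# matching ABAC policy the role decides alone.

ALL = "All Attributes"

# Attribute values created in the steps (emails are constructed samples).
USER_ATTRS = {"steward@example.com": {"Data Steward": "Account Approver"}}
RESOURCE_ATTRS = {("Account", "approval"): {"Account Approval": "Account Approver"}}

def allow_approval(user, res):
    # Policy 1: resource value equals the user's "Data Steward" value.
    tag = RESOURCE_ATTRS.get(res, {}).get("Account Approval")
    return tag is not None and tag == USER_ATTRS.get(user, {}).get("Data Steward")

def steward_is_empty(user, res):
    # Policy 2: condition "User.Data Steward is empty".
    return not USER_ATTRS.get(user, {}).get("Data Steward")

POLICIES = {
    ("Account", "approval"): allow_approval,
    ("Account", ALL): steward_is_empty,
}

def can_edit(user, role_entities, entity, attribute):
    """Role and ABAC must both permit the edit (the more restrictive wins)."""
    if entity not in role_entities:
        return False
    policy = POLICIES.get((entity, attribute)) or POLICIES.get((entity, ALL))
    if policy is None:
        return True  # no ABAC policy for this entity: role alone decides
    return policy(user, (entity, attribute))

def audit(user, role_entities, schema):
    """List every entity.attribute the user can still edit."""
    return sorted(f"{e}.{a}" for e, attrs in schema.items() for a in attrs
                  if can_edit(user, role_entities, e, a))

# Constructed schema; Contact has no ABAC policy defined.
SCHEMA = {"Account": ["approval", "name", "revenue"], "Contact": ["email"]}

if __name__ == "__main__":
    print(audit("steward@example.com", {"Account", "Contact"}, SCHEMA))
    print(audit("admin@example.com", {"Account", "Contact"}, SCHEMA))
```

In this model the steward can still edit Contact.email, which is the gap the note above describes: every entity that needs restriction requires its own policy.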