Skip to main content

Creating an Attribute Based Access Control Policy

We're going to create an ABAC policy that will interact with our PeopleFinder application. First, open the Aserto Console and navigate to the Policies tab. Click on the "Add a Policy" button:

add-a-policy

Create a new policy based on the policy-peoplefinder-abac template, and name it peoplefinder-abac.

policy-from-template

Open the policy once it is created, and open the peoplefinder.POST.api.users.__id module.

console-policy-peoplefinder-post

As you can see, this policy is slightly different from the RBAC policy we created before: instead of referencing the data object (which is based on the definitions in the data.json file) and the roles defined there, it uses the user's attributes to determine whether they are equal to a specific value.

In this module, we check whether the user's department attribute is equal to Operations. If the check yields a true value, the user will be allowed to perform the POST operation on the /api/users/:id resource - which means they'll be able to update the title and department attributes of another user.

This policy will result in a dynamic behavior of the authorization model: any user assigned to the Operations department at runtime will now have the permission to make updates to other users as well.

Let's update our PeopleFinder application to point to this new policy to see it in action.