Implementing ABAC

How it works

ABAC works in tandem with Relationship-Based Access Control, or ReBAC. When creating a relation, you can specify a query parameter that selects users based on arbitrary attributes you define. For example, if you have a country attribute on your users, you can specify a query that returns all users with the same country and create a relation for that whole set instead of for one user at a time.

Check out the ReBAC Docs to learn about creating a schema and relations.

The query field mentioned above takes an AuthzUserQuery, which is defined as follows:

type AuthzUserQuery = {
  tenants?: string[];
  roles?: string[];
  text?: string;
  statuses?: UserStatus[];
  ssoOnly?: boolean;
  withTestUser?: boolean;
  customAttributes?: Record<string, any>;
};

And the relation that takes this query is defined as follows:

type AuthzRelation = {
  resource: string;
  relationDefinition: string;
  namespace: string;
  target?: string;
  targetSetResource?: string;
  targetSetRelationDefinition?: string;
  targetSetRelationDefinitionNamespace?: string;
  query?: AuthzUserQuery;
};

Finally, the code to create a relation with a query is as follows:

const relations: AuthzRelation[] = [
  {
    resource: 'some-doc',
    relationDefinition: 'owner',
    namespace: 'doc',
    target: 'u1',
  },
  {
    resource: 'regional-doc',
    relationDefinition: 'viewer',
    namespace: 'doc',
    query: {
      tenants: ['tenant1', 'tenant2'],
      roles: ['role1', 'role2'],
      ssoOnly: true,
      withTestUser: false,
      customAttributes: {
        country: 'USA',
        department: 'sales',
      },
    },
  },
];

await descopeClient.management.authz.createRelations(relations);
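A query-based relation grants the relation to every user the query matches, so it is worth previewing that set before calling createRelations(). The following is an added example, not Descope's code or API: it evaluates an AuthzUserQuery locally against constructed user records, using assumed matching semantics (all given fields must hold; a list field holds when the user has any listed value) and a hypothetical PreviewUser shape.

```typescript
// Added example, not Descope's code: locally preview which users an
// AuthzUserQuery would match, to review a query-based relation's reach before
// createRelations() grants it. Matching semantics are an assumption: every
// given field must hold (AND); a list field holds if the user has any value.
type UserStatus = 'enabled' | 'disabled' | 'invited';
type AuthzUserQuery = {
  tenants?: string[];
  roles?: string[];
  text?: string;
  statuses?: UserStatus[];
  ssoOnly?: boolean;
  withTestUser?: boolean;
  customAttributes?: Record<string, any>;
};
// Constructed user shape for the preview (hypothetical, not the SDK's type).
type PreviewUser = {
  userId: string; tenants: string[]; roles: string[]; status: UserStatus;
  sso: boolean; test: boolean; customAttributes: Record<string, unknown>;
};

function matchesQuery(u: PreviewUser, q: AuthzUserQuery): boolean {
  const anyOf = (have: string[], want?: string[]) =>
    !want || want.some((w) => have.includes(w));
  if (!anyOf(u.tenants, q.tenants) || !anyOf(u.roles, q.roles)) return false;
  if (q.statuses && !q.statuses.includes(u.status)) return false;
  if (q.ssoOnly && !u.sso) return false;                 // SSO users only
  if (q.withTestUser === false && u.test) return false;  // exclude test users
  if (q.text && !u.userId.includes(q.text)) return false;
  // Every requested custom attribute must match exactly.
  for (const [k, v] of Object.entries(q.customAttributes ?? {})) {
    if (u.customAttributes[k] !== v) return false;
  }
  return true;
}
function previewQuery(users: PreviewUser[], q: AuthzUserQuery): string[] {
  return users.filter((u) => matchesQuery(u, q)).map((u) => u.userId);
}
// Constructed sample users; only 'alice' satisfies every clause of the
// page's 'regional-doc' viewer query.
const usa = { country: 'USA', department: 'sales' };
const sampleUsers: PreviewUser[] = [
  { userId: 'alice', tenants: ['tenant1'], roles: ['role1'], status: 'enabled', sso: true, test: false, customAttributes: usa },
  { userId: 'bob', tenants: ['tenant2'], roles: ['role2'], status: 'enabled', sso: false, test: false, customAttributes: usa },
  { userId: 'carol', tenants: ['tenant3'], roles: ['role1'], status: 'enabled', sso: true, test: false, customAttributes: usa },
  { userId: 'qa-bot', tenants: ['tenant1'], roles: ['role1'], status: 'enabled', sso: true, test: true, customAttributes: usa },
];
const regionalViewerQuery: AuthzUserQuery = {
  tenants: ['tenant1', 'tenant2'], roles: ['role1', 'role2'], ssoOnly: true,
  withTestUser: false, customAttributes: { country: 'USA', department: 'sales' },
};
```

Dropping a single clause such as ssoOnly changes the matched set, which is the kind of over-grant a preview like this is meant to surface before the relation exists.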