ABAC Attributes
Privacera leverages Apache Ranger's support for Attribute-Based Access Control (ABAC) to enable fine-grained, context-aware data access policies. ABAC allows you to define policies using user and group attributes, making access control dynamic and scalable across large, distributed environments.
Supported Attribute Types
Apache Ranger supports the following types of attributes:
1. User Attributes
Policies can reference attributes associated with the authenticated user. These are typically defined in external identity providers and synchronized into Privacera.
Syntax: ${{USER.<attribute_name>}}
Examples:
${{USER.department}} == 'finance'
${{USER.location}} == 'us-west'
A few attributes are available by default, without any synchronization:
- ${{USER._name}}: The username of the authenticated user.
- ${{USER._emailAddress}}: The email address of the authenticated user.
2. Group Membership
You can also define policies based on the groups the user belongs to.
Function: IS_IN_GROUP('<group_name>')
Examples:
IS_IN_GROUP('pii_access')
!(IS_IN_GROUP('contractors'))
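To make the two condition forms above concrete, the following Python evaluator is an added example (not Privacera or Apache Ranger code) that models how such a condition is decided against a user context: the ${{USER.<attr>}} macro is rewritten into a call on a bound attribute map, IS_IN_GROUP() becomes a membership test, and the condition is parsed into an AST restricted to string comparisons, boolean operators and those two calls, so attribute values coming from the identity provider are never spliced into the expression text. The helper name USER_ATTR and the two user contexts are constructed for this example. It also shows a caveat worth knowing when writing policies: a missing attribute fails an equality test (deny), but it satisfies a != test, so negative conditions on attributes that are not guaranteed to be synchronized grant more than intended.

```python
"""Toy evaluator for Ranger-style ABAC policy conditions (added example, not Ranger code)."""
import ast
import re
from typing import Mapping, Set

# ${{USER.department}}  ->  USER_ATTR('department')   (USER_ATTR is a constructed helper name)
_USER_MACRO = re.compile(r"\$\{\{USER\.([A-Za-z_][A-Za-z0-9_]*)\}\}")

# Node types a translated condition may contain; anything else is rejected.
_ALLOWED_NODES = (
    ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not,
    ast.Compare, ast.Eq, ast.NotEq, ast.Call, ast.Name, ast.Load, ast.Constant,
)
_ALLOWED_FUNCTIONS = {"USER_ATTR", "IS_IN_GROUP"}


def translate(condition: str) -> str:
    """Rewrite the page's condition syntax into a restricted Python expression.

    Operators are rewritten textually, so '!' or '&&' inside a quoted value
    would be rewritten too; values used in real policies should avoid them.
    """
    expr = _USER_MACRO.sub(r"USER_ATTR('\1')", condition)
    expr = expr.replace("&&", " and ").replace("||", " or ")
    # A lone '!' is negation; '!=' must stay untouched.
    expr = re.sub(r"!(?!=)", " not ", expr)
    return expr


def parse(condition: str) -> ast.Expression:
    """Parse and validate a condition; raise ValueError on anything outside the grammar."""
    tree = ast.parse(translate(condition), mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise ValueError(f"disallowed syntax in condition: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in _ALLOWED_FUNCTIONS:
            raise ValueError(f"unknown identifier: {node.id}")
        if isinstance(node, ast.Constant) and not isinstance(node.value, str):
            raise ValueError("only string literals are allowed")
        if isinstance(node, ast.Call):
            if (not isinstance(node.func, ast.Name) or len(node.args) != 1
                    or node.keywords or not isinstance(node.args[0], ast.Constant)):
                raise ValueError("calls must be USER_ATTR('x') or IS_IN_GROUP('x')")
    return tree


def evaluate(condition: str, attributes: Mapping[str, str], groups: Set[str]) -> bool:
    """Return True only if the condition holds for this user context."""
    tree = parse(condition)
    env = {
        # A missing attribute resolves to None, so "== 'value'" fails (deny)
        # while "!= 'value'" succeeds; that asymmetry is the caveat above.
        "USER_ATTR": lambda name: attributes.get(name),
        "IS_IN_GROUP": lambda name: name in groups,
    }
    return bool(eval(compile(tree, "<condition>", "eval"), {"__builtins__": {}}, env))


# Constructed sample user contexts (not real data).
ALICE = {"attributes": {"_name": "alice", "department": "finance", "location": "us-west"},
         "groups": {"pii_access", "analysts"}}
BOB = {"attributes": {"_name": "bob"}, "groups": {"contractors"}}


def allowed(condition: str, user: dict) -> bool:
    """Decide a policy condition for one of the sample users."""
    return evaluate(condition, user["attributes"], user["groups"])


if __name__ == "__main__":
    for cond in ["${{USER.department}} == 'finance'",
                 "IS_IN_GROUP('pii_access') && !(IS_IN_GROUP('contractors'))",
                 "${{USER.department}} != 'contractor'"]:
        print(f"{cond:62} alice={allowed(cond, ALICE)} bob={allowed(cond, BOB)}")
```

The grammar whitelist is the important design choice: a condition is trusted policy configuration, but the evaluator still refuses attribute access, arithmetic or arbitrary names, so a mistyped or over-clever condition fails closed with an error instead of evaluating to something unexpected.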
Where Attributes Can Be Used
You can use user and group attributes in the following policy types:
Policy Type | Attribute Support |
---|---|
Resource Access Policies | ✅ User Attributes, ✅ Group Membership |
Row-Level Filter Policies | ✅ User Attributes, ✅ Group Membership |
Column Masking Policies | ✅ User Attributes, ✅ Group Membership |
Tag-Based Policies | ✅ User Attributes, ✅ Group Membership |
Defining Attributes
User attributes must be synchronized to Privacera via supported identity systems such as:
- LDAP/AD
- SAML
- SCIM
- Custom REST Sync
- Privacera Portal
Once synchronized, they can be referenced directly in Ranger policies using the ${{USER.<attribute>}} and IS_IN_GROUP() syntax.
Best Practices
- Use attribute-based policies to minimize the number of static rules.
- Combine attributes with tag-based policies to enforce layered access control.