
ABAC Attributes

Privacera leverages Apache Ranger's support for Attribute-Based Access Control (ABAC) to enable fine-grained, context-aware data access policies. ABAC allows you to define policies using user, group, and role attributes, making access control dynamic and scalable across large, distributed environments.

Supported Attribute Types

Apache Ranger supports the following types of attributes:

1. User Attributes

Policies can reference attributes associated with the authenticated user. These are typically defined in external identity providers and synchronized into Privacera.

Syntax: ${{USER.<attribute_name>}}

Examples:

  • ${{USER.department}} == 'finance'
  • ${{USER.location}} == 'us-west'

A few user attributes are available by default without synchronization:

  • ${{USER._name}}: The username of the authenticated user.
  • ${{USER._emailAddress}}: The email address of the authenticated user.

2. Role Attributes

Policies can also reference attributes associated with the roles assigned to a user. This lets attributes be managed centrally at the role level rather than on individual users: every user holding the role evaluates against the same values.

Syntax:

  • GET_UR_ATTR('<attribute_name>') - Get the value of a role attribute
  • GET_UR_ATTR_Q('<attribute_name>') - Get the value of a role attribute as a quoted string literal, for use inside row-level filter and masking expressions where the value is substituted into the data source's expression
  • HAS_UR_ATTR('<attribute_name>') - Check whether any of the user's roles defines the attribute
  • URATTR['<RoleName>'].<attribute_name> - Access a specific role's attribute value

Examples:

  • GET_UR_ATTR('department') == 'finance'
  • HAS_UR_ATTR('data_clearance')
  • URATTR['Role-1'].location == 'us-west'

A few role attributes are available by default:

  • URATTR['<RoleName>']._name: The name of the role (automatically added for all roles)

Benefits of Role Attributes:

  • Simplified Management: Define attributes once at the role level instead of for each user
  • Consistency: All users with a role automatically inherit the same attribute values
  • Dynamic Updates: Changing a role's attributes automatically affects all users with that role
  • Reduced Administrative Overhead: Fewer attribute assignments to manage

3. Group Membership

You can also define policies based on the groups the user belongs to.

Function: IS_IN_GROUP('<group_name>')

Examples:

  • IS_IN_GROUP('pii_access')
  • !(IS_IN_GROUP('contractors'))
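The three attribute types above are resolved against the user making the request: user attributes from the synchronized user record, role attributes from every role the user holds, and group membership from the group list. The following is an added example, not Privacera or Apache Ranger code: a small evaluator that binds the documented macro names (USER, URATTR, GET_UR_ATTR, GET_UR_ATTR_Q, HAS_UR_ATTR, IS_IN_GROUP) to a constructed request and runs the page's own example expressions through it, both as policy conditions and as substitutions inside a row-level filter. The sample user "alice", the roles "Role-1" and "Role-2", the group names and every attribute value are constructed for illustration; where several roles carry the same attribute, the toy returns the first match, which is a simplification the page does not specify.

```javascript
// Added example (not Privacera or Apache Ranger code): a toy evaluator for the
// macros documented above, showing how a condition or row filter resolves
// against one request. The request below is constructed sample data; the role
// names "Role-1"/"Role-2" and the user "alice" are assumptions.

const sampleRequest = {
  // Synchronized user attributes; _name and _emailAddress are the built-ins.
  user: { _name: "alice", _emailAddress: "alice@example.com",
          department: "finance", location: "us-west" },
  groups: ["pii_access", "analysts"],
  // Role attributes; _name is added automatically for every role.
  roles: {
    "Role-1": { _name: "Role-1", department: "finance", location: "us-west" },
    "Role-2": { _name: "Role-2", data_clearance: "confidential" },
  },
};

// Wrap a value as a SQL single-quoted literal, doubling embedded quotes so an
// attribute value synchronized from an identity source cannot close the literal
// and append its own predicate to the generated filter.
function sqlQuote(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Bind the macro functions described above to a request context.
function buildScope(req) {
  const valuesFromRoles = (name) =>
    Object.values(req.roles).filter((r) => name in r).map((r) => r[name]);
  return {
    USER: req.user,                         // ${{USER.<attr>}}
    URATTR: req.roles,                      // URATTR['<RoleName>'].<attr>
    // Toy behaviour: first matching role wins when several roles set the same
    // attribute; this page does not specify how the real engine combines them.
    GET_UR_ATTR: (name) => valuesFromRoles(name)[0] ?? null,
    GET_UR_ATTR_Q: (name) => valuesFromRoles(name).map(sqlQuote).join(", "),
    HAS_UR_ATTR: (name) => valuesFromRoles(name).length > 0,
    IS_IN_GROUP: (group) => req.groups.includes(group),
  };
}

const MACRO = /\$\{\{(.*?)\}\}/g;

// Evaluate a JavaScript expression with only the macro names in scope.
// The expression text is trusted, administrator-authored policy, never
// end-user input; the attribute VALUES are the untrusted part.
function evalInScope(expr, scope) {
  const names = Object.keys(scope);
  const fn = new Function(...names, "return (" + expr + ");");
  return fn(...names.map((n) => scope[n]));
}

// Policy condition: each ${{expr}} is unwrapped and the whole text is
// evaluated as a boolean, e.g. "${{USER.department}} == 'finance'".
function evaluateCondition(condition, req = sampleRequest) {
  const scope = buildScope(req);
  const expr = condition.replace(MACRO, (_, inner) => "(" + inner + ")");
  return Boolean(evalInScope(expr, scope));
}

// Row-level filter: each ${{expr}} is replaced by its value, producing the
// filter text handed to the data source, e.g. "owner = '${{USER._name}}'".
function renderRowFilter(filter, req = sampleRequest) {
  const scope = buildScope(req);
  return filter.replace(MACRO, (_, inner) => String(evalInScope(inner, scope)));
}

// Stand-alone run: evaluate the page's example expressions for "alice".
for (const c of [
  "${{USER.department}} == 'finance'",
  "GET_UR_ATTR('department') == 'finance'",
  "HAS_UR_ATTR('data_clearance')",
  "URATTR['Role-1'].location == 'us-west'",
  "!(IS_IN_GROUP('contractors'))",
]) {
  console.log(c, "->", evaluateCondition(c));
}
console.log(renderRowFilter("location IN (${{GET_UR_ATTR_Q('location')}})"));
console.log(renderRowFilter("owner = '${{USER._name}}'"));
```

The point to notice is the difference between a condition and a filter: a condition is evaluated inside the policy engine and yields true or false, whereas a row-filter macro is textually substituted into an expression that the data source will parse. That is why the quoted form exists and why the value of every attribute that reaches a filter is worth treating as untrusted input from the identity source.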

Where Attributes Can Be Used

You can use user, role, and group attributes in the following policy types:

Policy Type                  Attribute Support
Resource Access Policies     ✅ User Attributes, ✅ Role Attributes, ✅ Group Membership
Row-Level Filter Policies    ✅ User Attributes, ✅ Role Attributes, ✅ Group Membership
Column Masking Policies      ✅ User Attributes, ✅ Role Attributes, ✅ Group Membership
Tag-Based Policies           ✅ User Attributes, ✅ Role Attributes, ✅ Group Membership

Defining Attributes

User Attributes

User attributes must be synchronized to Privacera from one of the supported sources, either an external identity system or the Privacera Portal itself:

  • LDAP/AD
  • SAML
  • SCIM
  • Custom REST Sync
  • Privacera Portal

Once synchronized, they can be referenced directly in Ranger policies using the ${{USER.<attribute>}} syntax.

Role Attributes

Role attributes can be defined and managed directly in Privacera Portal. Unlike user attributes, role attributes are managed centrally and do not require external identity provider synchronization.

How to Define Role Attributes:

  1. Navigate to the Roles section in Privacera Portal
  2. Select a role or create a new one
  3. Add custom attributes to the role (e.g., department, data_clearance, region)
  4. Assign users to the role

Once defined, role attributes can be referenced in policies using the role-attribute syntax described above: GET_UR_ATTR('<attribute>'), GET_UR_ATTR_Q('<attribute>'), HAS_UR_ATTR('<attribute>'), or URATTR['<RoleName>'].<attribute>.

Example Use Cases:

  • Assigning department-level access by defining department attribute on roles
  • Implementing tiered data access by defining data_clearance levels on roles
  • Regional data restrictions by defining region attribute on roles

Best Practices

  • Use attribute-based policies to minimize the number of static rules.
  • Combine attributes with tag-based policies to enforce layered access control.
  • Prefer role attributes over user attributes when multiple users need the same attribute values; this reduces administrative overhead.
  • Use user attributes for individual-specific properties (e.g., email, employee ID).
  • Use role attributes for job function or group-based properties (e.g., department, clearance level).
  • Treat the source of an attribute as part of the policy's trust boundary: whoever can change a synchronized user attribute or edit a role's attributes can change what a policy grants, so restrict write access to those sources as carefully as to the policies themselves.