Attribute Based Access Control (ABAC)

Modified on Thu, 3 Aug, 2023 at 2:27 PM

Introduction what is ABAC?

Attribute-based access control (ABAC) is a model of authorisation that evaluates attributes, rather than roles, to determine access. It is a method of implementing access control policies that is highly adaptable and can be customized using a wide range of attributes, making it suitable for different environments. 


ABAC provides access to users based on who they are rather than what they do, allowing for the assignment of consistent subject and object attributes into security policies. 

This eliminates the need for explicit authorizations to individuals’ subjects needed in a non-ABAC access method, reducing the complexity of managing access lists and groups.


ABAC in Torsion


Security Rules are the essential part of ABAC within the Torsion system. They provide data owners with the ability to customise the security settings of their data, allowing them to control who can access and interact with their sensitive information. 



Each Security Rule consists of one or more Security Rule Dimensions. A Security Rule Dimension is a link to a user source field, such as 'Job Title' or 'City.' The Security Rule Dimension then has a set of options that correspond to the data in that user source field. For example, a Security Rule Dimension linked to 'Job Title' may have a set of options such as 'HR Manager', 'IT Manager', 'Accountant', and so on. To create a Security Rule, an administrator must select one or more Security Rule Dimensions and their corresponding options. For example, a Security Rule may be created with the Dimension 'Job Title' and the option 'HR Manager', meaning that the Security Rule applies to all users with the Job Title 'HR Manager'.



Security Rules in Torsion are criteria which describe a set of people in the organisation. 


EXAMPLE:  Users whose Job Title equals 'HR Manager'


Adding a Security Rule Dimension


A Security Rule Dimension must first be created before those Business Users with the ability to manage permissions on Information Resources can create Security Rules. To accomplish this, use the "Add Security Rule Dimension" wizard.

Title, Description and Logo

Users can see the Title, Description, and Logo, which should be a simple and descriptive term for what the Security Rule Dimension Rule represents. Titles must be unique, and Torsion will not allow duplicate Security Rule Dimensions to be created.


The Preposition

When creating Security Rules, the preposition is used to build a description. e.g. setting the preposition to be 'in' for the Country someone is based would create a descriptive rule which says "As a person in United States of America". The preposition is necessary for creating meaningful descriptions that make sense in a normal sentence.


Auto Enable
By selecting Auto Enable, you ensure that this Security Rule Dimension is automatically enabled for new Storage Areas.


User Source

The User Source specifies where Torsion should get data for a Security Rule Dimension. A User Source field can only be used in one Security Rule Dimension at a time and must be configured to be used for Security Rule Dimensions.

EXAMPLE: The User Source is M365's Azure Active Directory and the Attribute Field is City



Option Groups

Option Groups allow for the logical grouping of options that are similar. If the User Source field is "Department," and there are three departments called "IT Desktop Support," "IT Helpdesk," and "IT Development," creating an Option Group called "IT" would allow users to quickly select all relevant Departments.


Important!

Option Groups should only be used as a convenient way to group options together. The addition or removal of options from a group has no effect on permissions.


See below for instructions on how to create a Security Dimension Option that contains any number of possible options.


Options

Security Dimension Options are all of the values that are available to users when creating a Security Rule. It is made up of all of the User Source's possible values and can contain one or more values.


For example, if "United States of America", "USA", and "United States" are listed as the country for a number of users in your Active Directory, administrators can select all of these values and map them to a single option called "United States of America", making permissions assignment simpler and more precise.


Furthermore, if you create an option called "Everyone in IT" and use the values "IT Desktop Support," "IT Helpdesk," and "IT Development" as possible values, Torsion will ensure that only the appropriate people have access.


Existing Security Dimension Options can be changed or deleted from this page. If the delete button is greyed out, it means that it is currently in use somewhere in your Information Estate. View References can help you figure out where it's being used.


Details

Finally, before committing any changes, this tab provides a summary of what is to be created/altered. Review this page before proceeding. Once you press ‘OK’, Torsion will enact those changes.

Depending on the size of your Information System, and the number of new Security Dimension Options, this may take a while, as Torsion calculates all of the relevant permutations. At this point, it is perfectly safe to continue to do other tasks.


Deleting a Security Rule Dimension




The 'Manage' dialogue is used to delete Security Rule Dimensions. 


The 'Delete Security Rule Dimension' button may be greyed out and disabled when you open the dialogue. 



If this is the case, use View References to see where it is being used and remove any Security Rules before continuing. Once all instances have been eliminated, the Security Rule can be deleted.


Managing Activation of Security Rule Dimensions



Torsion Console Administrators can choose which Security Rule Dimensions are available in each Storage Area by clicking the "Manage Activation for Storage Areas" button. 



Administrators may not want to enable Security Rules in specific locations, or may only want to allow "City" in a specific Storage Area. Check boxes can be selected or deselected to give users fine-grained control over what appears to them.





NOTE: Removing a specific Security Rule Dimension from a Storage Area has no effect on permissions but prevents it from being used in any future rules.


Ordering Dimensions



The order in which the Security Rule Dimensions appear in the Sharing & Security Dialog is determined by the order in which they appear in the Security Rule Dimensions Tab. 



To change the ordering, click 'Manage Ordering' and then drag and drop the Security Rule Dimensions on the page before clicking OK to save your changes.



Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article