Managing Access to an Asset With ABAC
Sharing Access within your Tenant
Caution: You will only have access to the Access Policies screen if you are a Root User in your Organization.
Attribute-Based Access Control (ABAC) policies can be used to control access to Assets, their Attributes, and Events within a single Organization.
Specifically, ABAC policies are created by Root Users to share information with Non-Root Users in the same Tenancy.
ABAC policies can be granular: a user can be limited to seeing a single Attribute at a time, if desired.
It is possible to control policies based on types of Assets, their Location, and whether Users can read or write any information in an Asset.
By default, no Non-Root Users will see any existing Assets and Events unless a Root User explicitly creates an ABAC policy to allow it.
Creating an ABAC Policy
Consider the Shipping Container Asset we created. There may be many people within an organization who need access to specific Attributes of the container.
We shall create a policy for someone who needs to share some standard dimensions of the Shipping Container, inspect the cargo, and create Inspect Events.
- Navigate to the Access Policies section on the Sidebar of the RKVST Dashboard.
- Here you will see any existing policies and can select Add Policy.
- When adding a Policy, you will see this form:
- Here you can apply policy filters to the correct Assets. In this case, we shall apply the policy to any Asset in the UK Factory Location created earlier, as well as the type of Asset (Shipping Container).
- Next, we select the Permissions Tab to set Users’ Asset and Event attribute access policy.
- In this example, the User actor implies an ABAC policy, identified by email. Type the relevant email address and hit Enter; you may also see a dropdown list of users within your tenancy.
- Once all relevant details are complete, add the Permission Group to the policy. You may add multiple permission groups per policy if you wish.
Note we have included RKVST-significant attributes: arc_display_name, arc_description, and arc_home_location_identity. arc_* attributes have special significance in RKVST; in this case, respectively, allowing visibility to the Name, Description, and Location of the Asset. Other arc_* attributes are also available.
- Once complete, select Create Policy and check the Asset is appropriately shared.
Bill should only be allowed to see the Asset’s Name, Location, Length, and Weight Attributes.
For comparison with our Root User, Jill:
We can see that Bill can only view the Attributes specified in the policy. He can also see the Event where we updated the Location.
Our Root User, Jill, can see every detail associated with the Asset.
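The access behaviour described above, modelled as an added Python example; it is not RKVST code and does not use the RKVST API. The dictionary layout, function names, email addresses, and the Length, Weight, Cargo and Seal Number values are assumptions made for illustration, as is the rule that grants from several matching permission groups add together.

```python
# Toy model of the behaviour described above; not RKVST code or its API.
# All field names, email addresses and attribute values are constructed.
ROOT_USERS = {"jill@example.com"}

# Policy from the walkthrough: filter on location and asset type, then one
# permission group naming a single user by email.
POLICY = {
    "filters": {"location": "UK Factory", "type": "Shipping Container"},
    "permission_groups": [{
        "users": {"bill@example.com"},
        "attributes_read": {"arc_display_name", "arc_description",
                            "arc_home_location_identity", "Length", "Weight"},
        "event_types_write": {"Inspect"},
    }],
}

ASSET = {
    "location": "UK Factory",
    "type": "Shipping Container",
    "attributes": {
        "arc_display_name": "Shipping Container",
        "arc_home_location_identity": "UK Factory",
        "Length": "6.06m", "Weight": "2200kg",
        "Cargo": "Machine parts", "Seal Number": "SN-0001",
    },
}

def matching_groups(user, asset, policies):
    """Permission groups that name the user, from policies whose filters all match."""
    return [g for p in policies
            if all(asset.get(k) == v for k, v in p["filters"].items())
            for g in p["permission_groups"] if user in g["users"]]

def visible_attributes(user, asset, policies):
    """Root Users see everything; others start from nothing (default deny)."""
    if user in ROOT_USERS:
        return dict(asset["attributes"])
    allowed = set()
    for g in matching_groups(user, asset, policies):
        allowed |= g["attributes_read"]  # assumption: grants are additive
    return {k: v for k, v in asset["attributes"].items() if k in allowed}

def can_write_event(user, asset, policies, event_type):
    """Non-root users may record only the event types a matching group grants."""
    if user in ROOT_USERS:
        return True
    return any(event_type in g["event_types_write"]
               for g in matching_groups(user, asset, policies))
```

Calling `visible_attributes` for a user named in no policy returns an empty dictionary, which is the default-deny case; changing the asset's location so the filter no longer matches has the same effect for Bill.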