Sharing Assets With OBAC

Sharing Access outside your Tenant

Caution: You will only have access to the Access Policies screen if you are a Root User in your organization.

Warning: To use OBAC you will need to share with an external organization.

Organization-Based Access Control (OBAC) policies have a lot in common with Attribute-Based Access Control (ABAC) policies; they apply the same controls with two different classes of Actor.

Where they differ is that OBAC shares only with Root Users of an External Organization; the External Root User must then apply ABAC to establish appropriate access for their own organization’s Non-Root Users.

Adding External Organizations to Allow Sharing#

In order to share Assets and their details with another Organization or Tenant, we must first import the ID of the External Organization.

Finding Your Own ID#

1. As a Root User, navigate to Access Policies

2. Select the Subjects Tab and your Organization’s ID will be contained within the Self box.

This string is the one you should share with a 3rd Party who wants to share their data with you.

Importing another Organization’s ID#

1. As a Root User, navigate to Access Policies.

2. Select the Subjects Tab and then Import Subject.

3. You will be presented with a form; the Subject String is the ID of the Organization with which you wish to share Asset evidence. The Name is a Friendly Name for you to label the imported organization.

Creating an OBAC Policy#

OBAC creation uses many of the same steps, filters, controls, and forms as ABAC Policies.

It is possible to mix-and-match ABAC and OBAC Permission Groups in the same policy if you so wish.

1. Navigate to the Access Policies section on the Sidebar of the RKVST Dashboard.

2. Here you will see any existing policies, select Add Policy.

3. When you add a policy the following form will appear:

4. Here you can begin applying filters to your Policy for the right assets. In this case, we’re going to filter for any Assets in the UK Factory Location created earlier.

5. Next, we select the Permissions Tab to set which Organizations can read and write certain Asset attributes, as well as Event visibility.

6. In our case, we want the Organization actor, which implies OBAC. Type the Friendly Name of the Organization we wish to share with into the box and we should see a prepopulated drop-down search.

Note: You will need to have imported another Organization’s ID before you can specify a policy to share information with that Organization.

7. When the relevant controls are in place, we then add the Permission Group to the policy.

Note we have included RKVST-significant atributes: arc_display_name and arc_display_type which brings visibility to the Name and Type of Asset being shared.

8. Once complete, submit the policy and check the Asset is shared appropriately; Mandy should only be able to see the Name and Type of Asset as well as the Asset’s custom Weight attribute.

By comparison, our Root User, Jill, can see the full details of the Asset:

9. If Mandy wishes to share what she can to Non-Root Users within her organization, it is her responsibility to create an ABAC Policy as she would any other Asset she has access to.

There are many possible fine-grained controls and as such ABAC and OBAC Policy Creation is an extensive topic. To find out more, head over to the IAM Policies API Reference.

Edit this page on GitHub