Sharing Assets With OBAC

Sharing Access outside your Tenant

Caution: You will only have access to the Access Policies screen if you are a Root User in your organization.
Warning: To use OBAC you will need to share with an external organization.

Organization-Based Access Control (OBAC) policies have a lot in common with Attribute-Based Access Control (ABAC) policies; they apply the same controls with two different classes of Actor.

Where they differ is that OBAC shares only with Root Users of an External Organization; the External Root User must then apply ABAC to establish appropriate access for their own organization’s Non-Root Users.

Adding External Organizations to Allow Sharing

In order to share Assets and their details with another Organization or Tenant, we must first import the ID of the External Organization.

Finding Your Own ID

  1. As a Root User, navigate to Access Policies
Managing Policies
  1. Select the Subjects Tab and your Organization’s ID will be contained within the Self box.

This string is the one you should share with a 3rd Party who wants to share their data with you.

Managing Policies

Importing another Organization’s ID

  1. As a Root User, navigate to Access Policies.
Managing Policies
  1. Select the Subjects Tab and then Import Subject.
Importing a Subject
  1. You will be presented with a form; the Subject String is the ID of the Organization with which you wish to share Asset evidence. The Name is a Friendly Name for you to label the imported organization.
Adding the Subject

Creating an OBAC Policy

OBAC creation uses many of the same steps, filters, controls, and forms as ABAC Policies.

It is possible to mix-and-match ABAC and OBAC Permission Groups in the same policy if you so wish.

  1. Navigate to the Access Policies section on the Sidebar of the RKVST Dashboard.
Managing Policies
  1. Here you will see any existing policies, select Add Policy.
Adding a Policy
  1. When you add a policy the following form will appear:
Policy Web Form
  1. Here you can begin applying filters to your Policy for the right assets. In this case, we’re going to filter for any Assets in the UK Factory Location created earlier.
Filtering for specific Assets and Locations
  1. Next, we select the Permissions Tab to set which Organizations can read and write certain Asset attributes, as well as Event visibility.
Default view of Policy Permissions
  1. In our case, we want the Organization actor, which implies OBAC. Type the Friendly Name of the Organization we wish to share with into the box and we should see a prepopulated drop-down search.
Note: You will need to have imported another Organization’s ID before you can specify a policy to share information with that Organization.
Adding a specific User to a Policy
  1. When the relevant controls are in place, we then add the Permission Group to the policy.

Note we have included RKVST-significant atributes: arc_display_name and arc_display_type which brings visibility to the Name and Type of Asset being shared.

Permitted Attributes on an Asset
  1. Once complete, submit the policy and check the Asset is shared appropriately; Mandy should only be able to see the Name and Type of Asset as well as the Asset’s custom Weight attribute.
Mandy's view as a Root User of the External Organization

By comparison, our Root User, Jill, can see the full details of the Asset:

Jill's view as a Root User
  1. If Mandy wishes to share what she can to Non-Root Users within her organization, it is her responsibility to create an ABAC Policy as she would any other Asset she has access to.

There are many possible fine-grained controls and as such ABAC and OBAC Policy Creation is an extensive topic. To find out more, head over to the IAM Policies API Reference.

Edit this page on GitHub