Sharing Assets With OBAC
Sharing Access outside your Tenant
Caution: You will only have access to the Access Policies screen if you are a Root User in your organization.
Warning: To use OBAC you will need to share with an external organization.
Organization-Based Access Control (OBAC) policies have a lot in common with Attribute-Based Access Control (ABAC) policies; they apply the same controls with two different classes of Actor.
Where they differ is that OBAC shares only with Root Users of an External Organization; the External Root User must then apply ABAC to establish appropriate access for their own organization’s Non-Root Users.
Adding External Organizations to Allow Sharing
In order to share Assets and their details with another Organization or Tenant, we must first import the ID of the External Organization.
Finding Your Own ID
- As a Root User, navigate to Access Policies.
- Select the Subjects Tab; your Organization's ID is shown in the Self box.
This string is the one you should share with a 3rd Party who wants to share their data with you.
Importing another Organization’s ID
- As a Root User, navigate to Access Policies.
- Select the Subjects Tab and then Import Subject.
- You will be presented with a form; the Subject String is the ID of the Organization with which you wish to share Asset evidence. The Name is a Friendly Name for you to label the imported organization.
Creating an OBAC Policy
OBAC creation uses many of the same steps, filters, controls, and forms as ABAC Policies.
It is possible to mix-and-match ABAC and OBAC Permission Groups in the same policy if you so wish.
- Navigate to the Access Policies section on the Sidebar of the RKVST Dashboard.
- Here you will see any existing policies; select Add Policy.
- When you add a policy the following form will appear:
- Here you can begin applying filters to your Policy for the right assets. In this case, we're going to filter for any Assets in the UK Factory Location created earlier.
- Next, we select the Permissions Tab to set which Organizations can read and write certain Asset attributes, as well as Event visibility.
- In our case, we want the Organization actor, which implies OBAC. Type the Friendly Name of the Organization we wish to share with into the box and we should see a prepopulated drop-down search.
Note: You will need to have imported another Organization’s ID before you can specify a policy to share information with that Organization.
- When the relevant controls are in place, we then add the Permission Group to the policy.
Note we have included the RKVST-significant attributes arc_display_name and arc_display_type, which bring visibility to the Name and Type of the Asset being shared.
- Once complete, submit the policy and check the Asset is shared appropriately; Mandy should only be able to see the Name and Type of the Asset as well as the Asset's custom Weight attribute.
By comparison, our Root User, Jill, can see the full details of the Asset:
- If Mandy wishes to share what she can to Non-Root Users within her organization, it is her responsibility to create an ABAC Policy as she would any other Asset she has access to.
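The two-stage sharing chain described above (Jill's OBAC policy shares a projection of the Asset with Mandy's organization; Mandy's ABAC policy then narrows that projection for her Non-Root Users) can be modelled in a few lines. This is an added illustrative example, not RKVST's implementation or API; the policy field names, the Subject ID `org-mandy` and the users are assumptions chosen to mirror the terms used in this page.

```python
# Toy model of the OBAC -> ABAC chain above; an added example, not RKVST's
# code or API. Policy field names are assumptions mirroring the UI terms.
# Constructed sample Asset owned by Jill's organization.
ASSET = {
    "arc_display_name": "Widget Press 7",
    "arc_display_type": "Machine",
    "arc_home_location": "UK Factory",
    "Weight": "1200kg",
    "SerialNumber": "SN-0001",  # never shared externally
}

# Constructed OBAC policy by Jill (Root User): Organization actor = OBAC.
OBAC_POLICY = {
    "filters": {"arc_home_location": "UK Factory"},
    "permission_groups": [{
        "actor": "organization",
        "subject": "org-mandy",  # imported Subject ID (placeholder value)
        "attributes_read": ["arc_display_name", "arc_display_type", "Weight"],
    }],
}

# Constructed ABAC policy by Mandy (External Root User) for Non-Root User
# Bob; it asks for SerialNumber, which Jill never shared.
ABAC_POLICY = {
    "filters": {"arc_display_type": "Machine"},
    "permission_groups": [{
        "actor": "user",
        "subject": "bob@example.test",
        "attributes_read": ["arc_display_name", "Weight", "SerialNumber"],
    }],
}

def granted_attributes(policy, actor, subject, asset):
    """Attribute names a policy grants `subject` (of kind `actor`) on `asset`."""
    if not all(asset.get(k) == v for k, v in policy["filters"].items()):
        return set()  # asset does not match the policy's filters
    return {a for g in policy["permission_groups"]
            if g["actor"] == actor and g["subject"] == subject
            for a in g["attributes_read"]}

def visible_to_external_root(asset, obac_policy, org_id):
    """External Root User view: only the OBAC-shared attributes."""
    allowed = granted_attributes(obac_policy, "organization", org_id, asset)
    return {k: v for k, v in asset.items() if k in allowed}

def visible_to_external_nonroot(asset, obac_policy, org_id, abac_policy, user):
    """Non-Root view: ABAC runs over the OBAC projection, so it can only narrow."""
    shared = visible_to_external_root(asset, obac_policy, org_id)
    allowed = granted_attributes(abac_policy, "user", user, shared)
    return {k: v for k, v in shared.items() if k in allowed}
```

Bob ends up with only Name and Weight: the SerialNumber he was granted by Mandy's ABAC policy is dropped because Jill's OBAC policy never shared it, and an Asset outside the UK Factory filter yields nothing at either stage.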
There are many possible fine-grained controls and as such ABAC and OBAC Policy Creation is an extensive topic. To find out more, head over to the IAM Policies API Reference.