The ABAC pattern controls access based on resource attributes like status, visibility, or classification. Use ABAC when permissions depend on dynamic properties rather than fixed roles.

When to use ABAC:
  • Resources have different visibility levels (public, private, confidential)
  • Access depends on resource state (draft, published, archived)
  • Geographic or time-based restrictions apply
  • Complex conditional logic combines multiple attributes
RBAC vs ABAC: Use RBAC for stable organizational roles. Use ABAC when access rules change based on resource properties or context.

Public or private resources

Control access based on resource visibility. Public resources are readable by anyone; private resources require specific permissions.

actor User { }
resource Repository {
  permissions = ["read"];

  "read" if is_public(resource);
}

test "public repositories" {
  setup {
    is_public(Repository{"anvil"});
  }

  assert allow(User{"alice"}, "read", Repository{"anvil"});
}
Ensure your application sets the appropriate attribute when creating resources.
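
The policy above only exercises the public path. The following added example (not part of the original page) extends it to the private case and tests the deny path as well; the `member` role, the user `bob`, and the repository `payroll` are hypothetical names chosen for illustration.

```polar
actor User { }

resource Repository {
  roles = ["member"];        # hypothetical role, not from the original page
  permissions = ["read"];

  # Private path: only users holding the role on this repository can read it.
  "read" if "member";

  # Public path: any user can read a repository marked public.
  "read" if is_public(resource);
}

test "public and private repositories" {
  setup {
    # Constructed sample facts: "anvil" is public, "payroll" is not.
    is_public(Repository{"anvil"});
    has_role(User{"bob"}, "member", Repository{"payroll"});
  }

  # Anyone can read the public repository.
  assert allow(User{"alice"}, "read", Repository{"anvil"});
  assert allow(User{"bob"}, "read", Repository{"anvil"});

  # Only the member can read the private repository.
  assert allow(User{"bob"}, "read", Repository{"payroll"});
  assert_not allow(User{"alice"}, "read", Repository{"payroll"});
}
```

The `assert_not` line is the one that catches a repository being marked public by mistake: if an `is_public` fact is ever written for `payroll`, that assertion fails.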

Common ABAC patterns

Explore these additional attribute-based patterns:

| Pattern | Description |
| --- | --- |
| Entitlements | Grant access based on subscription tiers or purchased features |
| Time-based access | Grant roles and permissions that are time-bounded and can expire |
| Conditional roles | Assign roles based on conditions like default roles and feature toggles |

Next steps

With your ABAC policy defined:
  1. Add facts: Store resource attributes and user context in Oso Cloud
  2. Make authorization requests: Check permissions in your application code
  3. Test scenarios: Verify policies work with different attribute combinations