Using Attribute-based access control (ABAC)

Attribute-based access control (ABAC) is an authorization model that evaluates attributes, rather than roles, to decide whether to grant access. With ABAC, the policy server can grant or deny decryption based on attributes carried as custom claims in the authentication JWT issued by the identity provider (IDP), such as the user's location, the user's age or the sensitivity of the data.

The policy server compares the following attributes:

  • The custom claims issued to the user by the IDP in the authentication JWT,

  • The attributes of the 'decrypt' route (i.e., the body dataAttributes). These attributes can either be attached to the data with the Stormshield SDK, or be sent along with the data request in the optional "policy" property.

If the attributes do not match, access is denied and the user is not allowed to decrypt the data.

The policy.rego file below is an example of an ABAC policy on the 'decrypt' route. It compares the location custom claim of the authentication JWT with the location attribute in the request:

package cse
import future.keywords.if
import future.keywords.in

# Deny by default
default allow := false

# Allow all routes except decrypt
allow if {
    not input.endpoint in ["decrypt"]
}

# Allow decrypt when a data attribute's location matches the user's location claim
allow if {
    input.endpoint in ["decrypt"]
    some attribute in input.policy.body.dataAttributes
    attribute.location == input.authentication.customClaims.location
}

In this example, if:

  • the 'decrypt' request contains the attribute location:France,

  • the JWT contains the custom claim location:France,

then decryption is allowed.

However, if:

  • the 'decrypt' request contains the attribute location:France,

  • the JWT contains the custom claim location:Germany,

then decryption is denied. Decryption is also denied when the JWT carries no location claim at all, because the comparison is then undefined and no allow rule fires.
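The policy above grants decryption as soon as one entry of dataAttributes matches, because `some attribute in ...` succeeds on the first match. The policy below is an added example, not Stormshield's own code, showing the stricter variant a practitioner usually wants: every attribute attached to the data must be satisfied, and two claims are checked at once (an exact location match and an ordered sensitivity/clearance comparison). The sensitivity and clearance values, and the attribute field names other than location, are assumptions for the sake of the example; the input layout (input.endpoint, input.authentication.customClaims, input.policy.body.dataAttributes) follows the page. The trailing test rules can be run with `opa test .` to confirm the expected decisions offline.

```rego
package cse

import future.keywords.if
import future.keywords.in
import future.keywords.every

# Deny by default
default allow := false

# Routes other than decrypt are not subject to ABAC in this example
allow if {
    not input.endpoint in ["decrypt"]
}

# decrypt: every attribute carried by the data must be matched by the caller's claims.
# `every` is vacuously true on an empty list, so an explicit non-empty guard keeps
# data without attributes from being decryptable by anyone.
allow if {
    input.endpoint in ["decrypt"]
    count(input.policy.body.dataAttributes) > 0
    every attribute in input.policy.body.dataAttributes {
        attribute_matches(attribute)
    }
}

# Assumed attribute shape: {"location": "<country>", "sensitivity": "<level>"}.
# A missing or unknown field makes the lookup undefined, which denies (fail closed).
attribute_matches(attribute) if {
    attribute.location == input.authentication.customClaims.location
    clearance_level := sensitivity_rank[input.authentication.customClaims.clearance]
    data_level := sensitivity_rank[attribute.sensitivity]
    clearance_level >= data_level
}

# Assumed ordering of sensitivity labels (higher rank = more sensitive)
sensitivity_rank := {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Constructed inputs, run with `opa test .`
test_decrypt_allowed_when_all_attributes_match if {
    allow with input as {
        "endpoint": "decrypt",
        "authentication": {"customClaims": {"location": "France", "clearance": "confidential"}},
        "policy": {"body": {"dataAttributes": [
            {"location": "France", "sensitivity": "internal"},
            {"location": "France", "sensitivity": "confidential"}
        ]}}
    }
}

test_decrypt_denied_when_one_attribute_mismatches if {
    not allow with input as {
        "endpoint": "decrypt",
        "authentication": {"customClaims": {"location": "France", "clearance": "secret"}},
        "policy": {"body": {"dataAttributes": [
            {"location": "France", "sensitivity": "internal"},
            {"location": "Germany", "sensitivity": "internal"}
        ]}}
    }
}

test_decrypt_denied_when_clearance_too_low if {
    not allow with input as {
        "endpoint": "decrypt",
        "authentication": {"customClaims": {"location": "France", "clearance": "internal"}},
        "policy": {"body": {"dataAttributes": [{"location": "France", "sensitivity": "secret"}]}}
    }
}

test_decrypt_denied_when_claim_missing if {
    not allow with input as {
        "endpoint": "decrypt",
        "authentication": {"customClaims": {"location": "France"}},
        "policy": {"body": {"dataAttributes": [{"location": "France", "sensitivity": "public"}]}}
    }
}

test_decrypt_denied_without_attributes if {
    not allow with input as {
        "endpoint": "decrypt",
        "authentication": {"customClaims": {"location": "France", "clearance": "secret"}},
        "policy": {"body": {"dataAttributes": []}}
    }
}

test_other_routes_allowed if {
    allow with input as {"endpoint": "encrypt"}
}
```

Two design points are worth keeping when adapting this: keep `default allow := false` so that any undefined comparison (missing claim, unknown label) denies rather than errors into an allow, and prefer `every` over `some` whenever the data carries more than one attribute, otherwise a single permissive entry in dataAttributes is enough to unlock the whole object.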