Privacera Platform master publication

Use Macros with Attribute-Based Access Control

Attribute-based access control (ABAC) supports a number of macros to make it easier to write frequently-used conditions.

The following table lists macros provided by Privacera for ABAC:

Table 60.

| Name | Description | Sample Usage |
|---|---|---|
| USER | User accessing the resource. | USER.dept == 'finance'; /department/${{USER.dept}} |
| TAG | Current tag; use only in a tag-based policy. | TAG.piiType == 'email' |
| UGNAMES | Names of the groups the user belongs to. | UGNAMES.indexOf('interns') == -1 |
| URNAMES | Names of the roles the user belongs to. | URNAMES.indexOf('admin') != -1 |
| TAGNAMES | Names of the tags associated with the accessed resource. | TAGNAMES.indexOf('PII') != -1; TAGNAMES.indexOf('FINANCE') |
| UG_NAMES_Q_CSV | Quoted names of the groups the user belongs to, separated by commas. For example: 'grp1','grp2' | Row filter: group_name in (${{UG_NAMES_Q_CSV}}) |
| UR_NAMES_Q_CSV | Quoted names of the roles the user belongs to, separated by commas. For example: 'role1','role2' | Row filter: role_name in (${{UR_NAMES_Q_CSV}}) |
| GET_UG_ATTR_Q_CSV | Quoted values of an attribute of the groups the user belongs to, separated by commas. For example: 'store1','store2' | Row filter: store_name in (${{GET_UG_ATTR_Q_CSV('managesStore')}}) |
| IS_IN_GROUP | User accessing the resource belongs to a specific group. | IS_IN_GROUP('sales') |
| IS_IN_ROLE | User accessing the resource belongs to a specific role. | IS_IN_ROLE('accounts') |
| HAS_TAG | Resource being accessed has a specific tag. | (HAS_TAG('PERSON_NAME')) |
| HAS_USER_ATTR | User accessing the resource has a specific user attribute. | HAS_USER_ATTR('activities') |
| HAS_UG_ATTR | User accessing the resource has a specific group attribute. | HAS_UG_ATTR('marketing') |
| HAS_TAG_ATTR | Resource being accessed has a specific tag attribute. | (HAS_TAG_ATTR('identification')) |



It is sometimes necessary to set up permissions for users who do or do not belong to any group or any role. The following macros make it easier to create those permissions:

Table 61.

| Name | Description | Sample usage |
|---|---|---|
| IS_IN_ANY_GROUP | Can be used in policy conditions of ALLOW/DENY policy items. Returns true if the user who is accessing the resource is a member of any group. | IS_IN_ANY_GROUP |
| IS_IN_ANY_ROLE | Can be used in policy conditions of ALLOW/DENY policy items. Returns true if the user who is accessing the resource has any role. | IS_IN_ANY_ROLE |
| IS_NOT_IN_ANY_GROUP | Can be used in policy conditions of ALLOW/DENY policy items. Returns true if the user who is accessing the resource does not belong to any group. | IS_NOT_IN_ANY_GROUP |
| IS_NOT_IN_ANY_ROLE | Can be used in policy conditions of ALLOW/DENY policy items. Returns true if the user who is accessing the resource does not have any role. | IS_NOT_IN_ANY_ROLE |



The following macros make it easier to check whether the current resource has any tags:

Table 62.

| Name | Description | Sample usage |
|---|---|---|
| HAS_ANY_TAG | Can be used in policy conditions of ALLOW/DENY policy items. Returns true if the resource being accessed has any tags. | HAS_ANY_TAG |
| HAS_NO_TAG | Can be used in policy conditions of ALLOW/DENY policy items. Returns true if the resource being accessed does not have any tags. | HAS_NO_TAG |
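The block below is an added illustration, not Privacera's code: it models the macro context that Tables 60 to 62 describe (group, role, tag and attribute lookups, the quoted CSV expansions, and the any/none checks) so the sample conditions and row filters above can be evaluated offline against a constructed user and resource. The quoting rule, the evaluation helpers and the sample data are assumptions of this example; the TAG macro of tag-based policies is not modelled.

```javascript
// Added illustration, not Privacera's engine: a small model of the macro context that the
// tables above describe, so the sample conditions can be evaluated offline. All data is constructed.
function makeContext(user, resource) {
  const groups = user.groups || [];   // [{ name, attrs }]
  const roles = user.roles || [];     // ['role', ...]
  const attrs = user.attrs || {};
  const tags = resource.tags || {};   // { tagName: { attrName: value } }
  const q = (v) => `'${String(v).replace(/'/g, "''")}'`; // assumed SQL-style quoting for the *_Q_CSV macros
  // TAG (the current tag of a tag-based policy) is evaluated once per tag and is not modelled.
  return {
    USER: attrs,
    UGNAMES: groups.map((g) => g.name),
    URNAMES: roles.slice(),
    TAGNAMES: Object.keys(tags),
    UG_NAMES_Q_CSV: groups.map((g) => q(g.name)).join(','),
    UR_NAMES_Q_CSV: roles.map(q).join(','),
    GET_UG_ATTR_Q_CSV: (a) => groups.filter((g) => g.attrs && a in g.attrs).map((g) => q(g.attrs[a])).join(','),
    IS_IN_GROUP: (name) => groups.some((g) => g.name === name),
    IS_IN_ROLE: (name) => roles.includes(name),
    HAS_TAG: (name) => name in tags,
    HAS_USER_ATTR: (name) => name in attrs,
    HAS_UG_ATTR: (name) => groups.some((g) => g.attrs && name in g.attrs),
    HAS_TAG_ATTR: (name) => Object.values(tags).some((t) => name in t),
    IS_IN_ANY_GROUP: groups.length > 0,
    IS_NOT_IN_ANY_GROUP: groups.length === 0,
    IS_IN_ANY_ROLE: roles.length > 0,
    IS_NOT_IN_ANY_ROLE: roles.length === 0,
    HAS_ANY_TAG: Object.keys(tags).length > 0,
    HAS_NO_TAG: Object.keys(tags).length === 0,
  };
}

// Evaluate an expression written in the sample-usage syntax with every macro in scope. A policy
// condition uses the truthiness of the result; row-filter placeholders use the raw value.
// new Function is acceptable here only because conditions are administrator-authored policy text.
function evaluate(expr, ctx) {
  const names = Object.keys(ctx);
  return new Function(...names, `return (${expr});`)(...names.map((n) => ctx[n]));
}

// Expand ${{...}} placeholders in a row-filter template, as in the *_Q_CSV sample usages.
function expandRowFilter(template, ctx) {
  return template.replace(/\$\{\{([^}]+)\}\}/g, (_, expr) => String(evaluate(expr, ctx)));
}

// Constructed sample: a finance analyst in two groups with the admin role, reading a PII-tagged table.
const analyst = { attrs: { dept: 'finance' }, roles: ['admin'],
  groups: [{ name: 'finance', attrs: { managesStore: 'store1' } }, { name: 'sales', attrs: { managesStore: 'store2' } }] };
const ctx = makeContext(analyst, { tags: { PII: { piiType: 'email' }, FINANCE: {} } });
```

In this model a user with no groups makes UG_NAMES_Q_CSV expand to an empty list, so a row filter built from it is best paired with an IS_IN_ANY_GROUP condition rather than left to produce an empty IN clause.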