Skip to content

Attribute Based Access Control (ABAC) configuration in SDS through Policy Conditions

Note

ABAC is supported only in Virtual Private Cloud environments.

Secure Data Sharing service provides Fine-Grained Access Control using Policies, where the Tenant Administrator configures the resources inside policies. These resources can have attributes or properties i.e. metadata key values. Similarly, users can also have their own attributes or properties. More granular and flexible access control of resources can be managed using resource/user attributes or properties. This authorization strategy is known as Attribute Based Access Control (ABAC). Tenant Administrators and Application developers can use the SDS Policy Conditions to further refine the access based on certain attribute conditions.

You can realize ABAC configuration in SDS through Policy Conditions as explained below.

Policy Conditions

Policy conditions allow you to manage access based on resource or user attribute or property values of the resource that is protected. Attribute in Policy Conditions refers to any property or metadata-key associated with a file or folder. For example, 'BusinessSensitivity', 'CountryOfOrigin' can be considered as attributes or properties or metadata-keys.

Policy condition consists of one or more logical expressions which are combined through logical conjunction operators.

Example

{
   "owner":"tenantA",
   "id":"8b64e3a0-a315-4eed-babc-58a06cabe614",
   "name":"Simulation_Files_Policy",
   "active":true,
   "description":"Policy to provide access to simulation related files.",
   "subjects":[
      "mdsp:core:identitymanagement:eu1:tenantA:usergroup:mdsp_usergroup:AllSimulationUsers"
   ],
   "rules":[
      {
         "name":"Rule1",
         "actions":[
            "mdsp:core:idl:prefix:create",
            "mdsp:core:idl:prefix:delete",
            "mdsp:core:idl:prefix:read"
         ],
         "resources":[
            "mdsp:core:idl:eu1:tenantA:prefix:/data/ten=tenantA/PLISimulationData"
         ],
         "propagationDepth":-1,
         "conditions":[
            {
               "resourceType":"mdsp:core:idl:prefix",
               "expression":"prefix.Global.countryOfOrigin eq 'IN' AND prefix.SAPData.businessSensitivity eq user.clearanceLevel"
            }
         ]
      }
   ]
}

In the above example policy, a new JSON element "conditions" has been added into the Policy Schema, which contains 2 sub-elements "resourceType" and "expression". Condition is an expression(s) with selection criteria defined on resource attributes or user attributes, based on which access to the resource(s) is determined. For example, in Integrated Data Lake (IDL), metadata keys are considered as resource attributes.

  • ResourceType represents the type of resource for which expression has been defined. Resource attributes which belong to the given resourceType can only be used in the expression. For example, if value of resourceType is mdsp:core:idl:prefix then all the metadata keys or resource attributes in underlying expression should have following format: prefix... For example: prefix.SAPData.businessSensitivity.

  • Expression is a combination of resource attributes and user attributes compared against some value. Larger expressions can be formed by joining individual expressions using logical operators (AND, OR, NOT). Details of valid resource attributes / user attributes and supported operators can be found be in the owning service. For example, metadata keys/resource attributes and supported operators around resourceType 'mdsp:core:idl:prefix' are defined in "Integrated Data Lake" (IDL) API documentation. Similarly, user attributes definitions and supported operators are defined in "Identity and Access Management" (IAM) API documentation. For more details about these API specifications, please refer to the relevant documentation.

Constraints

  • Currently, only one expression is allowed per resourceType
  • resourceType cannot be duplicated inside conditions
  • Currently, only supported resourceType is IDL prefix (mdsp:core:idl:prefix). Asset resourceType is not yet supported
  • Maximum 1000 characters are allowed in a condition "expression"
  • Policy Conditions should only be used when SDS basic policy configuration is no longer sufficient because it performs a more elaborate policy search and evaluation that demands more processing power and time
  • Any changes done in IDL metadata/User Attribute definitions or assignments, it may take up to 1 hour to reflect in Policy configuration due to caching mechanism

Supported Operators in Policy Conditions

Type of operator Operator Symbols
Logical Operator OR 'or' or '||'
Logical Operator AND 'and' or '&&'
Logical Operator NOT 'not' or '!'
Binary Operator Equal to 'eq' or '=='
Binary Operator Not equal to 'ne' or '!='
Other Parenthesis '(' and ')'

Supported Data Types in Policy Conditions

Data Type Symbols
Enum SOME_VALUE
String "some_value"

Error Handling Scenarios in Policy Conditions

1.Sample Invalid Expression: prefix. global.country : eq 'GB'

Here ':' is unsupported character in the expression

Error response:

{
    "errors": [
        {
            "code": "mdsp.core.resourceaccessmanagement.validation.malformedExpression",
            "message": "Malformed Expression provided. Please correct the expression syntax and try again.",
            "messageParameters": [
                {
                    "name": "offendingSymbol",
                    "value": ":"
                },
                {
                    "name": "expression",
                    "value": "prefix.global.country : eq 'GB"
                },
                {
                    "name": "resourceType",
                    "value": "mdsp:core:idl:prefix"
                }
            ],
            "logRef": "6478534b8ef9a8ef16a7eda2ce3e7231"
        }
    ]
}

In case unsupported characters are found in expression.

2.Sample Invalid Expression: prefix.global.country eq !'GB'

Here Not(!) Operator is incorrectly placed in the expression.

Error response:

{
    "errors": [
        {
            "code": "mdsp.core.resourceaccessmanagement.validation.malformedExpression",
            "message": "Malformed Expression provided. Please correct the expression syntax and try again.",
            "messageParameters": [
                {
                    "name": "resourceType",
                    "value": "mdsp:core:idl:prefix"
                },
                {
                    "name": "expression",
                    "value": "prefix.global.country  eq !'GB"
                },
                {
                    "name": "offendingSymbol",
                    "value": "!"
                }
            ],
            "logRef": "647854481fcbb128ef84d7798151c1f5"
        }
    ]
}

System considers expression as invalid at the start as per grammar, so sends (!) as offending symbol

3.Sample Invalid Expression: (prefix.global.country eq 'GB' and prefix.global.country eq 'GB'

prefix.global.country eq 'GB' and (prefix.global.country eq 'GB'

If closing parenthesis is missing prefix.global.country eq 'GB' and After part of valid expression if any known keyword is used by mistake.

Error response:

{
    "errors": [
        {
            "code": "mdsp.core.resourceaccessmanagement.validation.malformedExpression",
            "message": "Malformed Expression provided. Please correct the expression syntax and try again.",
            "messageParameters": [
                {
                    "name": "resourceType",
                    "value": "mdsp:core:idl:prefix"
                },
                {
                    "name": "offendingSymbol",
                    "value": "<EOF>"
                },
                {
                    "name": "expression",
                    "value": "prefix.global.country eq 'GB' and (prefix.global.country eq 'GB'"
                }
            ],
            "logRef": "647991aaf9e2343b6dabf18ca31a2608"
        }
    ]
}

Missing ) parenthesis shows offending symbol as EOF by the system which can be manually updated.

After part of valid expression if any known keyword is used mistakenly, system gives EOF as offending symbol.

4.Sample Invalid Expression: pref.global.country eq 'GB'

user11.country eq 'GB'

Invalid start of compound Expression.

Error response:

{
    "errors": [
        {
            "code": "mdsp.core.resourceaccessmanagement.validation.invalidExpression",
            "message": "metaDataKey/userAttribute in the given expression pref.global.country should start with prefix/user respectively.",
            "messageParameters": [
                {
                    "name": "resourceType",
                    "value": "mdsp:core:idl:prefix"
                },
                {
                    "name": "expression",
                    "value": "pref.global.country  eq 'GB'"
                }
            ],
            "logRef": "647855e952352a455f14cea5e581ae05"
        }
    ]
}

Compound Expression can either start with prefix or user.

5.Sample Invalid Expression: user.xxxx eq 'IN'

Invalid User Attribute.

Error response:

{
    "errors": [
        {
            "code": "mdsp.core.resourceaccessmanagement.validation.invalidUserAttribute",
            "message": "Invalid user attribute xxxxx found in part of given expression user.xxxxx",
            "messageParameters": [
                {
                    "name": "userAttribute",
                    "value": "xxxxx"
                },
                {
                    "name": "expression",
                    "value": "user.xxxxx  > 'IN'"
                },
                {
                    "name": "resourceType",
                    "value": "mdsp:core:idl:prefix"
                }
            ],
            "logRef": "64788932907235062517cb154df5c348"
        }
    ]
}

Last update: July 1, 2024

Except where otherwise noted, content on this site is licensed under the Development License Agreement.