Attribute-Based Access Control
Attribute-Based Access Control (ABAC) in the Data Catalog evaluates access decisions based on attributes of the user, the data entity, and the operation context. ABAC policies provide fine-grained control beyond traditional role-based access by matching user attributes against data classification levels, tags, and custom metadata.
How ABAC Works
The governance policy evaluator processes ABAC rules by comparing user attributes from the authentication context against policy conditions defined on data entities.
```
User Request
    |
    v
Extract User Attributes (roles, department, clearance)
    |
    v
Identify Target Entity (table, column, database)
    |
    v
Load Applicable ABAC Policies
    |
    v
Evaluate Each Rule Against Attributes
    |
    v
Allow / Deny / Warn
```
ABAC Rule Types
| Rule Type | Description | Example |
|---|---|---|
| ROLE_REQUIRED | User must have one of the specified roles | Requires DATA_ANALYST role |
| PERMISSION_REQUIRED | User must have all specified permissions | Requires read:pii permission |
| ATTRIBUTE_MATCH | User attribute must match a condition | Department equals Engineering |
| EXPRESSION | Custom expression evaluation | ${user.clearance} == 'TOP_SECRET' |
Attribute Match Operators
| Operator | Description |
|---|---|
| equals | Exact string match |
| contains | Substring match |
| starts_with | Prefix match |
| ends_with | Suffix match |
| regex | Regular expression match |
The contains, starts_with and ends_with operators, and any regular expression that is not anchored at both ends, accept more values than the literal they are given. For a rule that grants access, prefer equals or a fully anchored pattern so that an attribute such as "Engineering-Contractors" does not satisfy a condition written for "Engineering".
Policy Scope
ABAC policies can be scoped to specific parts of the data catalog.
| Scope | Description |
|---|---|
| GLOBAL | Applies to all data entities |
| DATA_SOURCE | Applies to a specific data source |
| DATABASE | Applies to a specific database |
| SCHEMA | Applies to a specific schema |
| TABLE | Applies to specific tables |
| COLUMN | Applies to specific columns |
| TAG | Applies to entities with specific tags |
| CLASSIFICATION | Applies to entities with a classification level |
Enforcement Modes
| Mode | Behavior |
|---|---|
| MONITOR | Log violations only, do not block |
| WARN | Warn the user but allow the operation |
| SOFT_ENFORCE | Block by default with an override option |
| HARD_ENFORCE | Strictly block the operation |
Only SOFT_ENFORCE and HARD_ENFORCE block the operation. MONITOR and WARN record the violation but let the request through, so they are suitable for rolling out a new policy and reviewing what it would have blocked, not as a control in their own right. Where SOFT_ENFORCE is used, the override should itself be logged and reviewed, since it is the path by which a blocked request still succeeds.
Example ABAC Policy
```json
{
  "name": "PII Access Control",
  "policyType": "ACCESS_CONTROL",
  "scopeType": "CLASSIFICATION",
  "scopeEntities": ["PII", "SENSITIVE"],
  "enforcementMode": "HARD_ENFORCE",
  "rules": [
    {
      "name": "Require PII Role",
      "ruleType": "ROLE_REQUIRED",
      "parameters": {
        "roles": ["PII_VIEWER", "DATA_STEWARD"]
      },
      "enabled": true,
      "order": 1
    },
    {
      "name": "Department Check",
      "ruleType": "ATTRIBUTE_MATCH",
      "parameters": {
        "attribute": "department",
        "value": "Compliance",
        "operator": "equals"
      },
      "enabled": true,
      "order": 2
    }
  ]
}
```
Evaluation Context
When evaluating ABAC policies, the following user context is available.
| Field | Description |
|---|---|
| userId | Authenticated user identifier |
| userRoles | List of assigned roles |
| userPermissions | List of granted permissions |
| userAttributes | Key-value map of custom attributes (department, clearance, etc.) |
Violation Severity
When a policy rule fails, the violation severity is determined by the enforcement mode and rule type.
| Severity | Trigger |
|---|---|
| CRITICAL | Hard-enforced policy violation |
| HIGH | Access control or classification rule failure |
| MEDIUM | Soft-enforced policy violation |
| LOW | Monitor-only or warn-mode violation |
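To make the evaluation flow, the rule types and operators, the scope check, the enforcement modes and the severity mapping concrete, here is a small evaluator that loads the "PII Access Control" policy above and runs it against two constructed user contexts. This is an added example written for this page, not the Data Catalog's own evaluator, and it fills in several things the page leaves unstated, each marked as an assumption in the code: every enabled rule of an applicable policy must pass, rules are checked in ascending order, regex is a full match, the entity fields classification and tags are assumed names, and the EXPRESSION rule type is restricted to the form ${user.attr} == 'literal' (or !=) so that no policy text is ever passed to eval().

```python
"""Added example for this page: a small evaluator for the ABAC policy format
documented above. Illustrative code, not the Data Catalog's own evaluator.
Assumptions the page does not state: all enabled rules of an applicable policy
must pass (AND), rules run in ascending ``order``, ``regex`` is a full match,
and EXPRESSION only accepts ``${user.<attr>} == '<lit>'`` or ``!=`` so that
no policy-supplied text ever reaches eval().
"""
import json
import re

# The "PII Access Control" policy from the page, embedded so this runs offline.
POLICY = json.loads("""
{"name": "PII Access Control", "policyType": "ACCESS_CONTROL",
 "scopeType": "CLASSIFICATION", "scopeEntities": ["PII", "SENSITIVE"],
 "enforcementMode": "HARD_ENFORCE",
 "rules": [
  {"name": "Require PII Role", "ruleType": "ROLE_REQUIRED",
   "parameters": {"roles": ["PII_VIEWER", "DATA_STEWARD"]}, "enabled": true, "order": 1},
  {"name": "Department Check", "ruleType": "ATTRIBUTE_MATCH",
   "parameters": {"attribute": "department", "value": "Compliance", "operator": "equals"},
   "enabled": true, "order": 2}]}
""")

# Constructed user contexts using the fields of the Evaluation Context table.
COMPLIANCE_USER = {"userId": "u-1001", "userRoles": ["PII_VIEWER"],
                   "userPermissions": ["read:pii"],
                   "userAttributes": {"department": "Compliance", "clearance": "SECRET"}}
ENGINEER_USER = {"userId": "u-2002", "userRoles": ["PII_VIEWER", "DATA_ANALYST"],
                 "userPermissions": ["read:pii"],
                 "userAttributes": {"department": "Engineering"}}
# Constructed target entities; "classification" and "tags" are assumed field names.
PII_TABLE = {"table": "customers", "classification": "PII", "tags": ["gdpr"]}
PUBLIC_TABLE = {"table": "holidays", "classification": "PUBLIC", "tags": []}

OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
    "starts_with": lambda actual, expected: actual.startswith(expected),
    "ends_with": lambda actual, expected: actual.endswith(expected),
    # Anchored on purpose: re.search would let the pattern "Eng" match every
    # department whose name merely contains "Eng".
    "regex": lambda actual, expected: re.fullmatch(expected, actual) is not None,
}
_EXPR = re.compile(r"^\$\{user\.(\w+)\}\s*(==|!=)\s*'([^']*)'$")

def rule_passes(rule, user):
    """True if one rule is satisfied by the user context."""
    kind, p = rule["ruleType"], rule["parameters"]
    if kind == "ROLE_REQUIRED":        # any one of the listed roles
        return bool(set(p["roles"]) & set(user["userRoles"]))
    if kind == "PERMISSION_REQUIRED":  # all of the listed permissions
        return set(p["permissions"]) <= set(user["userPermissions"])
    if kind == "ATTRIBUTE_MATCH":
        actual = user["userAttributes"].get(p["attribute"])
        # A missing attribute fails closed rather than matching "" or None.
        return actual is not None and OPERATORS[p["operator"]](str(actual), p["value"])
    if kind == "EXPRESSION":
        m = _EXPR.match(p["expression"].strip())
        if not m:
            raise ValueError("unsupported expression: %r" % p["expression"])
        attr, op, literal = m.groups()
        actual = user["userAttributes"].get(attr)
        return actual == literal if op == "==" else actual != literal
    raise ValueError("unknown rule type: %r" % kind)

def policy_applies(policy, entity):
    """Scope check; GLOBAL, CLASSIFICATION and TAG are the cases exercised here."""
    scope, targets = policy["scopeType"], policy.get("scopeEntities", [])
    if scope == "GLOBAL":
        return True
    if scope == "TAG":
        return bool(set(entity.get("tags", [])) & set(targets))
    if scope == "CLASSIFICATION":
        return entity.get("classification") in targets
    return entity.get(scope.lower()) in targets  # DATABASE, SCHEMA, TABLE, ...

# Decision and violation severity by enforcement mode (Enforcement Modes and
# Violation Severity tables). SOFT_ENFORCE denies here; any override path must
# be implemented and audited by the caller.
DECISION = {"HARD_ENFORCE": "DENY", "SOFT_ENFORCE": "DENY", "WARN": "WARN", "MONITOR": "ALLOW"}
SEVERITY = {"HARD_ENFORCE": "CRITICAL", "SOFT_ENFORCE": "MEDIUM", "WARN": "LOW", "MONITOR": "LOW"}

def evaluate(policy, user, entity):
    """Return (decision, violations) for one request against one policy."""
    if not policy_applies(policy, entity):
        return "ALLOW", []
    mode = policy["enforcementMode"]
    rules = sorted((r for r in policy["rules"] if r.get("enabled", True)), key=lambda r: r["order"])
    violations = [{"rule": r["name"], "severity": SEVERITY[mode]} for r in rules if not rule_passes(r, user)]
    return ("ALLOW", []) if not violations else (DECISION[mode], violations)

if __name__ == "__main__":
    for user in (COMPLIANCE_USER, ENGINEER_USER):
        print(user["userId"], evaluate(POLICY, user, PII_TABLE))
```

The compliance user passes both rules and is allowed; the engineer holds the PII_VIEWER role but fails the department check, so under HARD_ENFORCE the request is denied with a CRITICAL violation. Switching the same policy to MONITOR returns ALLOW with the violation still recorded at LOW severity, which is what makes monitor mode useful for a rollout and useless as a control. The entity with a PUBLIC classification is outside the policy's scope and is never evaluated against its rules.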