> ## Documentation Index
> Fetch the complete documentation index at: https://mintlify.hoop.dev/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Attribute-Based Access Control

> Apply policies to groups of resource roles using attributes instead of listing every resource role

<Frame>
  <img src="https://mintcdn.com/hoopdev/R8C-9uJV2xf0pJz-/images/learn/features/abac.png?fit=max&auto=format&n=R8C-9uJV2xf0pJz-&q=85&s=13acfbf9e2542dcb4b4c4b728389abb5" alt="Attribute-Based Access Control" width="1800" height="1064" data-path="images/learn/features/abac.png" />
</Frame>

## What You'll Accomplish

Attribute-Based Access Control (ABAC) lets you scope policies using **attributes** on resource roles. You can:

* Target many resource roles with a single rule by matching a shared attribute
* Reduce long, brittle lists of individual resource roles in policy configuration
* Keep using explicit per-resource-role assignment where that still fits your team
* Manage attributes in one place, including batch-style updates

***

## How It Works

<Steps>
  <Step title="Configure attributes">
    For each attribute, define what it represents and which resource roles it applies to.
  </Step>

  <Step title="Scope policies by attribute">
    When you configure a supported policy, choose attribute-based scope so one rule can match every resource role that carries that attribute.
  </Step>

  <Step title="Use alongside other rules">
    You can still assign policies to specific resource roles directly; both approaches can be used together.
  </Step>
</Steps>

***

## Where You’ll See Attributes

| Area                      | What you can do                                                                                                                         |
| ------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| **Settings > Attributes** | Create, edit, and review attributes and which resource roles they apply to                                                              |
| **Resource roles**        | Set attributes in the **Details** section of a resource role                                                                            |
| **Feature configuration** | Where a feature supports it, scope rules using attributes (for example, Guardrails, Live Data Masking, Access Control, Access Requests) |

***

## Best Practices

<CardGroup cols={2}>
  <Card title="Name attributes for policy intent" icon="tag">
    Prefer stable, meaningful names (for example, `prod-data-store`) so rules stay understandable as teams change.
  </Card>

  <Card title="Keep assignments current" icon="arrows-rotate">
    When resource roles change, update attribute assignments so policies still match the right scope.
  </Card>

  <Card title="Start with a small scope" icon="bullseye">
    Pilot attribute-based rules on a narrow attribute, then expand once outcomes look right in sessions and audits.
  </Card>

  <Card title="Pair with per-resource-role rules when useful" icon="layer-group">
    Use attribute-based scope for broad patterns and explicit resource role picks for exceptions—both can coexist.
  </Card>
</CardGroup>

***

<Note>
  Ready to set it up? The [ABAC configuration guide](/setup/configuration/abac-configuration) walks through creating attributes, scoping a feature policy by attribute, and verifying the result.
</Note>

## Next Steps

<CardGroup cols={2}>
  <Card title="Access Control" icon="lock" href="/learn/features/access-control">
    Restrict who can use which resources
  </Card>

  <Card title="Guardrails" icon="shield" href="/learn/features/guardrails">
    Block dangerous queries with pattern-based rules
  </Card>

  <Card title="Live Data Masking" icon="mask" href="/learn/features/live-data-masking">
    Redact sensitive data in query results
  </Card>

  <Card title="Access Requests" icon="clock" href="/learn/features/access-requests/jit">
    Require approvals for sensitive access
  </Card>
</CardGroup>
