For an introduction to Attribute-Based Access Control concepts, see the ABAC overview.
Prerequisites
- Admin access to manage attributes and the feature policies you want to scope
- One or more resource roles to assign attributes to
Step 1: Open Attributes
In the sidebar, go to Settings > Attributes.
Step 2: Create an Attribute
- Click Create a new Attribute
- Define a Name (and any other required fields on the form)
- Choose which resource roles this attribute applies to—this is the set of roles that will match when you scope rules by this attribute
- Save your changes
Step 3: Scope a Policy by Attribute
When you create or edit a rule in a supported feature, you can attach it to an attribute instead of selecting many resource roles individually.
- Open the feature you need (for example, Guardrails, Live Data Masking, Access Control, or Access Requests)
- Create a new rule or policy, or edit an existing one
- Fill in the rest of the form the way you usually would (patterns, actions, approvals, and so on—whatever that screen asks for)
- In the scope or assignment section, choose attribute-based scope (or the equivalent label) and pick the attribute you created
- Save your changes
Step 4: Verify
- Run a query or command from a resource role that should match the rule
- Run one from a resource role that should not match
- Confirm the outcome (for example, blocked vs allowed) matches what you expect
Troubleshooting
I don’t see attribute-based options in a feature
Check:
- Your role can manage that feature
- The feature version you use includes attribute-based scope (options appear in the rule or policy screen when available)
- Attributes exist and are assigned to the resource roles you expect
A policy didn’t apply to a resource role
Check:
- The resource role has the attribute you used in the rule
- No conflicting rule with a narrower resource role selection is overriding the rule you expected to apply
- Filters on the Resources or Resource Roles lists show the attribute you think you set