ABAC

Attribute-Based Access Control (ABAC) is another security model you can use in Mission Control when RBAC falls short. It conditionally grants access to resources based on attributes. In Mission Control, these attributes relate to the resource that the user accesses, for example:

  • the tags
  • the namespace
  • name patterns (example: begins with test-)

The models are not mutually exclusive. Mission Control supports both RBAC and ABAC.

Example use cases:

  • Allow a person to run a playbook, but only if the playbook is in a certain namespace
  • Deny a person from running a playbook in the Kubernetes category
  • Allow a notification to run a particular playbook

deny-person-playbook.yaml
---
# yaml-language-server: $schema=../../config/schemas/permission.schema.json
apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: deny-user-foo-playbook-run
spec:
  description: deny user foo to run any playbook
  subject:
    person: foo@bar.com
  actions:
    - playbook:*
  deny: true
  object:
    playbooks:
      - name: "*" # this is a wildcard selector that matches any playbook
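
The following added example (not Mission Control's code, and not from the original page) is a simplified model for checking which requests a set of permissions would match, using the attributes listed above: name patterns, namespace and tags. The `playbook:run` action name, the glob-style matching, and the deny-overrides-allow and default-deny rules are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample permissions in the shape of the Permission spec above
# (subject / actions / deny / object.playbooks). All values are sample data.
PERMISSIONS = [
    {   # allow: run playbooks, but only those in the "ops" namespace
        "subject": "foo@bar.com", "actions": ["playbook:run"], "deny": False,
        "playbooks": [{"name": "*", "namespace": "ops"}],
    },
    {   # deny: any playbook action on playbooks whose name begins with test-
        "subject": "foo@bar.com", "actions": ["playbook:*"], "deny": True,
        "playbooks": [{"name": "test-*"}],
    },
]

def selector_matches(selector, resource):
    """Every attribute present in the selector must match the resource."""
    if "name" in selector and not fnmatchcase(resource["name"], selector["name"]):
        return False
    if "namespace" in selector and selector["namespace"] != resource.get("namespace"):
        return False
    have = resource.get("tags", {})
    return all(have.get(k) == v for k, v in selector.get("tags", {}).items())

def action_matches(patterns, action):
    """'playbook:*' covers 'playbook:run' (assumed glob semantics)."""
    return any(fnmatchcase(action, p) for p in patterns)

def applies(perm, person, action, playbook):
    """A permission applies when subject, action and one selector all match."""
    return (perm["subject"] == person
            and action_matches(perm["actions"], action)
            and any(selector_matches(s, playbook) for s in perm["playbooks"]))

def decide(permissions, person, action, playbook):
    """Return 'allow' or 'deny'. Assumed: deny wins, and no match means deny."""
    hits = [p for p in permissions if applies(p, person, action, playbook)]
    if any(p["deny"] for p in hits):
        return "deny"
    return "allow" if hits else "deny"

if __name__ == "__main__":
    for pb in ({"name": "restart-pod", "namespace": "ops"},
               {"name": "restart-pod", "namespace": "default"},
               {"name": "test-restart", "namespace": "ops"}):
        print(pb, "->", decide(PERMISSIONS, "foo@bar.com", "playbook:run", pb))
```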