Condition Sets
Condition sets give you the flexibility of ABAC with the simplicity of RBAC.
Condition sets are sets of objects that represent logical elements in your system.
There are currently two types of condition sets that you can work with:
- User Set - defined as a set of users that match all the specified conditions.
- Resource Set - defined as a set of resources that match all the specified conditions.
Example of a User Set
All users who are located in the United States and have the role of an Employee.
We will call this us_based_employees.
Example of a Resource Set
All resources that are of the type repository and are private.
We will call this private_repos.
We can then picture a matrix of assignment between user sets and resource sets. We placed a checkbox to indicate that us_based_employees can perform any action on the private_repos resource.
| Admin | Employee | Employee in the US | |
|---|---|---|---|
| Private Repositories | X | ||
| Marketing Materials |
Creating a Condition Set
We will now view code examples of a condition set written for the above defined User and Resource Sets.
User Set - US Based Employees
Notice how we want both conditions to be true, so we ended up using the allOf logical operator.
We have also specified the type of the condition set to be userset.
{
"key": "us_based_employees",
"name": "US based employees",
"type": "userset",
"conditions": {
"allOf": [
{
"user.role": {
"equals": "employee"
}
},
{
"user.location": {
"in": [
"US"
]
}
}
]
}
}
Resource Set - Private Repositories
In this example of a resource set condition, the type changed to resourceset.
{
"key": "private_repositories",
"name": "Private Repositories",
"type": "resourceset",
"conditions": {
"allOf": [
{
"resource.type": {
"equals": "repository"
}
},
{
"resource.access": {
"equals": [
"private"
]
}
}
]
}
}
We have now successfully defined two condition sets. Let's learn how we can use them together and create a Condition Set Rule.