Attribute Expression ABAC Label
A simple guide to the Koverse Attribute Expression ABAC Label
The Attribute Expression ABAC Label is a more powerful security label than the Single Attribute ABAC Label. The Attribute Expression will allow you to incorporate your own logic into your Attributes, by creating compound Attributes using expressions and logical operators in addition to the standard supported Attributes which are alphanumeric, colon, hyphen, period, and underscore characters only (A-Z 0-9 : - . _).
At this time, the following logical operators are supported:
- AND: &
- OR: |
- GROUPING: ( )
In order to use this functionality, you will need to create an Expression in your data, underneath the Attribute Field you have chosen, which will apply to multiple attributes.
For example, if you have two Attributes defined under your chosen Attribute Field, Attribute1 and Attribute2, you can create a couple different kinds of expressions:
Attribute1&Attribute2
If the above Attribute appears under your Attribute Field in your data, only users that have access to both Attribute1 and Attribute2 can see the associated data.
Attribute1|Attribute2
If the above Attribute appears under your Attribute Field in your data, users that have access to Attribute1 or Attribute2 can see the associated data.
Let’s see an example of this. Take a look at the data below:
Let’s say there is a User that has been assigned to Attribute2, but they are not assigned to Attribute1. This is what they will see in Koverse:
Note that they cannot see the information in Row 2 or Row 4. That is because the user does not have Attribute1 assigned to them. Row 2 requires them to be assigned to Attribute1 only, while Row 4 requires them to be assigned to Attribute1 and Attribute2.
The grouping function can be used as well to create a more complex expression. For example if you have the Attributes “A,” “B,” “C,” and “Z” in your data, you could create an Attribute Expression that looks like this:
(A|B|C)&Z
In order to view the data associated with the above Attribute, a user must have access to A or B or C and always Z.