Attribute Based Access Controls (ABAC)


Overview

For organizations that want to hide content based on a user's group, department or other static attributes, Attribute Based Access Controls (ABAC) let them define security profiles that filter content using easy-to-use search definitions. This ensures that certain content is accessible only to people with the correct attributes, giving precise control over content visibility and making it easier to manage users on the platform.

The benefits of using the RecordPoint ABAC feature include:

  • Reduced administrative overhead: With ABAC, organizations can automate content visibility based on user attributes, significantly reducing the time and effort required for manual access management. This streamlined approach allows administrators to concentrate on more strategic tasks, ultimately improving operational efficiency.
  • Enhanced security: ABAC offers a robust security framework by ensuring that only users with the appropriate attributes can access sensitive content. This granular control minimizes the risk of unauthorized access, safeguarding valuable information and helping to maintain compliance with regulatory standards.
  • Scaled usage of the RecordPoint Platform: By enabling organizations to manage access based on specific user attributes, ABAC supports broader and more efficient use of the RecordPoint platform across a diverse range of use cases. As businesses grow and evolve, this feature facilitates dynamic access control, ensuring that the right people have access to the right information at all times.

ABAC determines which records are visible to a user, while Role-Based Access Control (RBAC) continues to determine what actions that user can take on those records.

By design, visitors (users without an evaluated ABAC security profile at request time) have no access to records by default.

Getting Started

Access to the ABAC module may require an additional subscription, depending on your current licensing model. If you wish to obtain access to the ABAC module, kindly contact your RecordPoint Account Manager.

Role Required: To create or manage ABAC security profiles, you need to be assigned to either the Application Administrator or Records Manager role in the RecordPoint platform.

To grant visibility to any set of records, create Security Profiles that explicitly allow access for targeted users or groups; visitors without a resolved profile will not see records until such a profile is applied.

To build an ABAC Security Profile and restrict the set of records a user can view/action, perform the following:

  1. Click on the Settings icon in the top right-hand corner of the RecordPoint Platform.
  2. Under Security, click on Profiles in the left-hand navigation pane.
  3. Click the New button to create a new Security Profile or click the link in the name column of a Security Profile from the grid.

  4. The Security Profile page will open.
    • The Name field is required. This will be the identifier for the Security Profile.
    • The Description field is optional. Use it to describe the Security Profile in more detail.

  5. To leverage ABAC, first navigate to the Data Trimming tab of the Security Profile. Here, the admin must create an advanced search query that defines what type of content users within this group are allowed to see.
    • The Restricted Data section provides a preview of the content that is made available to users with the correct attributes.
    • Example “all records” filter: in Field search, set Record Number to Not empty.

  6. The Members tab displays all the users and groups that have been added to this Security Group. To add a new User or Group click the Add button. The Add Users or Groups pane will open.

  7. Add a User by their User Principal Name (UPN).

Groups that are added to security profiles are now ABAC trimmed. RecordPoint supports groups from Entra and PingOne. If you have any questions, please raise this with your account manager.

If a user’s security profile cannot be resolved at the time of a request, for example due to transient identity issues or unavailable group data, no records will be returned until the profile is available.

How Access is Evaluated

When a user is added to multiple security profiles, they will have access to the data associated with all the profiles they belong to. This means the user’s access is cumulative across all profiles, similar to how an "OR" condition works in logic.

Access is cumulative across profiles (union of allowed records), but still requires an explicit allow via at least one Security Profile; visitors without such a profile see nothing by default.
RBAC continues to govern permissions (e.g., view, edit, export), while ABAC governs visibility of the underlying records returned to a user.
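
The evaluation rules above, modeled as an added Python sketch: cumulative OR across profiles, no records without an explicit allow or when a profile cannot be resolved, and RBAC deciding actions only on visible records. This is not RecordPoint code; the class and function names, the sample records, the `Reviewer` role and the use of `groups=None` to stand for unavailable group data are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class SecurityProfile:
    name: str
    trimming_query: Callable[[dict], bool]  # stands in for the Data Trimming search
    members: set = field(default_factory=set)  # UPNs and group names

class ProfileResolutionError(Exception):
    """Identity or group data was unavailable at request time."""

def resolve_profiles(upn, groups, profiles):
    # groups=None models unavailable group data (assumption of this sketch)
    if groups is None:
        raise ProfileResolutionError(upn)
    principals = {upn} | set(groups)
    return [p for p in profiles if p.members & principals]

def visible_records(upn, groups, profiles, records):
    """ABAC: union (OR) of all matching profiles' queries, deny by default."""
    try:
        matched = resolve_profiles(upn, groups, profiles)
    except ProfileResolutionError:
        return []  # fail closed: no records until the profile resolves
    return [r for r in records if any(p.trimming_query(r) for p in matched)]

def can_perform(role, action, record, visible, role_permissions):
    """RBAC decides the action, only on records ABAC already made visible."""
    return record in visible and action in role_permissions.get(role, set())

# Constructed sample data; names and values are illustrative only.
RECORDS = [
    {"id": 1, "department": "Legal", "matter": "M-100"},
    {"id": 2, "department": "HR", "matter": None},
    {"id": 3, "department": "Finance", "matter": "M-100"},
]
PROFILES = [
    SecurityProfile("Legal dept", lambda r: r["department"] == "Legal", {"grp-legal"}),
    SecurityProfile("Matter M-100", lambda r: r["matter"] == "M-100", {"alice@example.com"}),
]
ROLE_PERMISSIONS = {"Reviewer": {"view"}, "Records Manager": {"view", "edit", "export"}}

def ids(upn, groups):
    return [r["id"] for r in visible_records(upn, groups, PROFILES, RECORDS)]

if __name__ == "__main__":
    print(ids("alice@example.com", ["grp-legal"]))  # member of both profiles
    print(ids("carol@example.com", []))             # visitor, no profile
```

A user who holds a broad RBAC role but matches no profile still gets an empty result, which is why access problems should be checked against profile membership before roles.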

 

System-Wide Impact of ABAC Trimming

When a user is added to a security profile with ABAC trimming enabled, it will impact all content, including existing items within the RecordPoint platform. This is because ABAC is a real-time, search-based security filter that reviews all content in the system, ensuring users can only access what they have been granted permission to view.

Please note that the Analytics page under Classification Intelligence will not be available for users who are part of a security profile with ABAC enabled. If this is something that your organisation is interested in, please raise an enhancement request or speak with your account manager.

Because ABAC applies at query time, any profile changes (adds/removes or attribute updates) take effect on the next request that evaluates a user’s profile.

Operational Guidance

To provide access to records, create Security Profiles that explicitly allow the appropriate users or groups.

Best practices:

  • Use explicit Security Profiles rather than visitor/default access.
  • Confirm that users who require access successfully resolve a Security Profile during sign-in and record retrieval.

Example Scenario

ABAC now supports: Enabling lawyers to use the RecordPoint platform for e-Discovery

The newly implemented ABAC feature in RecordPoint transforms how lawyers approach e-Discovery by providing tailored access controls that adapt to individual case needs. This allows legal teams to grant permissions based on attributes like client affiliation, document sensitivity, and user roles, ensuring that only authorized personnel can access or export crucial evidence. By enhancing security and streamlining collaboration, lawyers can focus on building stronger cases while effectively managing sensitive information all on the RecordPoint platform.

To grant broad discovery access, create a Security Profile with a data-trimming query that matches the desired corpus (e.g., all records or a matter-scoped subset) and assign the relevant users or groups; their visibility will be limited to the records defined by that profile and any others to which they belong.

 
