ABAC Attribute Settings
  • 18 Dec 2025

Article summary

This article details the various Settings available on the Settings page for an individual ABAC Attribute.

Activation Status

The Activate or Deactivate button in the top right corner controls, at the ABAC Attribute level, whether Provisioning is allowed or disallowed for all ABAC Profiles associated with this particular ABAC Attribute.

Clicking Activate activates the ABAC Attribute, and clicking Deactivate deactivates it (the button shown is the opposite of the current Status).

ABAC Attribute Owners

This option lets you establish Owners (those responsible for this ABAC Attribute).

An ABAC Attribute can have more than one Owner, and the UI changes based on the number of Owners defined. Click the Owners button and use the Search field to find and add new Owners, or uncheck existing Owners to remove them.

Attribute Maintenance

ABAC Attributes are dynamic and should update automatically when the supporting data changes, but you can use the following Attribute Maintenance actions if you need to manage an ABAC Attribute manually for any reason.

Rebuild

This option lets you reset the entire set of ABAC Profiles created for this ABAC Attribute and all Entitlements associated with them. Clarity will then rebuild all of the profiles from scratch and insert into each ABAC Profile any Entitlements that are held by ALL Active member Identities in that Profile.

Complete reset - deletes everything and starts fresh:

  • Removes all existing profiles
  • Scans data sources again for attribute values
  • Creates brand new profiles from scratch
  • Populates new profiles with fresh entitlements

Clean

Existing ABAC Profiles are kept in place, and missing ABAC Profiles will be created.  Existing entitlements are analyzed, and any Entitlements not currently held by ALL Active member Identities will be removed from the profile.

Refresh and clean up - keeps profiles but removes outdated access:

  • Keeps existing profiles intact
  • Finds any new attribute values and creates new profiles for them
  • Analyzes entitlement overlap across all profiles
  • Removes entitlements that aren’t shared by 100% of users in profile

Refresh

Existing ABAC Profiles are kept in place, and missing ABAC Profiles will be created.   No Entitlements are removed from Profiles, but new Entitlements will be added if ALL Active member Identities have the entitlement.

Refresh only - adds new without removing existing:

  • Keeps existing profiles intact
  • Finds any new attribute values and creates new profiles for them
  • Analyzes entitlement overlap but doesn’t remove anything
  • Preserves all existing entitlements even if they’re not universal
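The difference between the three actions is easiest to see on one data set. The following is an added illustration, not Clarity's code or API: it models each action exactly as described above, and every function name, field name and sample value is hypothetical.

```python
# Illustrative model of Rebuild, Clean and Refresh; not Clarity's code or API.
# All function and field names are hypothetical.

def common(members, value):
    """Entitlements held by ALL Active identities whose attribute equals value."""
    held = [m["ents"] for m in members if m["active"] and m["attr"] == value]
    # Assumption: a value with no Active members yields no entitlements.
    return set.intersection(*held) if held else set()

def values(members):
    # Assumption: one profile per attribute value seen on an Active identity.
    return {m["attr"] for m in members if m["active"]}

def rebuild(profiles, members):
    # Complete reset: existing profiles are ignored and everything is recomputed.
    return {v: common(members, v) for v in values(members)}

def clean(profiles, members):
    # Keep profiles, create missing ones, drop entitlements not held by everyone.
    out = {}
    for v in set(profiles) | values(members):
        shared = common(members, v)
        out[v] = profiles[v] & shared if v in profiles else shared
    return out

def refresh(profiles, members):
    # Keep profiles, create missing ones, add shared entitlements, remove nothing.
    return {v: profiles.get(v, set()) | common(members, v)
            for v in set(profiles) | values(members)}

# Constructed sample data; the attribute is "department".
MEMBERS = [
    {"attr": "Finance", "active": True, "ents": {"erp_read", "vpn", "expense_approve"}},
    {"attr": "Finance", "active": True, "ents": {"erp_read", "vpn"}},
    {"attr": "Finance", "active": False, "ents": {"erp_read"}},  # inactive: ignored
    {"attr": "Sales", "active": True, "ents": {"crm", "vpn"}},
]
# Profile state before maintenance: one stale entitlement, no Sales profile yet.
EXISTING = {"Finance": {"erp_read", "expense_approve"}}

if __name__ == "__main__":
    for action in (rebuild, clean, refresh):
        print(action.__name__, action(EXISTING, MEMBERS))
```

On this data Refresh leaves `expense_approve` in the Finance profile although only one Active member holds it, while Clean and Rebuild drop it.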

Delete

This option lets you delete the ABAC Attribute in its entirety. This deletes all ABAC Profiles and all Entitlements associated with those profiles.

Update Attribute

ABAC Attribute Name

You can use this field to rename the ABAC Attribute to something new (as long as the new value is not already in use by another ABAC Attribute).

Description

Adjust the description for your ABAC Attribute. This is recommended if you are making large changes to the Attribute Precedence below.

Enable Concatenation

This allows you to enable the Concatenation feature for an already existing ABAC attribute.  This feature lets you combine multiple Attributes into a single unique value.

Attribute Precedence

This section allows you to add more attributes for consideration in the Profile creation process.  Adjustments can also be made to the order in which attributes are evaluated for individual Identities.

Deprovision Strategy (Mover or Profile Changes)

This selection lets you determine how to handle the removal (delayed removal, or no removal) when an Identity is either Moving to a new profile or gaining additional profiles in this ABAC Attribute.

Options and their descriptions:

  • Deprovision Immediately: Entitlements not associated with either the new profile or any other ABAC Profiles associated with the Identity will immediately be deprovisioned.
  • Convert to Exception: Entitlements not associated with either the new profile or any other ABAC Profiles associated with the Identity will be converted to an Exception and NOT DEPROVISIONED.
  • Set Expiration: Entitlements not associated with either the new profile or any other ABAC Profiles associated with the Identity will be converted to an Exception and configured with an Expiration date (corresponding to the number of days indicated).

Entitlements from Multiple Profiles

For an Entitlement assigned to an Identity to be considered an exception, it must be missing from ALL ABAC Profiles associated with that particular Identity.
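The three strategies and the multiple-profile rule can be worked through on a single mover. This is an added illustration, not Clarity's code or API: the strategy strings, function name and sample data are hypothetical, and counting the expiration from the evaluation date is an assumption.

```python
# Illustrative model of the Deprovision Strategy decision; not Clarity's code or API.
# Strategy strings and function names are hypothetical.
from datetime import date, timedelta

def resolve_mover(held, profiles_now, strategy, today, days=None):
    """Return {entitlement: (action, expiration)} for an Identity after a move."""
    # An entitlement present in ANY currently associated profile is not an exception.
    covered = set().union(*profiles_now.values())
    result = {}
    for ent in sorted(held):
        if ent in covered:
            result[ent] = ("keep", None)
        elif strategy == "deprovision_immediately":
            result[ent] = ("deprovision", None)
        elif strategy == "convert_to_exception":
            result[ent] = ("exception", None)  # stays provisioned, no end date
        elif strategy == "set_expiration":
            # Assumption: the expiration is counted from the evaluation date.
            result[ent] = ("exception", today + timedelta(days=days))
        else:
            raise ValueError(f"unknown strategy: {strategy}")
    return result

# Constructed sample: the Identity moved from Finance to Sales and also
# belongs to a second profile (Managers) under the same ABAC Attribute.
HELD = {"erp_read", "expense_approve", "vpn", "crm"}
PROFILES_NOW = {"Sales": {"crm", "vpn"}, "Managers": {"expense_approve", "vpn"}}
TODAY = date(2025, 1, 1)

if __name__ == "__main__":
    for s in ("deprovision_immediately", "convert_to_exception", "set_expiration"):
        print(s, resolve_mover(HELD, PROFILES_NOW, s, TODAY, days=30))
```

Here `expense_approve` is absent from the new Sales profile but is kept because the Managers profile still covers it; only `erp_read` is subject to the selected strategy.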


Need help?

If you have any problems, contact your customer success team. You can also get in touch with our general support via email or open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.

