- 17 Dec 2025
What is ABAC?
Birthright Access in Clarity is determined by ABAC (Attribute Based Access Control). In the Clarity platform you will establish certain ABAC Attributes (Ex: Department, Job Title, Location), which then determines
An example of a standard ABAC setup would be utilizing Department and Job Title Attributes from a Source of Truth application (such as your HR platform). This configuration would allow you to assign birthright access to users at the Department level and Job Title level, resulting in birthright access determined by the Employee’s attribute(s) for Department and Job Title (individual Entitlements would be assigned to each of these ABAC Values).
Quick ABAC Concepts
ABAC Attribute: This is the attribute(s) you select to determine birthright access. It would typically come from sources like your HR platform (Workday, UKG, BambooHR) or Directory service (Entra ID, Active Directory). Ex: “Department”, “Job Title”, “Location”.
ABAC Value: These are the individual attribute values based on the ABAC Attributes you have selected. If your ABAC Attribute (defined above) is Department, examples of ABAC Value would be “Marketing”, “Information Technology”, “Sales”.
ABAC Profile: Clarity creates an ABAC Profile for each ABAC Value (defined above) found. The difference to keep in mind between an ABAC Value and an ABAC Profile is that the ABAC Profile is the Clarity object created from the ABAC Values, which allows you to establish the relationship between a value such as “Marketing” and the Entitlements determined for Birthright Access.
Where the data comes from
The data for Clarity ABAC comes primarily from your Sources of Truth. We would typically advise customers to build their Profiles based on their HR system or a Directory service like Entra ID or on-prem Active Directory.
In order to establish Birthright Access, ABAC Profiles will have various Entitlements associated with them, and these Entitlements will come from all the various Downstream Applications you connect to Clarity.
What generates a profile
The profiles created in your Clarity tenant are customizable and determined by the customer. Once you determine that you want to define and identify Birthright Access by Department, Clarity will use the source of that Attribute to create your various profiles. Most often this would be your HR platform: we would look at all of the values across all employees and create an ABAC Profile for each unique value found (Ex: Marketing, Sales, IT, Security, etc.).
Next, Clarity will place all of your Identities into the various ABAC Profiles based on whether their Service Users have the matching attribute from HR.
Finally Clarity will analyze all of the members of each ABAC Profile, and determine the baseline for Birthright Access. If your ABAC Profile has 3 members, Clarity will determine which Entitlements all 3 members have in common (100% match) and automatically include those in the Profile. You can choose to keep this baseline, or remove them and start over.
Note:
An Identity can be a member of 1 Profile or multiple profiles.
Access from an ABAC Profile
An ABAC Profile is an object created by Clarity that contains the relationships between Identities with the corresponding ABAC Value and the Identity
Grant Type: ABAC Profile
If you are viewing an Identity's Entitlements (depicted above), and you see Grant Type ABAC Profile, this would indicate that the Entitlement is part of the Identity's ABAC Profile (in this case, based on their department).
Grant Type: Exception
If an Identity has any Entitlements that are not associated with their ABAC Profile, then Clarity will mark these with the Grant Type Exception. This is to indicate that the Identity has the Entitlement, but it is an exception to the entitlements outlined in their ABAC Profiles.
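The profile generation, 100% match baseline and Grant Type labelling described above, modelled in Python as an added example (not Clarity's code or API; the identities, entitlement names and function names are constructed for illustration):

```python
from collections import defaultdict

# Constructed sample data: HR attributes (Source of Truth) and the
# downstream entitlements each identity currently holds.
HR = {
    "alice": {"Department": "Marketing", "Job Title": "Analyst"},
    "bob":   {"Department": "Marketing", "Job Title": "Manager"},
    "carol": {"Department": "Marketing", "Job Title": "Analyst"},
    "dave":  {"Department": "Sales",     "Job Title": "Manager"},
}
HELD = {
    "alice": {"crm:read", "cms:edit", "bi:view"},
    "bob":   {"crm:read", "cms:edit", "hr:approve"},
    "carol": {"crm:read", "cms:edit", "bi:view", "prod-db:admin"},
    "dave":  {"crm:read", "crm:write", "hr:approve"},
}

def build_profiles(hr, attributes):
    """One profile per unique (attribute, value) pair; returns profile -> members."""
    members = defaultdict(set)
    for identity, attrs in hr.items():
        for attr in attributes:
            if attrs.get(attr):
                members[(attr, attrs[attr])].add(identity)
    return dict(members)

def baseline(members, held):
    """Entitlements that every member of a profile holds (100% match)."""
    return {profile: set.intersection(*(held.get(i, set()) for i in ids))
            for profile, ids in members.items()}

def grant_types(identity, members, profile_entitlements, held):
    """Label each held entitlement 'ABAC Profile' or 'Exception'."""
    covered = set()
    for profile, ids in members.items():
        if identity in ids:  # an identity can belong to several profiles
            covered |= profile_entitlements[profile]
    return {e: "ABAC Profile" if e in covered else "Exception"
            for e in sorted(held[identity])}

PROFILES = build_profiles(HR, ["Department", "Job Title"])
BASELINE = baseline(PROFILES, HELD)
CAROL = grant_types("carol", PROFILES, BASELINE, HELD)
```

In this model a profile with a single member, like Sales here, gets that member's entire access as its baseline, which is one reason to review a generated baseline before keeping it.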
Creating, modifying, and deleting ABAC Profiles
Clarity allows you to create new ABAC Profiles and to modify existing ones.
Creating
While typically ABAC Profiles are generated from the attributes you select, you can create custom ABAC Profiles in the UI if it is necessary for your environment or you plan to combine (alias) other ABAC Profiles under another.
ABAC Profiles can also be created by using the Clone feature, which lets you clone an existing ABAC Profile to create a new Profile with the same entitlements.
Modifying
ABAC Profiles can be modified in several ways, including merging, renaming, and tagging.
Merging an ABAC Profile into another Profile creates an alias relationship in the database, which tells any member of Profile B (an alias of Profile A) that they should be treated as a member of Profile A.
Renaming an ABAC Profile creates a new Profile with the desired name, and then makes the original ABAC Profile an alias of the newly created ABAC Profile with the desired name.
Tagging an ABAC Profile lets you use filtering and perform reviews against particular ABAC Profiles. Similar to tagging, you can also flag an ABAC Profile as High Risk.
Deleting
At this time, Clarity does not allow for deleting ABAC Profiles from the User Interface. You can contact your Clarity Support team if an ABAC Profile was created incorrectly or needs to be deleted.
Identity Primary Role Via ABAC Attribute
The Identity Primary Role Via ABAC Attribute is a particular ABAC Attribute you have selected (from your already configured ABAC Attributes). This selection determines the Attribute or Attribute combination that will display on Identity Profiles and can be visible in User Access Reviews.
An example of this would be to choose an ABAC Attribute like Department/Job Title (that’s 2 attributes concatenated together), so that you can see at a glance in an Access Review the Department and Job Title associated with the user under review.
Need help?
If you have any problems, contact your customer success team. You can also get in touch with our general support via email or open a support ticket. Our general support team is available Monday - Friday from 8:00 AM - 6:30 PM CST.