Configuring Attribute-Based Access Control (ABAC) Policies

Learn how to define, apply, and test attribute-based access control policies in PumaMesh to enforce Zero Trust authorization across files, objects, and transfer paths.

PumaMesh uses Attribute-Based Access Control (ABAC) to decide who can see a file. The model is deliberately simple: the data scanner assigns tags to each file, and every user carries a set of tags. A user can access a file only when the file's required tags are a subset of that user's tags — in other words, the user must hold ALL of the tags a matching policy requires. This article explains the keyword-policy model, how user tags are resolved, and how to test access before rollout.

How the keyword-policy model works

Every file is tagged by the PumaMesh data scanner during ingest and labeling. A keyword policy maps a keyword to a required tag and an action. When a user requests a file, PumaMesh compares the file's required tags against the user's tags. Access is granted only if the file's tags are a subset of the user's tags, so the user must hold ALL required tags. If even one required tag is missing, the file is hidden from that user.

How user tags are resolved

User tags come from two sources. First, LDAP attributes are auto-resolved at login, so a user's directory attributes are mapped to tags automatically each time they sign in. Second, administrators can apply local tag assignments directly in PumaMesh. The combined set is the user's effective tags. Use the User Tags tab to look up any username and review the exact tags that user holds.

Predefined and Custom policies

PumaMesh ships with Predefined Policies for common keywords and classifications so you can enforce sensible defaults immediately. Custom Policies let you define your own keyword-to-tag mappings, choose an action, and assign a category and granularity. Each policy can be individually enabled or disabled; the header counter shows how many of your total policies are currently enabled.

Testing access before rollout

Use the Access Test Tool to confirm a policy behaves as expected before enabling it broadly. Enter a file path and a username, then run the test to see whether access would be allowed or blocked and exactly which policies were responsible. This lets you validate keyword policies against real users and files without exposing data prematurely.
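To make the subset rule, the two tag sources and the Access Test Tool concrete, here is an added Python model (example code, not PumaMesh's own implementation). The policy fields `action` and `enabled`, and every sample keyword, tag and user below, are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KeywordPolicy:
    keyword: str          # keyword the data scanner matched in the file
    required_tag: str     # tag a user must hold to see files with this keyword
    action: str = "hide"  # assumed field: what happens when the tag is missing
    enabled: bool = True  # disabled policies contribute nothing to a decision


# Constructed sample policies, not PumaMesh's predefined set.
POLICIES = (
    KeywordPolicy("SSN", "pii"),
    KeywordPolicy("diagnosis", "phi"),
    KeywordPolicy("salary", "hr", enabled=False),  # disabled: must not block anyone
)


def file_required_tags(matched_keywords, policies):
    """Tags a file requires: one per enabled policy whose keyword the scanner matched."""
    return {p.required_tag for p in policies
            if p.enabled and p.keyword in matched_keywords}


def effective_user_tags(ldap_tags, local_tags):
    """Effective tags = tags auto-resolved from LDAP at login plus local assignments."""
    return set(ldap_tags) | set(local_tags)


def access_test(matched_keywords, policies, ldap_tags, local_tags):
    """Mirror the Access Test Tool: return (allowed, policies responsible for blocking).

    Access is allowed only when required_tags is a subset of the user's tags;
    a single missing required tag is enough to hide the file.
    """
    required = file_required_tags(matched_keywords, policies)
    user = effective_user_tags(ldap_tags, local_tags)
    missing = required - user
    blocking = [p for p in policies
                if p.enabled and p.keyword in matched_keywords
                and p.required_tag in missing]
    return not missing, blocking


if __name__ == "__main__":
    # Constructed scenario: file contains an SSN and a diagnosis; user holds pii via LDAP, phi locally.
    ok, why = access_test({"SSN", "diagnosis"}, POLICIES, {"pii"}, {"phi"})
    print("allowed" if ok else "blocked", [p.required_tag for p in why])
    # Same file, user lacks phi: blocked, and the diagnosis policy is reported as responsible.
    ok, why = access_test({"SSN", "diagnosis"}, POLICIES, {"pii"}, set())
    print("allowed" if ok else "blocked", [p.required_tag for p in why])
```

The disabled `salary` policy never blocks, which is the behaviour to confirm with the tool before flipping a new policy to enabled.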

Best practices

Keep your tag vocabulary small and consistent so file tags and user tags align cleanly. Resolve as many tags as possible from LDAP attributes to reduce manual assignment drift, and reserve local assignments for exceptions. Always run the Access Test Tool against representative users before enabling a new policy, and review the User Tags lookup whenever access does not behave as expected.