Needs a little unpicking and thought for sure. Absolutely, at a minimum, if they're logged in at 4:59pm and in the middle of some action (a live call, for example) we wouldn't want them to suddenly have their token expire, and a refresh means they can't then log back in to complete that. So I think potentially what you say is the way forward – once you're in you're ok as long as you stay in, before the normal token expiration takes effect. In our case that's also the SSO token side of things, so some balance would have to be figured out where that needs to be considered too. Would potentially also have to make sure this is application/component aware, e.g. they can't log into the agent UI/embedded framework clients but can still use Tempo.
Original Message:
Sent: 11/14/2024 1:36:00 PM
From: David Murray
Subject: RE: UI Change: Attribute Based Access Control (ABAC)
Hi Vaun, It is an interesting question. I will start with the caveat that this is functionality which is not yet supported by ABAC. We haven't yet implemented the ability to use ABAC to deny access to Genesys Cloud. This is a use case we will be adding shortly. So, some of the behavior around this has yet to be defined. From your perspective, what would that desired behavior be?
Ultimately, as long as we have a way to identify the user or group of users defined in the policy, we can deny access at any time. So, for example, a user who is already logged in prior to 5pm might continue to be logged in (their access tokens aren't automatically invalidated) but the ABAC policy could prevent them from accessing resources post 5pm. That might not be a desirable outcome so the policy could be implemented in a different manner such that, once the user has access, they continue to have access until they logout or their tokens expire. Similar to getting access to a conference call which is locked at a certain time. Once you are in, you are in, but if you don't get in ahead of the deadline, you are blocked. So, in summary, yet to be defined but definitely something to think about.
------------------------------
David Murray
Principal Product Manager
Genesys Cloud
------------------------------
Original Message:
Sent: 11-08-2024 23:55
From: Vaun McCarthy
Subject: UI Change: Attribute Based Access Control (ABAC)
Hi David, I'm curious. Where you mention here environment access and time of day, what would a user experience if we were to do something like say "this group of users can only access the environment 9am-5pm". What would happen to that user at 5:01pm?
------------------------------
Vaun McCarthy
Original Message:
Sent: 10-02-2024 06:21
From: David Murray
Subject: UI Change: Attribute Based Access Control (ABAC)
We are getting ready to release Attribute Based Access Control (ABAC). This article provides an overview of some of the upcoming Admin UI changes that you will see once ABAC has been released.
But, first of all, what is ABAC?
Attribute based access control is an authorization model that evaluates attributes to determine access. Attributes can be about the subject (the user or entity requesting access), the object (the resource or file the subject wants to access) or even the environment (the broader context, including characteristics such as time of day or IP address). ABAC policies work alongside RBAC (Role Based Access Control) and Divisions to provide additional access control granularity. These policies are essentially boolean logic statements where a condition is evaluated to a true or false result. Each policy targets a specific group of API calls (known as a 'target') and applies to a specific subset of users (known as the 'subjects').
ABAC will evolve over time as more attributes and targets are defined. The initial ABAC release focuses on restricting permission changes and will deliver the following use cases:
- Cannot grant new roles - Prevent non-admin users from granting roles they do not themselves have
- Cannot update certain user profile fields - Prevent defined user profile fields from being modified except by supervisors or admins
ABAC UI Overview
There is a new Organization Setting that controls ABAC enforcement. Enable this setting to create and edit policies. Each ABAC policy also has an individual on/off setting.
#Roadmap/NewFeatures
#Security
------------------------------
David Murray
Principal Product Manager
Genesys Cloud
------------------------------
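The policy structure described above (a target, a set of subjects and a boolean condition over environment attributes) and the two possible answers to the 9am-5pm question discussed earlier in the thread, as a constructed Python model that is added here and is not Genesys Cloud code. The target names "agent-ui" and "tempo", the two enforcement modes ("request" and "login") and the one-hour token lifetime are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed, illustrative ABAC model (not Genesys Cloud code). A policy has a
# target (group of API calls), subjects (users it applies to) and a boolean
# condition; here the condition is a time-of-day environment attribute.
@dataclass(frozen=True)
class Policy:
    target: str          # hypothetical target name, e.g. "agent-ui"
    subjects: frozenset  # users the policy applies to
    window: tuple        # (start, end): time of day during which access is allowed
    mode: str            # "request": re-evaluate on every call
                         # "login":   evaluate once, honour until the token expires

    def in_scope(self, user, target):
        return target == self.target and user in self.subjects

    def condition(self, now):
        start, end = self.window
        return start <= now.time() < end

@dataclass
class Session:
    user: str
    expires_at: datetime
    policy_ok: bool   # condition result at login; what "login" mode relies on

def login(policy, user, target, now, ttl=timedelta(hours=1)):
    """Establish a session. A login that fails the condition is blocked in both
    modes ("if you don't get in ahead of the deadline, you are blocked")."""
    if policy.in_scope(user, target) and not policy.condition(now):
        return None
    # Record the condition even for out-of-scope logins, so a session opened
    # through another component cannot be reused to bypass a "login"-mode policy.
    return Session(user, now + ttl, policy.condition(now))

def is_allowed(policy, session, target, now):
    """Decide one API call made at `now` with an existing session."""
    if now >= session.expires_at:
        return False                  # normal token expiry, independent of ABAC
    if not policy.in_scope(session.user, target):
        return True                   # other components (e.g. "tempo") unaffected
    if policy.mode == "request":
        return policy.condition(now)  # a 5:01pm call is denied mid-session
    return session.policy_ok          # "once you are in, you are in"
```

In "request" mode a user on a live call at 5:01pm loses access immediately; in "login" mode an admitted session keeps working until its token expires, while a login attempt after the window is refused in both modes.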