Attribute-Based Access Control

Available on Enterprise Advanced plans

From Mattermost v10.9, system admins in large or complex organizations that require Zero Trust security when handling sensitive information can prevent unauthorized access through attribute-based access controls.

Enforcing strict access controls based on user attributes eliminates manual role adjustment processes that can lead to security risks, inefficiencies, or inappropriate access, while maintaining security and compliance by ensuring that only authorized users can access specific Mattermost channels.

Attribute-based access control (ABAC) provides two levels of control:

  • System-wide policies (managed by System Admins): Centralized policies that can be applied across multiple channels in the System Console. See System-wide attribute-based access policies.

  • Channel-specific rules (managed by Channel Admins): Self-service access rules that Channel Admins can configure directly in Channel Settings for individual channels. See Channel-specific access rules.

Before you begin

Attribute-based access controls require defined user attributes that are either synchronized from an external system (such as LDAP or SAML) or manually configured and enabled on your Mattermost server. You'll need to configure user attributes in the System Console before creating access policies.

Once user attributes are defined, go to System Console > System Attributes > Attribute-Based Access to enable attribute-based access controls for your Mattermost instance. This functionality requires a Mattermost Enterprise Advanced license.

From Mattermost v10.11, user-managed attributes are excluded from attribute-based access control (ABAC) rules by default for security reasons. This prevents access control policies from being circumvented by users editing their own profile attributes. To include user-managed attributes in ABAC rules, a system admin must explicitly enable the EnableUserManagedAttributes configuration setting. See the user attribute documentation for details on enabling this feature. This configuration setting is available only in Enterprise Edition Advanced and is disabled by default.
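The following is an added example, not Mattermost's own code: a small Go evaluator for the two-level model above (system-wide policy plus channel-specific rules) that applies the v10.11 default of ignoring user-managed attributes unless EnableUserManagedAttributes is turned on. The struct names, the Config field and the sample attribute values are assumptions made for the illustration.

```go
package main

import "fmt"

// Constructed model, not Mattermost's data structures: each profile attribute
// records whether it was synced from LDAP/SAML or is editable by the user.
type Attribute struct {
	Value       string
	UserManaged bool
}

type User map[string]Attribute

// Rule requires attribute Attr to equal Equals, e.g. department == "finance".
type Rule struct{ Attr, Equals string }

// Policy holds the system-wide rules set by a System Admin and the
// channel-specific rules set by a Channel Admin; all of them must hold.
type Policy struct{ SystemWide, Channel []Rule }

// Config models the EnableUserManagedAttributes setting described on the page.
type Config struct{ EnableUserManagedAttributes bool }

// Evaluate returns true when the user satisfies every rule. A rule that
// references a user-managed attribute is treated as unsatisfied unless the
// setting is enabled, so self-edited profile fields cannot grant access.
func Evaluate(cfg Config, p Policy, u User) bool {
	for _, r := range append(append([]Rule{}, p.SystemWide...), p.Channel...) {
		a, ok := u[r.Attr]
		if !ok || (a.UserManaged && !cfg.EnableUserManagedAttributes) {
			return false
		}
		if a.Value != r.Equals {
			return false
		}
	}
	return true
}

func main() {
	policy := Policy{SystemWide: []Rule{{"department", "finance"}}, Channel: []Rule{{"clearance", "high"}}}
	// Attributes synced from LDAP for a user who legitimately matches both rules.
	synced := User{"department": {"finance", false}, "clearance": {"high", false}}
	// A user who typed the same values into self-managed profile fields.
	selfEdited := User{"department": {"finance", true}, "clearance": {"high", true}}
	fmt.Println(Evaluate(Config{}, policy, synced))         // true
	fmt.Println(Evaluate(Config{}, policy, selfEdited))     // false: user-managed attributes excluded by default
	fmt.Println(Evaluate(Config{true}, policy, selfEdited)) // true only after explicit opt-in
}
```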

Configure access policies

Once enabled, you have multiple ways to configure access policies in Mattermost:

System Admins can:

Channel Admins can: