How can I implement Attribute Based Access Control



I understand the principles of the RBAC user access methods that are supported by OutSystems. However, for a lot of apps, granting or denying access based on the person or role is not enough. What I would need is a method that grants or denies access (in the context of CRUD of course) based on 1) the role 2) the group BUT ALSO on specific attributes, like record content.

For example, if I would develop an application for the HR Hiring process, I might want to limit the access to the Candidates records based on role, but also based on who is 'the record' owner. This could be the recruiter that holds the specific file. In this case thus, the access is granted based on the content of the record.

Another example could be a Sales application, where Sales Managers only have permission to access customer (or sales) records in their specific Region, and do not have access (or limited access) to data from customers not in their Region.

Also possible would be granting access based on hierarchies (e.g. the manager has access to the data of the employees in his/her team, but not to the data of others).

Can anyone help me with a strategy for this, without writing specific SQL statements for all combinations of persons, roles and record content?


Hello René,

We use attribute based filtering all the time, and I never saw an application able to do this in a "generic" way.
This is done always based on the business logic. 

For example, there is no way for you to filter data for a sales manager for a specific region without, well, filtering by that region field comparing it to the region allowed (or using an inner join with the SaleManagerRegion table filtered by its id).

Any other solutions that come to my mind would be terrible ideas...

Hi Eduardo,

First of all, thanks for your clear answer.

If I understand you correctly, you first define a table structure where you can add the appropriate attributes to the user and then in a SQL join you filter out the data? I understand that works and will move forward in using that technique. However, some other platforms support ABAC in the way that they, for example, support limiting access to records that a user "owns" (i.e. created) and/or based on role hierarchy. But if I understand you correctly, OS does not support this?


Hi René,

Like Eduardo said, there is afaik (almost?) no tool that supports attribute-based security (including the OutSystems Platform), and for good reason imho:

  • it's a nightmare to maintain: an enterprise-grade solution may have hundreds of tables, each with a dozen or more attributes;
  • it'll be very difficult to make the software work in a generic way without adding extra business logic based on the attributes;
  • there's probably a lot of logic anyway that's based on roles, but not on specific attributes.

You also mention restriction on region, or file, but this should imho not be implemented on a database level, but via queries (Aggregates in OutSystems) with filters and business processes (e.g. OutSystems BPT).

Hello René,

OutSystems also supports access control through Attributes of an Entity. But you must specify this in your queries.
So, if you have an entity X that has a field OwnerId (with a user identifier) you can filter your query for the records where the current user's identifier (for example) matches that field.

Pretty much like Kilian said.

What OutSystems doesn't have, and I never saw, is a "generic way of doing this", without requiring explicitly defining the rules in the queries.
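
The approach described in the replies (filter on OwnerId, or join against SaleManagerRegion), as an added example that is not part of the original thread and not OutSystems code. It uses Python's sqlite3 as a stand-in for the platform's queries; the Customer table, its columns, the sample rows and the function names are assumptions, and the rule is kept in one query fragment that both the list and the detail lookup reuse.

```python
import sqlite3

# Constructed schema and data; only SaleManagerRegion and OwnerId are named in the thread.
SCHEMA = """
CREATE TABLE SaleManagerRegion (UserId INTEGER, RegionId INTEGER);
CREATE TABLE Customer (Id INTEGER PRIMARY KEY, Name TEXT, RegionId INTEGER, OwnerId INTEGER);
INSERT INTO SaleManagerRegion VALUES (1, 10), (2, 20), (2, 30);
INSERT INTO Customer VALUES
  (100, 'Acme', 10, 1), (101, 'Bolt', 20, 2),
  (102, 'Cobalt', 30, 1), (103, 'Delta', 40, 3);
"""

# Single place where the attribute rule lives: a row is visible if the
# current user owns it OR manages its region. EXISTS is used instead of an
# inner join so a user with several regions never gets duplicate rows.
# The user id is always a bound parameter taken from the session.
VISIBLE_CUSTOMERS = """
SELECT c.Id, c.Name FROM Customer c
WHERE c.OwnerId = :uid
   OR EXISTS (SELECT 1 FROM SaleManagerRegion r
              WHERE r.UserId = :uid AND r.RegionId = c.RegionId)
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def list_customers(db, current_user_id):
    """List screen: every row returned has passed the attribute rule."""
    rows = db.execute(VISIBLE_CUSTOMERS + " ORDER BY c.Id", {"uid": current_user_id})
    return [name for _id, name in rows]

def get_customer(db, current_user_id, customer_id):
    """Detail screen: re-apply the same rule so a guessed Id returns nothing."""
    sql = "SELECT v.Name FROM (" + VISIBLE_CUSTOMERS + ") v WHERE v.Id = :cid"
    row = db.execute(sql, {"uid": current_user_id, "cid": customer_id}).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = open_db()
    print(list_customers(db, 1))     # owner of 100 and 102, manager of region 10
    print(get_customer(db, 1, 101))  # region 20 record owned by user 2
```

The detail lookup matters as much as the list: a filter applied only on the list screen leaves records reachable by Id.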