Attribute-based access control

Attribute-based access control (ABAC) lets you define authorizations to manage data access for specific teams or groups of users. Its purpose is to protect sensitive digital assets from unauthorized users, adding a further layer of protection for personal data.

In Adobe Journey Optimizer, ABAC allows you to protect data and grant specific access to specific field elements including Experience Data Model (XDM) schemas, Profile attributes, and audiences.

For a more detailed list of the terminology used with ABAC, refer to Adobe Experience Platform documentation.

In this example, we want to add a label to the Nationality schema field to restrict unauthorized users from using it. For this to work, you need to perform the following steps:

  1. Create a new Role and assign it the corresponding Label so that its users can access and use the schema field.

  2. Assign a Label to the Nationality schema field in Adobe Experience Platform.

  3. Use the Schema field in Adobe Journey Optimizer.

Note that Roles, Policies and Products can also be accessed with the Attribute-based access control API. For more on this, refer to this documentation.

Create a role and assign labels

Before managing permissions for a role, you will first need to create a policy. For more on this, refer to Adobe Experience Platform documentation.

Roles are sets of users that share the same permissions, labels and sandboxes within your organization. Each user belonging to a Role is entitled to the Adobe apps and services contained in the product.
You can also create your own Roles if you want to fine-tune your users’ access to certain functionalities or objects in the interface.

We now want to grant selected users access to the Nationality field, labeled C2. To do so, we need to create a new Role with a specific set of users and grant it the label C2, allowing those users to use the Nationality details in a Journey.

  1. From the Permissions product, select Role from the left pane menu and click Create role. Note that you can also add Labels to built-in roles.

  2. Add a Name and Description to your new Role, here: Restricted role demographic.

  3. From the drop-down, select your Sandbox.

  4. From the Resources menu, click Adobe Experience Platform to open the different capabilities. Here, we select Journeys.

  5. From the drop-down, select the Permissions linked to the selected feature, such as View journeys or Publish journeys.

  6. After saving your newly created Role, click Properties to further configure access to your role.

  7. From the Users tab, click Add users.

  8. From the Labels tab, select Add label.

  9. Select the Labels you want to add to your role and click Save. For this example, we grant the label C2 so that users have access to the previously restricted schema field.

The users in the Restricted role demographic role now have access to the C2-labeled objects.

Assign labels to an object in Adobe Experience Platform

Incorrect label usage can break access for users and trigger policy violations.

Labels can be used to control access to specific feature areas using Attribute-based access control.
In this example, we want to restrict access to the Nationality field. This field will only be accessible to users whose Role has the corresponding Label.

Note that you can also add Labels to Schemas, Datasets and Audiences.

  1. Create your Schema. For more on this, refer to this documentation.

  2. In the newly created Schema, we first add the Demographic details field group that contains the Nationality field.

  3. From the Labels tab, select the checkbox of the field to restrict, here Nationality. Then, from the right pane menu, select Edit governance labels.

  4. Select the corresponding Label, in this case, the C2 - Data cannot be exported to a third-party. For the detailed list of available labels, refer to this page.

  5. Further personalize your schema if needed, then enable it. For the detailed steps on how to enable your schema, refer to this page.

Your schema field will now be visible to, and usable by, only users who belong to a role that has the C2 label.
Note that when you apply a Label to a Field name, the Label is automatically applied to the Nationality field in every schema created.

Access labeled objects in Adobe Journey Optimizer

After labeling our Nationality field name in a new schema and our new role, we can now see the impact of this restriction in Adobe Journey Optimizer.
For our example, a first user X with access to objects labeled C2 will create a Journey with a condition targeting the restricted Field name. A second user Y without access to objects labeled C2 will then need to publish the Journey.

  1. From Adobe Journey Optimizer, you first need to configure the Data source with your new schema.

  2. Add a new Field group of your newly created Schema to the built-in Data source. You can also create a new external data source and associated Field groups.

  3. After selecting your previously created Schema, click Edit from the Fields category.

  4. Select the Field name you want to target. Here we select the restricted Nationality field.

  5. Then, create a Journey which will send an email to users with a specific nationality. Add an Event then a Condition.

  6. Select the restricted Nationality field to start building your expression.

  7. Edit your Condition to target a specific population with the restricted Nationality field.

  8. Personalize your journey as needed, here we add an Email action.

If User Y, who has no access to C2-labeled objects, needs to work on this journey containing the restricted field:

  • User Y will not be able to use the restricted Field name since it will not be visible.

  • User Y will not be able to edit the Expression with the restricted Field name in Advanced mode. The following error will appear: "The expression is invalid. Field is no longer available or you don't have enough permission to see it."

  • User Y can delete the Expression.

  • User Y will not be able to test the Journey.

  • User Y will not be able to publish the Journey.
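The following is an added illustrative model of the access rule this page walks through (a field carrying label C2 is visible only to users whose Role holds C2, and a journey whose condition references a hidden field cannot be edited, tested or published by that user). It is constructed for this page and is not Adobe's implementation or API; the role, user and field names are sample data.

```python
"""Constructed model of label-based field access; not Adobe's implementation."""
from dataclasses import dataclass, field

# Error text shown in Advanced mode when a referenced field is hidden (from the page).
EXPR_ERROR = ("The expression is invalid. Field is no longer available "
              "or you don't have enough permission to see it.")

@dataclass
class Role:
    name: str
    users: set
    labels: set = field(default_factory=set)

@dataclass
class SchemaField:
    name: str
    labels: set = field(default_factory=set)

def user_labels(user, roles):
    """Union of the labels granted by every role the user belongs to."""
    return set().union(*(r.labels for r in roles if user in r.users))

def visible_fields(user, roles, fields):
    """A field is visible only if the user holds every label placed on it."""
    granted = user_labels(user, roles)
    return [f.name for f in fields if f.labels <= granted]

def journey_actions(user, roles, fields, condition_fields):
    """Decision table mirroring the page: a journey condition that references
    a field the user cannot see blocks edit, test and publish, but the user
    may still delete the expression."""
    visible = set(visible_fields(user, roles, fields))
    hidden = [f for f in condition_fields if f not in visible]
    ok = not hidden
    return {
        "edit_expression": ok,
        "delete_expression": True,
        "test": ok,
        "publish": ok,
        "error": None if ok else EXPR_ERROR,
    }

# Constructed sample data following the page's walkthrough (hypothetical names).
ROLES = [Role("Restricted role demographic", {"user_x"}, {"C2"}),
         Role("Journey editors", {"user_x", "user_y"})]
FIELDS = [SchemaField("nationality", {"C2"}), SchemaField("email")]
```

Running `journey_actions("user_y", ROLES, FIELDS, ["nationality"])` reproduces the User Y outcome listed above, while the same call for `user_x` allows every action.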