# Attribute-Based Access Policies

## **Attribute-Based Access Control (ABAC) Policies in TrustLogix**

### **Overview**

Attribute-Based Access Control (ABAC) in TrustLogix enables fine-grained data access control based on **entitlement attributes**. These policies are primarily used for:

* **Row Access Policies** – Restricting access to rows in a table based on attribute values.
* **Masking Policies** – Masking specific columns based on attribute conditions.

TrustLogix allows defining ABAC policies using **two approaches**:

1. **Named Object Policies** – Applied to explicitly selected objects (tables, views, and columns).
2. **Tagged Object Policies** – Applied to objects (tables, views, columns) that have been tagged.

ABAC policies can be configured through a **no-code condition builder** or using the **SQL Policy Builder** for complex conditions.

***

### **Types of ABAC Policies**

#### **1. Row Access Policy**

Row Access Policies restrict user access to specific rows within a table based on entitlement attributes.

**Subcategories of Row Access Policies:**

* **Named Object Row Access Policy**: Applied to specific objects (tables and columns) by their names.
* **Tagged Object Row Access Policy**: Applied to objects that have been tagged.

#### **2. Masking Policy**

Masking Policies control the visibility of data in columns based on entitlement attributes.

**Subcategories of Masking Policies:**

* **Named Object Masking Policy**: Applied to specific columns using their names.
* **Tagged Object Masking Policy**: Applied to tagged columns.

***

### **Policy Components**

#### **Entitlement Attributes**

ABAC policies use **entitlement attributes** to control access. These attributes define user permissions dynamically and can be matched with:

* **Columns in a table**
* **Tagged columns**
* **Constant values**

#### **Object Selection**

Policies can be applied to:

* **Specific objects (Named Object Policy)**
* **Tagged objects (Tagged Object Policy)**

#### **Policy Condition Builder**

TrustLogix provides a **Condition Builder Interface** to define policy conditions **without SQL**.

**Features of the Condition Builder:**

* Define rules using **Attributes, Operators, and Values**
* Supports **AND/OR** logical operations
* Matches conditions using:
  * **Column Tagged As** (for tagged objects)
  * **Constant Value** (for fixed values)
* Does not support **complex joins or UDFs**
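As an added example (not TrustLogix code or its policy syntax), the following Python models the condition semantics just described: rules of the form attribute / operator / value combined with AND or OR, where the compared value is taken from a column, from the column tagged with a given tag ("Column Tagged As"), or from a constant, then applied as a Row Access Policy and as a Masking Policy. The attribute names, tags, sample rows and mask string are constructed assumptions.

```python
# Added illustration, not TrustLogix code: a toy evaluator for the condition semantics
# above. Attribute names, tags and the mask string are constructed assumptions.
from collections import namedtuple
from typing import Any

# Rule: <user attribute> <op> <value>, where the value comes from a column, from the
# column "tagged as" a given tag, or is a constant. Condition: AND/OR over rules.
Rule = namedtuple("Rule", "attribute op kind target")   # kind: column|tagged_as|constant
Condition = namedtuple("Condition", "logic rules")      # logic: "AND" | "OR"
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, "IN": lambda a, b: a in b}

def resolve(rule: Rule, row: dict, tags: dict) -> Any:
    """Value the user's attribute is compared against for this row."""
    if rule.kind == "column":
        return row[rule.target]
    if rule.kind == "tagged_as":
        col = next((c for c, t in tags.items() if t == rule.target), None)
        if col is None:
            raise ValueError(f"no column tagged {rule.target!r}")
        return row[col]
    return rule.target

def evaluate(cond: Condition, attrs: dict, row: dict, tags: dict) -> bool:
    hits = [OPS[r.op](attrs.get(r.attribute), resolve(r, row, tags)) for r in cond.rules]
    return all(hits) if cond.logic == "AND" else any(hits)

def apply_row_access(cond: Condition, attrs: dict, rows: list, tags: dict) -> list:
    """Row Access Policy: a row is visible only when the condition holds for it."""
    return [r for r in rows if evaluate(cond, attrs, r, tags)]

def apply_masking(cond: Condition, attrs: dict, rows: list, tags: dict,
                  columns: list, mask: str = "***") -> list:
    """Masking Policy: the listed columns are masked unless the condition holds."""
    return [r if evaluate(cond, attrs, r, tags)
            else {c: (mask if c in columns else v) for c, v in r.items()} for r in rows]

TAGS = {"country": "location", "ssn": "pii"}  # constructed column tags
ROWS = [  # constructed sample rows
    {"id": 1, "country": "DE", "ssn": "111-22-3333", "dept": "sales"},
    {"id": 2, "country": "US", "ssn": "444-55-6666", "dept": "sales"},
    {"id": 3, "country": "DE", "ssn": "777-88-9999", "dept": "hr"}]
# Tagged Object Row Access Policy: location-tagged column = user's 'country' attribute,
# OR role = constant 'global_admin'.
ROW_POLICY = Condition("OR", (Rule("country", "=", "tagged_as", "location"),
                              Rule("role", "=", "constant", "global_admin")))
# Named Object Masking Policy on column 'ssn': clear only for hr/auditor in the row's dept.
MASK_POLICY = Condition("AND", (Rule("dept", "=", "column", "dept"),
                                Rule("role", "IN", "constant", ("hr", "auditor"))))
```

A user with attributes `{"country": "DE", "role": "analyst", "dept": "sales"}` sees rows 1 and 3 with `ssn` masked, while an HR user in the `hr` department sees the same rows with only row 3's `ssn` in clear.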

#### **SQL Builder Behavior in TrustLogix ABAC Policies**

The **SQL Policy Builder** in TrustLogix provides an **advanced** way to define Attribute-Based Access Control (ABAC) policies using SQL expressions. It is primarily used when the **Condition Builder Interface** is insufficient for complex conditions, such as:

* **Joins across multiple tables**
* **User-Defined Functions (UDFs)**
* **Nested conditions with intricate logic**
* **Hierarchical access control evaluations**
