ABAC User Guide

ABAC rooms use your account attributes, typically synced from your organization’s LDAP directory, to manage access automatically.

Membership is dynamic: you can be added only when you qualify, and you’re automatically removed when you no longer meet the room’s requirements.

Automatic membership

In ABAC rooms, membership is managed automatically:

  • You can be added to the room only if your LDAP attributes match the room’s access rules (for example: department, location, role, team, clearance, or project).

  • You’re removed if your LDAP attributes change or if the room’s access rules change.

  • Invites don’t override ABAC rules. If you don’t meet the requirements, you won’t be able to stay in the room even if someone tries to add you.

If you believe you should have access but don’t, your LDAP attributes may not match the room’s requirements. Contact your administrator to verify your directory attributes.

System messages you’ll see

Rocket.Chat posts system messages when ABAC changes membership, such as:

  • You are added to the room by ABAC.

  • You are removed from the room by ABAC.

  • Other users are added or removed based on the same rules.

These messages explain membership changes that happen without any manual admin action.

How to recognize an ABAC room

ABAC rooms may include visual indicators such as:

  • A room icon marker in the header indicating ABAC management.

  • An admin panel indicator (visible to admins) showing the room is governed by ABAC policies.

  • Optional Room Info details showing the room’s attribute requirements.

What’s restricted in ABAC rooms

To support compliance and reduce the risk of unauthorized access, some features can be disabled in ABAC-managed rooms. Depending on your workspace configuration, ABAC rooms may restrict:

  • Invite links (to prevent bypassing attribute-based access rules)

  • Message forwarding

  • Copying text

If an option you normally use is missing, it may be intentionally restricted in that room.

Troubleshooting access issues

If you can’t access a room you expect to be in (or you were removed unexpectedly):

  1. Wait for the next directory sync (or an admin-triggered refresh).

  2. Confirm you’re signed in with the correct account.

  3. Contact your administrator and ask them to verify:

    • Your LDAP attributes (spelling and case sensitivity matter).

    • The room’s attribute requirements.

    • Whether a recent sync/refresh was triggered after changes.
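
The comparison an administrator makes in step 3, as an added example (not part of the original guide and not Rocket.Chat's own code). It assumes a simplified model in which a room rule maps an attribute name to the values a user must hold, compared exactly and case-sensitively; the function names, users and attributes are constructed for illustration.

```python
# Added illustration: a simplified ABAC model, not Rocket.Chat's implementation.
# Assumption: a room rule maps an attribute name to the set of values a user
# must hold; names and values are compared exactly (case-sensitive).

def diagnose(user_attrs, room_rules):
    """Return the reasons a user fails the room rules (empty list = qualifies)."""
    reasons = []
    folded_keys = {k.casefold(): k for k in user_attrs}
    for name, required in room_rules.items():
        if name not in user_attrs:
            near = folded_keys.get(name.casefold())
            if near:
                reasons.append(f"attribute '{name}' missing; directory has '{near}' (case differs)")
            else:
                reasons.append(f"attribute '{name}' missing")
            continue
        held = set(user_attrs[name])
        folded_vals = {v.casefold(): v for v in held}
        for value in sorted(required - held):
            near = folded_vals.get(value.casefold())
            if near:
                reasons.append(f"{name}: need '{value}', directory has '{near}' (case differs)")
            else:
                reasons.append(f"{name}: need '{value}', not present")
    return reasons


def reconcile(members, directory, room_rules):
    """Members who no longer qualify after a sync, mapped to the reasons."""
    return {u: r for u in sorted(members)
            if (r := diagnose(directory.get(u, {}), room_rules))}


# Constructed sample data (hypothetical users and attributes).
ROOM_RULES = {"department": {"Finance"}, "clearance": {"L2"}}
DIRECTORY = {
    "alice": {"department": ["Finance"], "clearance": ["L2", "L1"]},
    "bob": {"department": ["finance"], "clearance": ["L2"]},   # case-only mismatch
    "carol": {"department": ["Finance"]},                      # attribute absent
}

if __name__ == "__main__":
    removed = reconcile({"alice", "bob", "carol"}, DIRECTORY, ROOM_RULES)
    for user, reasons in removed.items():
        print(user, "->", "; ".join(reasons))
```

Reporting a case-only mismatch separately from a missing value tells the administrator whether the fix is a spelling correction in the directory or a genuine change of entitlement.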