ABAC rooms use your account attributes, typically synced from your organization’s LDAP directory, to manage access automatically.
Membership is dynamic: you can be added only when you qualify, and you’re automatically removed when you no longer meet the room’s requirements.
Automatic membership
In ABAC rooms, membership is managed automatically:
You can be added to the room only if your LDAP attributes match the room’s access rules (for example: department, location, role, team, clearance, or project).
You’re removed if your LDAP attributes change or if the room’s access rules change.
Invites don’t override ABAC rules. If you don’t meet the requirements, you won’t be able to stay in the room even if someone tries to add you.
If you believe you should have access but don’t, your LDAP attributes may not match the room’s requirements. Contact your administrator to verify your directory attributes.
System messages you’ll see
Rocket.Chat posts system messages when ABAC changes membership, such as:
You are added to the room by ABAC.
You are removed from the room by ABAC.
Other users are added or removed based on the same rules.
These messages help explain membership changes without manual admin actions.
How to recognize an ABAC room
ABAC rooms may include visual indicators such as:
A room icon marker in the header indicating ABAC management.
An ABAC Managed badge in the room info panel.
A short explainer below the badge describing why access is restricted.
A Room Attributes section in the channel info panel listing the attributes assigned to the room and their values.
What’s restricted in ABAC rooms
To support compliance and reduce the risk of unauthorized access, some features can be disabled in ABAC-managed rooms. Depending on your workspace configuration, ABAC rooms may restrict:
Invite links (to prevent bypassing attribute-based access rules)
Message forwarding
Copying text
Editing Topic, Announcement, and Description (these fields are disabled in the room edit view for ABAC-managed rooms)
If an option you normally use is missing, it may be intentionally restricted in that room.
Troubleshooting access issues
If you can’t access a room you expect to be in (or you were removed unexpectedly):
Wait for the next directory sync (or an admin-triggered refresh).
Confirm you’re signed in with the correct account.
Contact your administrator and ask them to verify:
Your LDAP attributes (spelling and case sensitivity matter).
The room’s attribute requirements.
Whether a recent sync/refresh was triggered after changes.
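
For administrators checking a report like the ones above, the following added example (not Rocket.Chat code) models the membership behavior this page describes: exact, case-sensitive attribute matching, removal after a sync, and invites that do not override the rules. It assumes a user qualifies only when they hold every value the room lists for every room attribute; the function names, users and attribute values are hypothetical.

```javascript
// Added illustration, not Rocket.Chat source code. Assumed rule: a user qualifies
// only if, for every room attribute, they hold every value the room lists.
// Comparison is exact, so spelling and case differences fail the match.
function qualifies(userAttrs, roomAttrs) {
  return Object.entries(roomAttrs).every(([key, required]) => {
    const held = new Set(userAttrs[key] || []);
    return required.every((value) => held.has(value));
  });
}

// Explain a denial: list each required value the user lacks, and flag a near
// miss when a held value differs only by case or surrounding whitespace.
function explainMismatch(userAttrs, roomAttrs) {
  const norm = (s) => s.trim().toLowerCase();
  const findings = [];
  for (const [key, required] of Object.entries(roomAttrs)) {
    const held = userAttrs[key] || [];
    for (const value of required) {
      if (held.includes(value)) continue;
      const nearMiss = held.find((h) => norm(h) === norm(value));
      findings.push({ key, required: value, nearMiss: nearMiss ?? null });
    }
  }
  return findings;
}

// Reconcile membership after a directory sync or a rule change. Invites are
// treated as requests only: an invited user who does not qualify is not added.
function reconcile(room, members, directory, invited = []) {
  const added = [], removed = [], rejectedInvites = [];
  for (const user of members) {
    if (!qualifies(directory[user] || {}, room.attributes)) removed.push(user);
  }
  for (const user of invited) {
    if (members.includes(user)) continue;
    const ok = qualifies(directory[user] || {}, room.attributes);
    (ok ? added : rejectedInvites).push(user);
  }
  return { added, removed, rejectedInvites };
}

// Constructed sample data (hypothetical users, attributes and values).
const room = { attributes: { department: ["Finance"], clearance: ["L2"] } };
const directory = {
  alice: { department: ["Finance"], clearance: ["L2", "L3"] },
  bob: { department: ["finance"], clearance: ["L2"] },   // case mismatch
  carol: { department: ["Finance"], clearance: ["L1"] }, // changed at last sync
};
const result = reconcile(room, ["alice", "carol"], directory, ["bob"]);
console.log(result, explainMismatch(directory.bob, room.attributes));
```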