Configure ABAC


This guide explains how to enable and configure Attribute-Based Access Control (ABAC) in Rocket.Chat using LDAP-synchronized user attributes.

Prerequisites

Before configuring ABAC, ensure the following requirements are met:

  1. License: Enterprise

  2. Global setting: ABAC_enable must be enabled.

  3. Directory: LDAP must be configured and reachable

  4. Permissions: Administrators must have the abac-management permission

  5. Supported rooms: ABAC applies only to private channels and private teams


Enabling ABAC

Before configuring LDAP mappings or assigning room attributes, you must first enable ABAC at the workspace level. From the admin panel, open Administration → Workspace → Attribute-Based Access Control → Settings, then turn on the Enable ABAC toggle. Once enabled, ABAC is activated system-wide and attribute-based enforcement becomes available for supported rooms. A notice also appears confirming that user attributes are synchronized via LDAP.

Disabling ABAC

If you turn ABAC off, a confirmation dialog appears warning that:

  • You will not be able to automatically or manually manage users in existing ABAC-managed rooms.

  • To restore a room’s default access control, the room must first be removed from ABAC management under ABAC → Rooms.

Disabling ABAC:

  • Freezes all ABAC enforcement.

  • Blocks both automatic removals and manual user management in ABAC rooms.

  • Triggers a fresh LDAP re-sync when ABAC is re-enabled.


Configure LDAP ABAC attribute mapping

ABAC relies entirely on LDAP as the source of user attributes. Before room-level ABAC rules can be enforced, you must define which LDAP attributes Rocket.Chat should synchronize for ABAC evaluation.

To access these settings, open Administration → Settings → LDAP → Premium → Sync ABAC Attributes.

Step 1: Enable ABAC attribute sync

Enable this setting to allow Rocket.Chat to continuously synchronize ABAC attributes in the background. This ensures that changes in LDAP are reflected in room access decisions with minimal delay.

If required, you can also define a schedule using ABAC Attributes Background Sync Interval. This field accepts cron format expressions (for example: 0 0 * * *).

Step 2: Configure ABAC attribute mapping

In the ABAC Attribute Mapping field, define a JSON object that maps LDAP user attributes to ABAC attributes used by Rocket.Chat.

The structure follows this format:

  • The key is the LDAP attribute name

  • The value is the ABAC attribute name stored in Rocket.Chat

Only attributes defined in this mapping are synchronized and used for ABAC enforcement.

Example:

{
  "departmentNumber": "department",
  "employeeType": "accessLevel",
  "destinationIndicator": "country"
}

This configuration maps:

  • departmentNumber → department

  • employeeType → accessLevel

  • destinationIndicator → country

After saving the mapping, click Sync Now to immediately synchronize ABAC attributes for all users.


Force a sync on revocations

When a user’s LDAP attributes change due to termination, role downgrade, or clearance removal, immediately call:

POST /api/v1/abac/users/sync

This forces Rocket.Chat to refresh ABAC attributes for the affected users. Although ABAC enforcement operates in near real time, triggering this endpoint minimizes the residual access window and helps prevent users from retaining room access after revocation.

Endpoint requirements:

  • A valid Enterprise ABAC license is required

  • The requester must have the abac-management permission

Request payload

The endpoint accepts a JSON payload with one or more identifiers:

{
  "usernames": ["alice", "bob"],
  "ids": ["userId123"],
  "emails": ["user@example.com"],
  "ldapIds": ["ldap-uid-456"]
}
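The following Python client is an added example, not code from Rocket.Chat or this guide. It builds and sends the POST described above from a revocation workflow. The endpoint path and the four identifier fields come from this page; the X-Auth-Token and X-User-Id headers are the usual Rocket.Chat REST authentication headers and are an assumption here, as are the workspace URL and credentials, which are placeholders you replace with an administrator's values.

```python
import json
import urllib.request

# Endpoint from the page; must be called with abac-management permission.
SYNC_PATH = "/api/v1/abac/users/sync"

# Identifier fields the endpoint accepts (from the page's payload example).
IDENTIFIER_FIELDS = ("usernames", "ids", "emails", "ldapIds")


def sync_payload(**identifiers):
    """Build the JSON body: any of usernames=, ids=, emails=, ldapIds=.

    A single string is accepted and wrapped in a list so the body always
    carries arrays; empty fields are dropped and at least one is required.
    """
    unknown = set(identifiers) - set(IDENTIFIER_FIELDS)
    if unknown:
        raise ValueError(f"unsupported identifier field(s): {sorted(unknown)}")
    payload = {}
    for field, values in identifiers.items():
        if isinstance(values, str):
            values = [values]
        values = [v for v in values if v]
        if values:
            payload[field] = values
    if not payload:
        raise ValueError("at least one identifier is required")
    return payload


def build_sync_request(base_url, auth_token, user_id, **identifiers):
    """Return (url, headers, body) for the sync POST.

    auth_token / user_id are sent as X-Auth-Token / X-User-Id (assumed:
    standard Rocket.Chat REST auth headers, not stated on this page).
    """
    url = base_url.rstrip("/") + SYNC_PATH
    headers = {
        "Content-Type": "application/json",
        "X-Auth-Token": auth_token,
        "X-User-Id": user_id,
    }
    body = json.dumps(sync_payload(**identifiers)).encode()
    return url, headers, body


def force_sync(base_url, auth_token, user_id, timeout=10, **identifiers):
    """Send the request and return the parsed JSON response."""
    url, headers, body = build_sync_request(base_url, auth_token, user_id, **identifiers)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Placeholder workspace and credentials (constructed); shows the request
    # an offboarding job would send right after the LDAP change for "alice".
    url, headers, body = build_sync_request(
        "https://chat.example.com", "<auth-token>", "<admin-user-id>",
        usernames=["alice"], ldapIds=["ldap-uid-456"],
    )
    print("POST", url, json.loads(body))
```

Call `force_sync(...)` from the same automation that applies the LDAP change (account disablement, group or clearance removal), so the refresh is not left to the background interval.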

Behaviour

  • All scalar values are converted to arrays

  • Non-string values are stringified

  • Only mapped LDAP attributes are synchronized

  • Only the specified users are refreshed
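To make the mapping from "Configure ABAC attribute mapping" and the behaviour rules above concrete, here is an added Python example that applies the page's mapping JSON to sample LDAP entries and shows which attributes Rocket.Chat ends up with for each user. It is not Rocket.Chat's code: the LDAP entries are constructed, and reading the first two behaviour rules as describing how synchronized attribute values are stored (scalars become arrays, non-strings become strings) is an assumption.

```python
import json

# The mapping from the page: LDAP attribute name -> ABAC attribute name.
ABAC_ATTRIBUTE_MAPPING = json.loads("""
{
  "departmentNumber": "department",
  "employeeType": "accessLevel",
  "destinationIndicator": "country"
}
""")


def normalize_values(value):
    """Scalars become one-element arrays; non-string items are stringified."""
    if value is None:
        return []
    items = list(value) if isinstance(value, (list, tuple, set)) else [value]
    return [item if isinstance(item, str) else str(item) for item in items]


def abac_attributes_for(ldap_entry, mapping=ABAC_ATTRIBUTE_MAPPING):
    """Return the ABAC attributes kept for one LDAP entry.

    Only LDAP attributes named in the mapping are synchronized; every
    other attribute on the entry (mail, cn, ...) is ignored.
    """
    abac = {}
    for ldap_name, abac_name in mapping.items():
        if ldap_name in ldap_entry:
            abac[abac_name] = normalize_values(ldap_entry[ldap_name])
    return abac


def sync_users(ldap_entries, mapping=ABAC_ATTRIBUTE_MAPPING, only=None):
    """Refresh all users, or only the usernames listed in `only`
    (as the sync endpoint does for the identifiers it is given)."""
    return {
        username: abac_attributes_for(entry, mapping)
        for username, entry in ldap_entries.items()
        if only is None or username in only
    }


# Constructed sample directory entries (hypothetical users, not real data).
SAMPLE_LDAP = {
    "alice": {
        "departmentNumber": 42,                 # integer -> stringified
        "employeeType": ["staff", "oncall"],    # already multi-valued
        "destinationIndicator": "DE",           # scalar -> one-element array
        "mail": "alice@example.com",            # unmapped -> dropped
    },
    "bob": {"departmentNumber": "17", "employeeType": "contractor"},
}

if __name__ == "__main__":
    print(json.dumps(sync_users(SAMPLE_LDAP), indent=2))
```

Re-running `abac_attributes_for` on an entry after an attribute has been removed in LDAP yields a result without that ABAC attribute, which is what a forced sync after a revocation propagates into room access decisions.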