Configure ABAC


Attribute-Based Access Control (ABAC) enables fine-grained authorization by evaluating user attributes, directory data, and room properties when determining access.

This guide walks through enabling and configuring ABAC in Rocket.Chat using LDAP-synchronized user attributes.

Prerequisites

Ensure the following requirements are met before configuring ABAC:

  1. License: Enterprise subscription.

  2. Global setting: ABAC_enable must be enabled.

  3. Directory service: LDAP must be configured and reachable.

  4. Permissions: Administrators require the abac-management permission.

  5. Supported rooms: ABAC applies only to private channels and private teams.


Enabling ABAC

Before configuring LDAP mappings or assigning room attributes, you must enable Attribute-Based Access Control (ABAC) at the workspace level.

To enable ABAC, navigate to Manage → Workspace → Attribute-Based Access Control → Settings, then turn on the Enable ABAC toggle.

Once enabled:

  • ABAC policies are enforced across supported rooms.

  • Attribute-based authorization becomes available for access management.

  • User attributes are synchronized through LDAP.

Disabling ABAC

Disabling ABAC suspends attribute-based enforcement and impacts how access is managed within ABAC-controlled rooms.

Before proceeding, be aware of the following:

  • Users can no longer be automatically or manually managed in existing ABAC rooms.

  • Rooms must be removed from ABAC management before reverting to default access controls.

When ABAC is disabled:

  • All attribute-based enforcement is paused.

  • Automatic removals and manual user management are blocked in ABAC rooms.

  • A new LDAP synchronization is triggered when ABAC is re-enabled.


Configure LDAP ABAC attribute mapping

ABAC relies on LDAP as the source of user attributes. Before enforcing room-level ABAC rules, you must define which LDAP attributes Rocket.Chat synchronizes for ABAC evaluation.

To access these settings:

Manage → Settings → LDAP → Premium → Sync ABAC Attributes

Step 1: Enable ABAC attribute sync

Enable ABAC attribute sync to allow Rocket.Chat to continuously synchronize user attributes from LDAP in the background. This ensures that updates in LDAP are reflected in ABAC access decisions with minimal delay.

Optionally, configure the ABAC Attributes Background Sync Interval to define how frequently synchronization runs. This field accepts cron expressions (for example: 0 0 * * *).

Step 2: Configure ABAC attribute mapping

In the ABAC Attribute Mapping field, define a JSON object that maps LDAP user attributes to ABAC attributes stored in Rocket.Chat.

Mapping structure:

  • Key → LDAP attribute name

  • Value → ABAC attribute name stored in Rocket.Chat

Only attributes defined in this mapping are synchronized and evaluated by ABAC.

Example:

{
  "departmentNumber": "department",
  "employeeType": "accessLevel",
  "destinationIndicator": "country"
}

This configuration maps:

  • departmentNumber → department

  • employeeType → accessLevel

  • destinationIndicator → country

After saving the mapping, click Sync Now to immediately synchronize ABAC attributes for all users.
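The following Python is an added example, not Rocket.Chat code, showing what the mapping above does to a single LDAP entry: only the LDAP attributes named as keys are carried over, each stored under its ABAC attribute name. The LDAP entry is a constructed sample; the `validate_mapping` helper and the choice to normalise every value to a list of strings (mirroring the scalar-to-array and stringification rules documented for the sync endpoint) are this example's own, not documented Rocket.Chat behaviour.

```python
import json

# The mapping from this guide (LDAP attribute -> ABAC attribute name).
ABAC_ATTRIBUTE_MAPPING = json.loads("""
{
  "departmentNumber": "department",
  "employeeType": "accessLevel",
  "destinationIndicator": "country"
}
""")

# Constructed sample LDAP entry in the attribute -> list-of-bytes shape that
# LDAP client libraries commonly return. telephoneNumber is deliberately
# unmapped to show that it never reaches the ABAC attribute store.
SAMPLE_LDAP_ENTRY = {
    "uid": [b"alice"],
    "departmentNumber": [b"4120"],
    "employeeType": [b"contractor"],
    "destinationIndicator": [b"DE", b"AT"],
    "telephoneNumber": [b"+49 30 000000"],
}


def validate_mapping(mapping):
    """Sanity-check a mapping before saving it (an added check, not a documented
    Rocket.Chat validation): keys and values must be non-empty strings, and two
    LDAP attributes must not map onto the same ABAC attribute name, because the
    second would silently overwrite the first during sync."""
    if not isinstance(mapping, dict) or not mapping:
        return False
    for key, value in mapping.items():
        if not (isinstance(key, str) and key and isinstance(value, str) and value):
            return False
    targets = list(mapping.values())
    return len(set(targets)) == len(targets)


def map_ldap_to_abac(entry, mapping):
    """Return {abac_attribute: [value, ...]} containing only mapped attributes.

    Values are normalised to lists of strings so that room rules compare
    consistently whether LDAP returned one value or several.
    """
    abac = {}
    for ldap_attr, abac_attr in mapping.items():
        raw = entry.get(ldap_attr)
        if raw is None:
            continue                      # user has no such attribute in LDAP
        if not isinstance(raw, (list, tuple)):
            raw = [raw]                   # scalar -> array
        values = []
        for v in raw:
            if isinstance(v, bytes):
                v = v.decode("utf-8")
            values.append(str(v))         # non-string -> string
        abac[abac_attr] = values
    return abac


if __name__ == "__main__":
    assert validate_mapping(ABAC_ATTRIBUTE_MAPPING)
    print(json.dumps(map_ldap_to_abac(SAMPLE_LDAP_ENTRY, ABAC_ATTRIBUTE_MAPPING), indent=2))
```

Running it prints `department`, `accessLevel` and `country` for alice and nothing for `uid` or `telephoneNumber`, which is the property to verify before relying on a mapping: an attribute you forgot to map is simply invisible to ABAC, and an attribute you mapped twice is ambiguous.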


Force a sync on revocations

When a user’s LDAP attributes change due to termination, role downgrade, or clearance removal, immediately trigger a manual ABAC sync:

POST /api/v1/abac/users/sync

This endpoint refreshes ABAC attributes for the specified users. Although ABAC enforcement runs in near real time, invoking this endpoint reduces the residual access window after revocation.

Requirements:

  • Enterprise license with ABAC enabled

  • abac-management permission

Request body:

Provide a JSON payload containing one or more user identifiers:

{
  "usernames": ["alice", "bob"],
  "ids": ["userId123"],
  "emails": ["user@example.com"],
  "ldapIds": ["ldap-uid-456"]
}

You may specify any combination of identifiers. At least one field is required.

Behaviour:

  • Scalar values are automatically converted to arrays.

  • Non-string values are stringified.

  • Only mapped LDAP attributes are synchronized.

  • Only the specified users are refreshed.
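As an added example (not Rocket.Chat's own code), the Python below builds a request body for the sync endpoint following the rules just listed, then posts it with the standard library. The endpoint path and the four identifier fields come from this guide, and `X-Auth-Token` / `X-User-Id` are Rocket.Chat's usual REST authentication headers; the server URL, token and user id are placeholders, and the function names `build_sync_payload` and `sync_abac_users` are this example's own.

```python
import json
import urllib.request

# Placeholders: take real values from your Rocket.Chat deployment and a
# service account that holds the abac-management permission.
SERVER_URL = "https://chat.example.com"
AUTH_TOKEN = "<X-Auth-Token placeholder>"
USER_ID = "<X-User-Id placeholder>"

IDENTIFIER_FIELDS = ("usernames", "ids", "emails", "ldapIds")


def _to_string_list(value):
    """Mirror the endpoint's stated normalisation: a scalar becomes a
    one-element array and every element is stringified."""
    items = list(value) if isinstance(value, (list, tuple, set)) else [value]
    return [str(v) for v in items if v is not None]


def build_sync_payload(usernames=None, ids=None, emails=None, ldapIds=None):
    """Assemble the request body with only the fields that carry identifiers,
    rejecting an empty body client-side instead of sending a useless request."""
    supplied = dict(usernames=usernames, ids=ids, emails=emails, ldapIds=ldapIds)
    payload = {}
    for field in IDENTIFIER_FIELDS:
        if supplied[field] is None:
            continue
        values = _to_string_list(supplied[field])
        if values:
            payload[field] = values
    if not payload:
        raise ValueError("at least one of usernames, ids, emails, ldapIds is required")
    return payload


def sync_abac_users(payload, server_url=SERVER_URL, auth_token=AUTH_TOKEN,
                    user_id=USER_ID, opener=urllib.request.urlopen):
    """POST the payload to /api/v1/abac/users/sync and return the parsed JSON
    response. `opener` is injectable so the call can be exercised offline."""
    request = urllib.request.Request(
        f"{server_url.rstrip('/')}/api/v1/abac/users/sync",
        data=json.dumps(payload).encode("utf-8"),
        headers={
            "Content-Type": "application/json",
            "X-Auth-Token": auth_token,   # Rocket.Chat REST auth headers
            "X-User-Id": user_id,
        },
        method="POST",
    )
    with opener(request) as response:
        return json.loads(response.read().decode("utf-8"))


if __name__ == "__main__":
    # Typical offboarding call: the HR feed reports one username and one LDAP id.
    body = build_sync_payload(usernames="alice", ldapIds="ldap-uid-456")
    print(json.dumps(body, indent=2))
    # Uncomment once the placeholders above are filled in:
    # print(sync_abac_users(body))
```

Wire `build_sync_payload` to whatever event your identity pipeline emits on termination or clearance change, so the sync is triggered by the revocation itself rather than by the next scheduled background interval.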