Configure ABAC


Attribute-Based Access Control (ABAC) enables fine-grained authorization by evaluating user attributes, directory data, and room properties when determining access.

This guide walks through configuring ABAC in your Rocket.Chat workspace, from enabling the feature to selecting a Policy Decision Point (PDP), syncing LDAP attributes, and optionally connecting an external Virtru PDP.

Prerequisites

Ensure the following requirements are met before configuring ABAC:

  1. License: Defense subscription.

  2. Global setting: ABAC_enable must be enabled.

  3. Directory service: LDAP must be configured and reachable.

  4. Permissions: Administrators require the abac-management permission.

  5. Supported rooms: ABAC applies only to private channels and private teams.


Access ABAC settings

To open the ABAC configuration page, navigate to Manage → Workspace → Attribute-Based Access Control → Settings. This is the recommended entry point, as it groups all ABAC controls (Settings, Room Attributes, Rooms, and Logs) in one place.

The same settings are also available from Manage → Workspace → Settings → General → ABAC. Both locations point to the same underlying settings and have the same effect. Rocket.Chat automatically surfaces all server-level settings under General Settings.

The Settings tab groups all workspace-level ABAC controls into three areas:

  • Core settings: Enable ABAC, select a Policy Decision Point, configure display and caching behavior.

  • Sync ABAC Attributes: Control how user attributes are synchronized from LDAP.

  • Virtru PDP Configuration: Connect an external Virtru Policy Decision Point (optional).


Core settings

Enable ABAC

Turn on the Enable Attribute Based Access Control (ABAC) toggle to activate attribute-based authorization across the workspace.

Once enabled:

  • ABAC policies are enforced in all supported rooms.

  • User attributes are synchronized through LDAP.

  • The Room Attributes, Rooms, and Logs tabs become active.

Select a Policy Decision Point (PDP)

A Policy Decision Point is the engine that evaluates access requests using user and room attributes. Use the Policy Decision Point (PDP) dropdown to select one of the following:

  • Local (default): Access decisions are evaluated inside Rocket.Chat using LDAP-synchronized attributes. No external system is required.

  • Virtru: Access decisions are delegated to an external Virtru PDP for centralized attribute management. Requires additional configuration.

Selecting Virtru reveals the Virtru PDP Configuration section further down the page.

Show ABAC attributes in rooms

Enable the Show ABAC attributes in rooms toggle to display each room's assigned ABAC attributes in its contextual bar. This allows room admins to verify enforcement rules without leaving the room view.

ABAC Cache Decision Time

Use the ABAC Cache Decision Time (seconds) field to set how long access decisions are cached before re-evaluation. The default is 300 seconds.

  • Higher values reduce load on the PDP but delay the effect of attribute changes.

  • Set to 0 to disable caching entirely (every access request is re-evaluated).
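The trade-off described above, as an added example that is not Rocket.Chat's own code: a small decision cache with the semantics the page gives for ABAC Cache Decision Time (decisions reused for the configured number of seconds, 0 meaning every request goes back to the PDP). The clock is injected so the scenario is reproducible; the user, room and attribute values are constructed.

```javascript
// Added example (not Rocket.Chat code): a decision cache with the semantics the
// page describes for "ABAC Cache Decision Time". Results are reused for
// `ttlSeconds`; a value of 0 disables caching so every request is re-evaluated
// by the PDP. `now` is injected so the staleness window can be reproduced.

function createDecisionCache(ttlSeconds, now = () => Date.now()) {
  const entries = new Map(); // key -> { decision, expiresAt }
  let pdpCalls = 0;          // how many times the PDP was consulted

  // Return a cached decision if one is still fresh, otherwise ask the PDP
  // and (when caching is on) remember the answer until it expires.
  function evaluate(userId, roomId, pdp) {
    const key = `${userId}\u0000${roomId}`;
    const cached = entries.get(key);
    if (ttlSeconds > 0 && cached && cached.expiresAt > now()) {
      return cached.decision;
    }
    pdpCalls += 1;
    const decision = pdp(userId, roomId);
    if (ttlSeconds > 0) {
      entries.set(key, { decision, expiresAt: now() + ttlSeconds * 1000 });
    }
    return decision;
  }

  return { evaluate, pdpCalls: () => pdpCalls, size: () => entries.size };
}

// Constructed scenario: a local PDP that allows access while the user's
// "accessLevel" attribute contains "secret"; the attribute is then revoked
// in the directory and we observe how long the old decision survives.
function simulateRevocation(ttlSeconds) {
  let clock = 0; // milliseconds, advanced by hand
  const userAttrs = { alice: { accessLevel: ["secret"] } };
  const pdp = (userId) =>
    userAttrs[userId]?.accessLevel?.includes("secret") ? "allow" : "deny";
  const cache = createDecisionCache(ttlSeconds, () => clock);

  const first = cache.evaluate("alice", "room-1", pdp); // PDP consulted
  userAttrs.alice.accessLevel = [];                      // revocation lands
  clock += 60 * 1000;                                    // 60 s later
  const afterRevocation = cache.evaluate("alice", "room-1", pdp);
  clock += ttlSeconds * 1000;                            // past the TTL
  const afterExpiry = cache.evaluate("alice", "room-1", pdp);

  return { first, afterRevocation, afterExpiry, pdpCalls: cache.pdpCalls() };
}
```

With a 300-second TTL the revoked user keeps "allow" for the rest of the cache window and the PDP is consulted only twice; with a TTL of 0 the revocation is visible on the very next request at the cost of one PDP call per request. This is the residual access window that the manual sync endpoint later on this page is meant to shorten.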


Sync ABAC Attributes

The Sync ABAC Attributes section controls how Rocket.Chat pulls user attributes from LDAP and maps them to ABAC attributes. Expand the section on the Settings tab to access these controls.

ABAC Attributes Background Sync

Enable this toggle to run a dedicated background process that continuously synchronizes user ABAC attributes from LDAP. This ensures LDAP updates are reflected in ABAC access decisions with minimal delay.

ABAC Attributes Background Sync Interval

Defines how frequently the background sync runs, using a cron expression. For example:

  • 0 0 * * *: once per day at midnight

  • */15 * * * *: every 15 minutes

Adjust based on how often attributes change in your LDAP directory.

ABAC Attribute Mapping

Defines which LDAP attributes are synchronized as ABAC attributes. Enter a JSON object where:

  • Key: LDAP attribute name

  • Value: ABAC attribute name stored in Rocket.Chat

Example:

{
  "departmentNumber": "department",
  "employeeType": "accessLevel",
  "destinationIndicator": "country"
}

This configuration maps:

  • departmentNumber → department

  • employeeType → accessLevel

  • destinationIndicator → country
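How such a mapping is applied to a directory entry, as an added example that is not Rocket.Chat's own sync code. It uses the mapping from the page and follows the normalization rules the page lists for the manual sync endpoint (scalar values become arrays, non-string values are stringified, only mapped LDAP attributes are synchronized). The LDAP entry, the `mapLdapEntry` and `diffAttributes` helpers and their exact output shape are assumptions made for the example.

```javascript
// Added example (not Rocket.Chat code): apply an ABAC Attribute Mapping to an
// LDAP entry. Keys are LDAP attribute names, values are the ABAC attribute
// names stored in Rocket.Chat. Normalisation follows the rules the page gives
// for the sync endpoint: scalars become arrays, non-string values are
// stringified, unmapped LDAP attributes are ignored.

const ATTRIBUTE_MAPPING = {
  departmentNumber: "department",
  employeeType: "accessLevel",
  destinationIndicator: "country",
};

// Normalise one LDAP value (scalar or multi-valued) into an array of strings.
function normaliseValue(value) {
  const list = Array.isArray(value) ? value : [value];
  return list
    .filter((v) => v !== null && v !== undefined)
    .map((v) => (typeof v === "string" ? v : String(v)));
}

// Return the ABAC attributes for a single LDAP entry. Mapped attributes that
// are absent from the entry are omitted rather than set to an empty list, so
// a caller can tell "not present in LDAP" from "present but empty".
function mapLdapEntry(mapping, ldapEntry) {
  const abac = {};
  for (const [ldapName, abacName] of Object.entries(mapping)) {
    if (!(ldapName in ldapEntry)) continue;
    abac[abacName] = normaliseValue(ldapEntry[ldapName]);
  }
  return abac;
}

// Compare two synced attribute sets and report what changed per attribute,
// e.g. to log a clearance that a sync run has just removed.
function diffAttributes(before, after) {
  const names = new Set([...Object.keys(before), ...Object.keys(after)]);
  const changes = {};
  for (const name of names) {
    const old = new Set(before[name] || []);
    const cur = new Set(after[name] || []);
    const added = [...cur].filter((v) => !old.has(v));
    const removed = [...old].filter((v) => !cur.has(v));
    if (added.length || removed.length) changes[name] = { added, removed };
  }
  return changes;
}

// Constructed LDAP entry (not real directory data): note the numeric value,
// the multi-valued attribute, and the unmapped "mail" attribute.
const SAMPLE_ENTRY = {
  dn: "uid=alice,ou=people,dc=example,dc=org",
  departmentNumber: 4711,
  employeeType: ["secret", "analyst"],
  mail: "alice@example.org",
};

function syncSample() {
  return mapLdapEntry(ATTRIBUTE_MAPPING, SAMPLE_ENTRY);
}
```

Running `syncSample()` yields `department: ["4711"]` and `accessLevel: ["secret", "analyst"]`; `country` is absent because the entry has no `destinationIndicator`, and `mail` never appears because it is not in the mapping. `diffAttributes` is the kind of check worth running between two sync results when you are troubleshooting why a user kept, or lost, access.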

After saving the mapping, click the Sync Now button in the top-right corner of the ABAC settings page to immediately synchronize ABAC attributes from LDAP, without waiting for the next scheduled background sync. Use this when:

  • You have just updated the ABAC Attribute Mapping and want changes applied right away.

  • A user's LDAP attributes have changed and you want the update reflected immediately.

  • You are troubleshooting attribute sync issues.

Notes about the Sync Now button

  • Sync Now is only available when both LDAP and ABAC are enabled.

  • This button synchronizes ABAC attributes only. It is separate from the standard LDAP Sync Now action, which does not trigger an ABAC sync.


Configure Virtru PDP

Use the Virtru PDP Configuration section to connect Rocket.Chat to an external Virtru Policy Decision Point. This centralizes attribute management and delegates access decisions to the Virtru platform.

The Virtru PDP evaluates user attributes against room access policies and returns an allow or deny decision.

Additional prerequisites

In addition to the general ABAC prerequisites, Virtru integration requires:

  • A Virtru PDP instance configured and reachable from your Rocket.Chat server.

  • A Virtru OIDC endpoint with valid client credentials.

  • Network connectivity between Rocket.Chat and both the Virtru PDP and OIDC endpoint.

Connection settings

Enter your Virtru connection credentials exactly as provided by your Virtru administrator.

All four settings are required:

  • Base URL: Virtru PDP base URL.

  • Client ID: OIDC client identifier.

  • Client Secret: OIDC client secret.

  • OIDC Endpoint: Base OIDC realm URL used for client credentials authentication. Example: https://keycloak.example.com/auth/realms/opentdf.

Attribute mapping

  • Default Entity Key (default: emailAddress): The entity identifier sent to the External Rights Server (ERS). Options: emailAddress, oidcIdentifier.

  • Attribute Namespace (default: example.com): Namespace used to build attribute FQNs. For example, opentdf.io produces https://opentdf.io/attr/{key}/value/{value}.

Select the entity key that matches your Virtru configuration and update the attribute namespace to match your environment.
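The FQN template above, as an added example that is neither Rocket.Chat's nor Virtru's code: a builder that expands a user's synced attributes into FQNs under the configured namespace, a strict parser for that shape, and a check that separates FQNs belonging to the configured namespace from ones under some other namespace (a quick way to spot a namespace mismatch between the two sides). The helper names and the sample attribute values are assumptions.

```javascript
// Added example (not Rocket.Chat or Virtru code): build attribute FQNs using
// the template the page gives, https://{namespace}/attr/{key}/value/{value},
// and parse them back. The parser is strict and rejects anything else.

function attributeFqn(namespace, key, value) {
  return `https://${namespace}/attr/${key}/value/${value}`;
}

// Expand a user's synced ABAC attributes (name -> array of values) into the
// FQNs that would be expressed under the configured namespace.
function attributesToFqns(namespace, attributes) {
  const fqns = [];
  for (const [key, values] of Object.entries(attributes)) {
    for (const value of values) fqns.push(attributeFqn(namespace, key, value));
  }
  return fqns;
}

const FQN_PATTERN = /^https:\/\/([^/]+)\/attr\/([^/]+)\/value\/([^/]+)$/;

// Parse an FQN into its parts, or return null when it does not match.
function parseFqn(fqn) {
  const m = FQN_PATTERN.exec(fqn);
  return m ? { namespace: m[1], key: m[2], value: m[3] } : null;
}

// Keep only FQNs under the namespace configured in Rocket.Chat; anything
// under a different namespace, or malformed, is reported separately so a
// configuration mismatch between Rocket.Chat and the PDP is visible.
function partitionByNamespace(namespace, fqns) {
  const own = [], foreign = [], invalid = [];
  for (const fqn of fqns) {
    const parsed = parseFqn(fqn);
    if (!parsed) invalid.push(fqn);
    else if (parsed.namespace === namespace) own.push(parsed);
    else foreign.push(parsed);
  }
  return { own, foreign, invalid };
}
```

If `partitionByNamespace` reports attributes in `foreign`, the Attribute Namespace setting on this page and the namespace the PDP was provisioned with disagree, and policy evaluation will silently fail to match those attributes.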

Synchronization

  • Membership Sync Interval (default: */5 * * * *, every 5 minutes): Cron expression for re-evaluating ABAC room memberships against the Virtru PDP. Non-compliant users are evicted on each run.

Adjust based on how frequently attributes change in your environment.

Test the connection

After entering your Virtru settings:

  1. Click Test connection at the bottom of the Virtru PDP Configuration section.

  2. Rocket.Chat attempts to authenticate with Virtru and reach the health endpoint, then displays the result as a toast notification in the top-right corner.

  3. The toast is not persistent; once it disappears, click Test connection again to re-check the status. For deeper troubleshooting, check your Rocket.Chat server logs, which record the action and the full error details for any failed connection attempt.

Health status

The ABAC PDP Health (toast notification) shows one of the following messages:

  • All systems operational: Connected and healthy.

  • No PDP configured: ABAC is enabled but no PDP has been selected.

  • Unable to connect to the Identity Provider (IdP): Cannot generate a token. Verify OIDC credentials and endpoint.

  • Unable to reach the Virtru platform health endpoint: Network connectivity issue, or Base URL is missing or incorrect.

  • Unable to perform an authenticated request: OIDC client lacks admin rights. Verify client permissions.

  • PDP health check failed due to an unexpected error: Review server logs for details.

Access control behaviour

Once the Virtru PDP is configured and healthy:

  • Access decisions are made by the Virtru PDP instead of local policies.

  • User attributes are synced from Virtru at the configured interval.

  • Room access is evaluated against Virtru policies.

  • Decisions are cached according to the ABAC Cache Decision Time setting.


Disable ABAC

To disable, turn off the Enable Attribute Based Access Control (ABAC) toggle on the Settings tab.

Disabling ABAC suspends attribute-based enforcement across the workspace. Before disabling, be aware of the following:

  • Automatic and manual user management is blocked in existing ABAC rooms.

  • Rooms must be removed from ABAC management before reverting to default access controls.

  • All attribute-based enforcement is paused until ABAC is re-enabled.

  • Re-enabling ABAC triggers a new LDAP synchronization.


Force a sync on revocations

When a user’s LDAP attributes change due to termination, role downgrade, or clearance removal, immediately trigger a manual ABAC sync:

POST /api/v1/abac/users/sync

This endpoint refreshes ABAC attributes for the specified users. Although ABAC enforcement runs in near real time, invoking this endpoint reduces the residual access window after revocation.

Requirements:

  • Defense license with ABAC enabled

  • abac-management permission

Request body:

Provide a JSON payload containing one or more user identifiers:

{
  "usernames": ["alice", "bob"],
  "ids": ["userId123"],
  "emails": ["user@example.com"],
  "ldapIds": ["ldap-uid-456"]
}

You may specify any combination of identifiers. At least one field is required.

Behaviour:

  • Scalar values are automatically converted to arrays.

  • Non-string values are stringified.

  • Only mapped LDAP attributes are synchronized.

  • Only the specified users are refreshed.
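Building that request, as an added example that is not Rocket.Chat's own code. It validates the body against the rules stated above (any combination of the four identifier fields, at least one required) and reads the "scalar values are converted to arrays" and "non-string values are stringified" rules as applying to the identifier fields, which is this example's interpretation. X-Auth-Token and X-User-Id are Rocket.Chat's standard REST authentication headers; the workspace URL, token and user id are constructed placeholders, as are the helper names.

```javascript
// Added example (not Rocket.Chat code): build and validate the request body
// for POST /api/v1/abac/users/sync as the page describes it, then assemble
// the HTTP request. Nothing here performs network I/O.

const IDENTIFIER_FIELDS = ["usernames", "ids", "emails", "ldapIds"];

// Accept a scalar or an array for each identifier field (scalars become
// arrays, non-strings are stringified, per the page), drop empty fields,
// reject unknown fields, and require at least one populated field.
function buildSyncPayload(identifiers) {
  const unknown = Object.keys(identifiers).filter((k) => !IDENTIFIER_FIELDS.includes(k));
  if (unknown.length) throw new Error(`unknown identifier field(s): ${unknown.join(", ")}`);

  const payload = {};
  for (const field of IDENTIFIER_FIELDS) {
    if (!(field in identifiers)) continue;
    const raw = identifiers[field];
    const list = (Array.isArray(raw) ? raw : [raw])
      .filter((v) => v !== null && v !== undefined && v !== "")
      .map((v) => (typeof v === "string" ? v : String(v)));
    if (list.length) payload[field] = list;
  }
  if (Object.keys(payload).length === 0) {
    throw new Error("at least one identifier field is required");
  }
  return payload;
}

// Return the request an HTTP client would send. The token must belong to an
// account holding the abac-management permission on a Defense-licensed
// workspace with ABAC enabled (the page's stated requirements).
function buildSyncRequest(workspaceUrl, auth, identifiers) {
  return {
    url: `${workspaceUrl.replace(/\/$/, "")}/api/v1/abac/users/sync`,
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      "X-Auth-Token": auth.token,   // Rocket.Chat REST auth header
      "X-User-Id": auth.userId,     // Rocket.Chat REST auth header
    },
    body: JSON.stringify(buildSyncPayload(identifiers)),
  };
}

// Constructed usage: refresh two users right after a clearance change in LDAP.
// The URL and credentials are placeholders, not a real workspace.
function exampleRequest() {
  return buildSyncRequest(
    "https://chat.example.org/",
    { token: "PLACEHOLDER_TOKEN", userId: "PLACEHOLDER_USER_ID" },
    { usernames: "alice", ldapIds: ["ldap-uid-456"], emails: [] },
  );
}
```

The returned object maps directly onto `fetch(url, { method, headers, body })`. Rejecting an empty payload client-side matters in an offboarding script: a sync request that names nobody refreshes nobody, and the revocation you meant to push through would silently wait for the next background run.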