Manage ABAC Rooms and Attributes


Room attributes define the classification model for ABAC-managed rooms. They represent the resource-side conditions used during access evaluation and are matched against user attributes synchronized from LDAP. Before any room can be governed by ABAC, its required attributes and allowed values must first be defined here.

Room attributes act as a controlled vocabulary for room restrictions. Only values defined at this level can later be applied to rooms, ensuring consistency, validation, and auditability across the system.

Manage room attributes

To manage global room attributes, navigate to: Administration → Attribute Based Access Control → Room Attributes. This section displays the central attribute registry used by all ABAC-managed rooms across the workspace.

The Room Attributes page provides a searchable list of all existing attributes and their allowed values. Each entry contains:

  • Name: the attribute identifier used by ABAC policies

  • Value: the full set of allowed values that may be assigned to rooms

For example:

  • A department attribute may include values such as engineering, finance, etc.

  • An employmentType attribute may include values such as fullTime, Contractor, etc.

These attributes do not grant access on their own. They function strictly as room-side constraints, which are later enforced by matching them against LDAP-synchronized user attributes.

Creating a new room attribute

New room attributes are created from the Room Attributes tab and become immediately available for use across all ABAC-managed rooms. To create a new attribute:

  1. Open the Room Attributes tab and select New attribute.

  2. Enter a value in the Name field.

  3. Enter a value in the Values field and select Add Value.

  4. Repeat until all required values have been added.

  5. Select Save to finalize the attribute.

Once saved, the attribute becomes part of the global ABAC attribute repository and can be applied to rooms immediately.

Attribute validation rules

Room attributes enforce strict validation to prevent misconfiguration and ensure predictable enforcement behavior.

Attribute names must conform to the following pattern:

^[A-Za-z0-9_-]+$

This means:

  • Only alphanumeric characters, underscores (_), and hyphens (-) are permitted.

  • Spaces, symbols, and special characters are rejected.

  • Invalid names trigger an immediate validation error and prevent saving.

  • Attribute names are case sensitive and must exactly match the attribute name configured in the LDAP mapping settings.

This restriction ensures compatibility with policy evaluation and backend enforcement.

Attribute value requirements

Each attribute must contain at least one allowed value. Values are added individually and validated at the time of entry.

  • Empty values are rejected.

  • Duplicate values are not permitted.

  • The system displays a “Values required” error if no values are defined.

  • Attribute values are case sensitive and must exactly match the values imported from LDAP.

Values represent the exact classification options that administrators can later assign to rooms.
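The name and value rules above can be checked before an attribute is saved. The following is an added example written for this page, not Rocket.Chat's own validation code: it applies the name pattern, the non-empty and no-duplicate value rules, and, optionally, the case-sensitive check against the LDAP mapping names. The ldap_mapped_names parameter is a hypothetical input, and treating whitespace-only values as empty is an assumption.

```python
import re

# Name pattern from the page: letters, digits, underscore and hyphen only (case preserved).
ATTRIBUTE_NAME_PATTERN = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_attribute_name(name, ldap_mapped_names=None):
    """Return a list of validation errors for a room attribute name (empty list = valid).

    ldap_mapped_names is an optional set of attribute names configured in the
    LDAP mapping settings (hypothetical input, not a Rocket.Chat API); when given,
    a name that is not in it is reported, because matching is case sensitive.
    """
    errors = []
    if not name:
        errors.append("Name required")
    elif not ATTRIBUTE_NAME_PATTERN.match(name):
        errors.append("Invalid name: only letters, digits, '_' and '-' are allowed")
    elif ldap_mapped_names is not None and name not in ldap_mapped_names:
        errors.append(f"Name {name!r} does not match any LDAP-mapped attribute (case sensitive)")
    return errors


def validate_attribute_values(values):
    """Apply the value rules: at least one value, no empty values, no duplicates."""
    errors = []
    if not values:
        errors.append("Values required")
        return errors
    seen = set()
    for value in values:
        if value.strip() == "":  # assumption: whitespace-only counts as empty
            errors.append("Empty values are rejected")
        elif value in seen:      # comparison is case sensitive, so 'Contractor' != 'contractor'
            errors.append(f"Duplicate value: {value!r}")
        seen.add(value)
    return errors


def validate_room_attribute(name, values, ldap_mapped_names=None):
    """Validate a whole attribute definition as the New attribute dialog would before Save."""
    return validate_attribute_name(name, ldap_mapped_names) + validate_attribute_values(values)


if __name__ == "__main__":
    # Constructed inputs mirroring the page's examples.
    print(validate_room_attribute("department", ["engineering", "finance"]))     # []
    print(validate_room_attribute("employment type", ["fullTime", "fullTime"]))
    print(validate_room_attribute("Department", ["finance"], {"department"}))
```

Because both names and values are compared case sensitively, "fullTime" and "FullTime" are two distinct values; the LDAP mapping check is the one that catches a definition that would silently never match any synchronized user.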

Editing an existing room attribute

Once a room attribute has been created, its structure is locked, but its values can still be managed. To edit an existing attribute:

  1. Locate the attribute you want to modify.

  2. Click the kebab menu (⋮) at the end of the row and select Edit.

The Edit Attribute dialog opens with the following behavior:

  • The attribute name is editable.

  • Existing attribute values cannot be modified directly.

  • You can:

    • Add new values

    • Delete existing values

This guarantees referential integrity for any rooms already using this attribute. After adding or removing values, click Save to apply the changes.

Deleting a room attribute

You can permanently delete a room attribute when it is no longer needed. To delete an attribute:

  1. Locate the attribute you want to delete.

  2. Click the kebab menu (⋮) at the end of the row and select Delete.

A confirmation dialog appears asking you to confirm the action.

Important behavior:

  • If the attribute is not assigned to any rooms, it can be deleted safely with no impact on existing rooms.

  • If the attribute is assigned to one or more rooms, deletion is blocked and you must first remove it from all rooms before it can be deleted.

  • Deletion is permanent and cannot be undone.

Searching for attributes

At the top of the Room Attributes tab, use the Search attributes field to quickly locate an attribute. The search works across:

  • Attribute names

  • Attribute values

This allows you to find attributes even when you only remember one of their values.


Manage ABAC rooms

The Rooms tab is where administrators bring private rooms under Attribute-Based Access Control (ABAC) enforcement. Once a room is ABAC-managed, its membership is controlled strictly by user attributes synchronized from LDAP. Manual room management is restricted, and access is enforced automatically and continuously.

From this view, you can:

  • Search and filter ABAC-managed rooms

  • Add new rooms to ABAC control

  • Assign required access attributes and values

  • View real-time membership counts

  • Remove rooms from ABAC enforcement

Understanding the rooms list

Each row in the Rooms table represents one ABAC-managed room and displays the following information:

  • Room: The name of the channel or team under ABAC control

  • Members: The number of users who currently satisfy the ABAC rules

  • Subject attributes: The attribute used to control access

  • Attribute values: The values required for access

  • Actions menu (⋮): Used to manage or remove the room from ABAC

Only private channels and private teams appear here. Public rooms cannot be managed by ABAC.

Searching and filtering rooms

At the top of the page, the search bar allows you to find rooms using multiple criteria. You can search by:

  • Room name

  • Attribute name

  • Attribute value

Next to the search bar, a filter dropdown lets you scope your search to:

  • All: Searches across rooms, attributes, and values

  • Rooms: Searches only by room name

  • Attributes: Searches only by attribute name

  • Values: Searches only by attribute values

This makes it easy to locate ABAC-managed rooms even in large environments.

Adding a room to ABAC

To begin enforcing ABAC on a room, click Add Room.

Step 1: Select the room

In Room to be ABAC-managed, select a private channel or private team.

Important behavior:

  • This list only shows eligible rooms

  • A room appears here only if:

    • It is private

    • It is not already ABAC-managed

    • It still uses default access control

If this field shows “Empty”, it means no rooms currently meet these conditions. In that case, create a new private room first.

Step 2: Assign required attributes

After selecting a room:

  1. Choose an Attribute from the dropdown

  2. Select one or more Attribute Values

  3. Click Add Attribute to attach the rule

  4. Repeat as needed to add additional required attributes

Each attribute added acts as a mandatory access condition. A user must match all configured attributes and values to remain a member of the room.

Step 3: Finalize the configuration

Once all required attributes are assigned, save the configuration. The room immediately becomes ABAC-managed, and enforcement begins.

Membership is evaluated automatically:

  • Users who match the rules remain or are added

  • Users who do not match the rules are removed within seconds

How enforcement works for ABAC rooms

Once a room is under ABAC control:

  • Users are automatically added and removed based on LDAP attributes

  • Administrators cannot manually add users unless they already satisfy all attribute rules

  • Membership is continuously re-evaluated on:

    • LDAP syncs

    • Room attribute changes

    • ABAC reactivation

This guarantees Zero-Trust enforcement where access is always attribute-driven.
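The evaluation model described in Step 2 (every configured attribute is a mandatory condition) and in the enforcement section above can be expressed as a small policy check. The following is an added example for this page, not Rocket.Chat's implementation: a user is eligible only if, for each rule on the room, the user's synchronized attribute holds one of the allowed values, compared case sensitively; an evaluation pass then adds eligible users and removes everyone else. The directory, room name and rules are constructed, and treating a list-valued LDAP attribute as "any value matches" is an assumption.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RoomRule:
    """One required attribute on a room: the user's value must be in allowed_values."""
    attribute: str
    allowed_values: frozenset


@dataclass
class AbacRoom:
    name: str
    rules: tuple            # tuple of RoomRule; all must be satisfied (AND)
    members: set = field(default_factory=set)


def user_satisfies(user_attributes, rules):
    """True only if the user matches every rule. Missing attributes fail; matching is case sensitive."""
    for rule in rules:
        value = user_attributes.get(rule.attribute)
        if value is None:
            return False
        # Assumption: a multi-valued LDAP attribute arrives as a list; a single string is wrapped.
        values = value if isinstance(value, (list, tuple, set, frozenset)) else [value]
        if not any(v in rule.allowed_values for v in values):
            return False
    return True


def evaluate_room(room, directory):
    """Re-evaluate membership against the synchronized directory (username -> attributes).

    Returns (to_add, to_remove): eligible users not yet members, and members no longer eligible.
    """
    eligible = {user for user, attrs in directory.items() if user_satisfies(attrs, room.rules)}
    return eligible - room.members, room.members - eligible


def apply_evaluation(room, directory):
    """Apply an evaluation pass, as happens on LDAP sync, rule change or ABAC reactivation."""
    to_add, to_remove = evaluate_room(room, directory)
    room.members |= to_add
    room.members -= to_remove
    return room.members


def can_manually_add(room, username, directory):
    """An administrator may only add a user who already satisfies every rule."""
    return user_satisfies(directory.get(username, {}), room.rules)


# Constructed sample directory, as it might look after an LDAP sync.
DIRECTORY = {
    "alice": {"department": "engineering", "employmentType": "fullTime"},
    "bob":   {"department": "finance",     "employmentType": "fullTime"},
    "carol": {"department": "engineering", "employmentType": "Contractor"},
    "dave":  {"department": "Engineering", "employmentType": "fullTime"},  # case mismatch on purpose
    "erin":  {"employmentType": "fullTime"},                                # no department at all
}

# Rules for a hypothetical room: department=engineering AND employmentType=fullTime.
ENG_FULLTIME_RULES = (
    RoomRule("department", frozenset({"engineering"})),
    RoomRule("employmentType", frozenset({"fullTime"})),
)


if __name__ == "__main__":
    room = AbacRoom("eng-fulltime", ENG_FULLTIME_RULES, members={"alice", "bob", "carol"})
    print(evaluate_room(room, DIRECTORY))             # (set(), {'bob', 'carol'})
    print(apply_evaluation(room, DIRECTORY))          # {'alice'}
    print(can_manually_add(room, "dave", DIRECTORY))  # False: 'Engineering' != 'engineering'
```

The "dave" and "erin" entries show the two ways a user silently loses access: a value that differs only in case, and an attribute that was never synchronized. Both are the kind of mismatch the audit log and membership count will surface after the next evaluation pass.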

Editing an ABAC-managed room

To modify an existing ABAC rule for a room, open the kebab menu (⋮) on the right side of the room row and select Edit.

The Edit Room dialog allows you to:

  • View the currently managed room

  • Change the attribute

  • Modify the allowed attribute values

  • Add additional attributes

  • Remove existing attributes

The room itself cannot be changed during editing, only its enforcement rules.

Changes take effect immediately after clicking Save, and user membership is re-evaluated automatically.

Removing a room from ABAC management

To stop enforcing ABAC on a room, open the kebab menu (⋮) and select Remove.

A confirmation dialog appears with the following message: Removing this room from ABAC management may result in unintended users gaining access.

This warning exists because:

  • Once ABAC enforcement is removed, the room reverts to standard Rocket.Chat access control

  • Users who do not meet the former ABAC conditions may retain access

Click Remove to proceed, or Cancel to keep the room under ABAC control.


ABAC logs and audit trail

The Logs tab provides a complete audit trail of all ABAC-related activity across the workspace. This audit log is designed for security monitoring, compliance verification, and operational troubleshooting, ensuring that every change to ABAC configuration is fully traceable.

Administrators use this view to answer critical questions such as:

  • Who created or modified an attribute?

  • When was a room placed under ABAC enforcement?

  • Which user removed an attribute or updated a room’s access policy?

All actions recorded here are generated automatically by Rocket.Chat and cannot be altered.

Understanding log entries

Each log entry contains the following fields:

  • User: The account that performed the action. System-initiated events (such as automatic evaluations) appear as System.

  • Action: What happened (for example, Created, Updated, or Removed).

  • ABAC Element: The object affected by the change (such as Room, Room Attribute).

  • Element Name: The exact name of the room or attribute involved.

  • Timestamp: The precise date and time when the action occurred.

This structure allows administrators to reconstruct a complete change history of ABAC enforcement across the workspace.

Time-based filtering

The Logs view supports full date-range filtering and quick time presets to make investigations faster.

You can filter by:

  • Today

  • Yesterday

  • This Week

  • Previous Week

  • This Month

  • All time

You can also manually select a custom start date and end date using the date pickers at the top of the page. This is especially useful during incident response, audits, or access reviews.
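To show how the five log fields and the time presets above combine during an access review, here is an added example written for this page, not Rocket.Chat's own log code: it models entries with the listed fields, translates each quick preset into an inclusive date range relative to a fixed reference time, and answers the "who changed what, and when" questions from the introduction of this section. The entries, user names and reference time are constructed, and starting weeks on Monday is an assumption the page does not state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogEntry:
    """The five fields the page lists for each ABAC audit entry."""
    user: str          # account that acted, or "System" for automatic evaluations
    action: str        # Created / Updated / Removed
    element: str       # Room or Room Attribute
    element_name: str
    timestamp: datetime


# Fixed "now" so the presets are reproducible: Wednesday 12 March 2025, 15:30 (constructed).
NOW = datetime(2025, 3, 12, 15, 30)

# Constructed sample entries; names and users are invented for this example.
LOG = [
    LogEntry("admin.jane", "Created", "Room Attribute", "department",     datetime(2025, 2, 3, 9, 0)),
    LogEntry("admin.jane", "Updated", "Room Attribute", "department",     datetime(2025, 3, 4, 10, 15)),
    LogEntry("admin.raj",  "Created", "Room",           "eng-fulltime",   datetime(2025, 3, 11, 8, 5)),
    LogEntry("System",     "Updated", "Room",           "eng-fulltime",   datetime(2025, 3, 11, 8, 6)),
    LogEntry("admin.raj",  "Removed", "Room Attribute", "employmentType", datetime(2025, 3, 12, 11, 0)),
]


def preset_range(preset, now=NOW):
    """Translate a quick preset into an inclusive (start_date, end_date) pair.

    Assumption: weeks start on Monday; the page does not state the week boundary.
    'All time' returns (None, None), meaning no bound.
    """
    today = now.date()
    monday = today - timedelta(days=today.weekday())
    if preset == "Today":
        return today, today
    if preset == "Yesterday":
        yesterday = today - timedelta(days=1)
        return yesterday, yesterday
    if preset == "This Week":
        return monday, today
    if preset == "Previous Week":
        return monday - timedelta(days=7), monday - timedelta(days=1)
    if preset == "This Month":
        return today.replace(day=1), today
    if preset == "All time":
        return None, None
    raise ValueError(f"unknown preset: {preset}")


def filter_log(entries, start=None, end=None, element_name=None):
    """Entries within [start, end] (dates, inclusive), optionally for one element, oldest first."""
    selected = []
    for entry in entries:
        day = entry.timestamp.date()
        if start is not None and day < start:
            continue
        if end is not None and day > end:
            continue
        if element_name is not None and entry.element_name != element_name:
            continue
        selected.append(entry)
    return sorted(selected, key=lambda e: e.timestamp)


def change_history(entries, element_name):
    """Reconstruct who did what to one room or attribute, in order."""
    return [(e.timestamp.isoformat(), e.user, e.action)
            for e in filter_log(entries, element_name=element_name)]


def human_actors(entries, element_name):
    """Accounts (excluding System) that ever touched the element: 'who modified X?'"""
    return {e.user for e in entries if e.element_name == element_name and e.user != "System"}


if __name__ == "__main__":
    start, end = preset_range("Previous Week")
    for entry in filter_log(LOG, start, end):
        print(entry.timestamp, entry.user, entry.action, entry.element, entry.element_name)
    print(change_history(LOG, "eng-fulltime"))
    print(human_actors(LOG, "eng-fulltime"))
```

Separating the System actor from human accounts is what lets a reviewer distinguish an administrator's policy change from the automatic re-evaluation that follows it a moment later, as the two "eng-fulltime" entries illustrate.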