UX Spec: Attribute Based Channel Access - Phase 1
Overview
This feature gives administrators a powerful way to control which users can access a channel, based on their profile attributes. This addresses the challenge of managing channel access in large or complex organizations dealing with sensitive information, where manual processes can lead to security risks, inefficiencies, or inappropriate access. Enabling attribute-driven rules for channels ensures that users only see and access channels relevant to their assigned attribute values, which can include roles, security clearance, and departments.
Admins will be able to configure access rules through two primary methods:
Access Policies:
Accessed via System Console → Attribute-based access.
Create policies with rules that can be assigned to multiple channels.
Future plans include support for additional resources beyond channels.
Individual Channel Configuration:
Accessed via System Console → Channels.
Toggle the "Attribute-based channel access" setting and add custom access expressions.
Scope: In this phase, attribute-based access restrictions will only be allowed for Private channels.
Access Policy Management
Access Policies offer a scalable way to manage channel membership rules based on user attributes. Policies simplify management by:
Allowing quick updates to multiple channels at once.
Reducing repetitive work in defining similar rules for each channel individually.
Providing a clear overview of rules and affected resources.
Note: In the future, we plan to add multiple resources (Teams, Playbooks, Boards) that can be assigned in a policy so it can be applied more broadly.
Attribute Based Access Page (System Console → Attribute-based access)
Admins start by navigating to System Console → Attribute-based access to view existing policies or add new ones. This page includes:
Global ABAC toggle/configuration:
Enables/disables ABAC rules on the server.
Channel-level configuration permission toggle:
Controls if channel admins can view/modify ABAC settings (default: off).
List of Policies:
Policy Name: Clearly identifies the policy.
Applied Channels: Number of channels currently linked.
Actions (Edit/Delete): Manage existing policies.
Access control sync
Sync policies: Users can choose to save policies without immediately applying them. When the user is done updating one or more policies, they can click the `Sync now` button to apply all the updated policies in one go. There will be a confirmation modal before the sync actually begins.
View sync details: Users can click on any of the sync rows to find details about the number of users allowed access/added or members removed from every affected channel. They can also click into any of the channels to view exactly which users were allowed access/added and removed.
Creating/Editing an Access Policy
Admins click “Add Policy” or edit an existing one to manage the following fields:
Policy Name
A unique, descriptive identifier to easily recognize the policy purpose.
Auto-sync membership toggle
True: Automatically maintains channel membership according to the defined rules as user attributes change.
False (default): Only removes members and restricts adding them to the channel if they don’t match defined rules. No auto-add.
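The two Auto-sync settings above, together with the per-channel sync details (users added, members removed) and the "cannot be selected or added" restriction in the Add People modal, reduce to a small membership-diff computation. The following Python is an added example written for this spec, not Mattermost code; the user table, the rule predicate and the channel membership sets are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data (not from the product): user id -> profile attributes.
USERS = {
    "alice": {"clearance": "Confidential", "program": "Dragon Spacecraft"},
    "bob":   {"clearance": "Unclassified", "program": "Dragon Spacecraft"},
    "carol": {"clearance": "Confidential", "program": "Black Phoenix"},
    "dave":  {"clearance": "Unclassified", "program": "Black Phoenix"},
}

# Current membership of the channels a policy is applied to (constructed).
CHANNELS = {
    "dragon-ops": {"alice", "bob"},
    "phoenix-ops": {"carol", "dave"},
}


def confidential_only(attrs):
    """A policy rule as a predicate over a user's attribute map; the
    equivalent of the Basic-mode condition 'Clearance is Confidential'."""
    return attrs.get("clearance") == "Confidential"


@dataclass(frozen=True)
class ChannelSync:
    channel: str
    added: frozenset      # users auto-added (auto-sync on only)
    removed: frozenset    # members who no longer match the rule


def plan_sync(rule, channels, users, auto_sync):
    """Return the per-channel change a 'Sync now' would apply.

    auto_sync=False: only removal happens, non-matching members are dropped
    and nobody is added. auto_sync=True: matching users who are not yet
    members are added as well.
    """
    eligible = {uid for uid, attrs in users.items() if rule(attrs)}
    plan = []
    for channel, members in channels.items():
        removed = members - eligible
        added = (eligible - members) if auto_sync else set()
        plan.append(ChannelSync(channel, frozenset(added), frozenset(removed)))
    return plan


def sync_summary(plan):
    """Totals for the sync details row: (users added, members removed)."""
    return (sum(len(p.added) for p in plan), sum(len(p.removed) for p in plan))


def can_add(rule, users, uid):
    """Add People modal: a user is only selectable when they match the rule."""
    return uid in users and rule(users[uid])


def apply_sync(channels, plan):
    """Apply a plan to the membership sets (what runs after the confirmation modal)."""
    for p in plan:
        channels[p.channel] = (channels[p.channel] | p.added) - p.removed
    return channels
```

Note that `plan_sync` is pure: it can back the confirmation modal and the sync details view without touching membership, and `apply_sync` is only called once the admin confirms.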
Configuring Access Rules (Basic and Advanced Modes)
ABAC policies allow admins to define rules via either Basic or Advanced modes, balancing simplicity and flexibility.
Switching Between Modes
Basic → Advanced:
Available anytime via "Switch to Advanced Mode" button.
Tooltip: "Use Advanced mode for complex expressions and logical groupings."
Advanced → Basic:
Available only when the current expression can be represented in Basic mode.
If disabled, a tooltip states clearly: "Basic mode is not available since complex expressions have been added."
Basic Mode
Basic Mode provides an intuitive UI for creating simple rules with minimal training.
UI Components:
Attribute Conditions Table
Admins add multiple attribute conditions using the following UI elements:
"Select user attribute" button:
Clicking this opens a dropdown with a list of available attributes from the system (e.g., Program, Clearance, Branch, Department, etc.).
Operator Dropdown:
Available operators are:
`is`: Attribute exactly matches a single selected value.
`in`: Attribute matches any of multiple selected values.
Help text: "Matches any of the selected values."
Attribute Values Dropdown:
Lists available values relevant to the selected attribute. If the user selects multiple values for an attribute, the `in` operator should be chosen automatically.
Logical Operator Selection
A dropdown titled "All attributes required" selects how multiple conditions combine logically:
"All attributes required" (default): Combines conditions using logical AND. Users must match all conditions.
"Any 1 attribute required": Combines conditions using logical OR. Users match at least one condition.
Validation and Error Handling:
No manual validation needed; input constraints prevent invalid selections.
Advanced Mode
Advanced Mode allows detailed, flexible expression-based rules using CEL syntax. Recommended for technical or complex scenarios.
CEL Expression Editor:
Real-time syntax validation and feedback.
Context-aware autocomplete for attributes, operators, and attribute values.
Syntax Structure:
user.<attribute> <operator> <value>
Multiple conditions can be combined using `&&` / `||`. Parentheses `()` group conditions logically.
Autocomplete Interaction:
Typing `user.` triggers autocomplete listing available attributes (Department, Program, Clearance, Rank, Location).
Upon selecting an attribute, autocomplete suggests appropriate CEL operators (`==`, `!=`, `in`, `&&`, `||`).
After selecting an operator, if attribute values are known (pre-defined), autocomplete suggests values to choose from (e.g., "Dragon Spacecraft", "Confidential").
AI Assistance
AI-assisted rule creation ("Create with AI") suggests valid expressions based on common or previously used rules by simply writing down what you need in text.
This will not be part of the MVP.
Syntax Validation & Error Messaging:
Immediate validation upon typing expressions.
Validation should get triggered if the user stops typing for at least 3 seconds or when the user focuses out of the expression input box.
Errors explicitly indicate issues such as missing operators, incorrect syntax, or incomplete conditions.
Clear, actionable error messaging guiding admins toward successful rule creation.
Note: To simplify implementation, we can only trigger validation when the user clicks on the validation bar. We can add automatic validation in follow up iterations.
Mode Compatibility & Constraints
Basic mode only supports simple conditions without nested logic or mixed logical operators.
Switching from Advanced back to Basic mode is restricted if:
Mixed logical operators are used between conditions.
Nested logic/grouping (parentheses) is present.
Unsupported operators or expressions are detected.
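Basic mode and Advanced mode describe the same rule in two forms, and the mode switch depends on whether an Advanced expression stays inside the Basic subset (single-kind logical operator, no parentheses, only `==` and `in`). The Python below is an added example for this spec, not Mattermost's rule engine or its CEL implementation: it models a Basic-mode rule, compiles it to the CEL syntax shown on this page, evaluates it against a user's attribute map, and decides whether a CEL expression can be switched back to Basic mode. The regex parser covers only the subset this page documents (double-quoted string values, single-valued user attributes) and is an assumption, not the product's parser.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Condition:
    """One row of the Basic-mode attribute conditions table."""
    attribute: str
    values: List[str]

    @property
    def operator(self) -> str:
        # Selecting several values switches the row to "in" automatically.
        return "in" if len(self.values) > 1 else "is"


@dataclass
class BasicRule:
    conditions: List[Condition]
    combinator: str = "all"     # "all" -> && (default), "any" -> ||


def to_cel(rule: BasicRule) -> str:
    """Compile a Basic-mode rule to the Advanced-mode CEL syntax on this page."""
    parts = []
    for c in rule.conditions:
        if c.operator == "is":
            parts.append(f'user.{c.attribute} == "{c.values[0]}"')
        else:
            lst = ", ".join(f'"{v}"' for v in c.values)
            parts.append(f"user.{c.attribute} in [{lst}]")
    joiner = " && " if rule.combinator == "all" else " || "
    return joiner.join(parts)


def matches(rule: BasicRule, user: dict) -> bool:
    """Evaluate a Basic-mode rule against a user's (single-valued) attribute map."""
    results = [user.get(c.attribute) in c.values for c in rule.conditions]
    return all(results) if rule.combinator == "all" else any(results)


# Restricted grammar Basic mode can represent (assumed subset, not the real parser):
#   user.<attr> == "<value>"   or   user.<attr> in ["<v1>", "<v2>", ...]
_IS_RE = re.compile(r'^user\.(\w+)\s*==\s*"([^"]*)"$')
_IN_RE = re.compile(r'^user\.(\w+)\s+in\s+\[([^\]]*)\]$')


def from_cel(expr: str) -> Optional[BasicRule]:
    """Return a BasicRule if `expr` is representable in Basic mode, else None
    (the spec disables 'Switch to Basic' in that case)."""
    if "(" in expr or ")" in expr:
        return None                          # nested grouping
    has_and, has_or = "&&" in expr, "||" in expr
    if has_and and has_or:
        return None                          # mixed logical operators
    sep = "||" if has_or else "&&"           # a lone condition defaults to "all"
    conds = []
    for chunk in expr.split(sep):
        chunk = chunk.strip()
        m = _IS_RE.match(chunk)
        if m:
            conds.append(Condition(m.group(1), [m.group(2)]))
            continue
        m = _IN_RE.match(chunk)
        if m:
            vals = re.findall(r'"([^"]*)"', m.group(2))
            if not vals:
                return None                  # empty list
            conds.append(Condition(m.group(1), vals))
            continue
        return None                          # !=, unquoted value, unknown operator
    return BasicRule(conds, "any" if sep == "||" else "all")
```

The round trip `from_cel(to_cel(rule)) == rule` holds for every Basic-mode rule, while the page's complex example (parentheses, `!=`, mixed `&&`/`||`) is rejected, which is exactly the condition under which the "Switch to Basic" button is disabled.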
Testing and Previewing Rules:
Functions identically in Basic and Advanced modes.
Admins can test rules to preview selected users, ensuring the intended scope and preventing unexpected access changes.
Displays the number and list of matching users.
Also shows all the attribute values that make up the access condition.
Expression Syntax Cheatsheet Modal (Single Page)
This cheatsheet modal will be accessible from the rule definition UI, providing quick help on syntax usage:
📝 Syntax Basics
user.<attribute> <operator> <value>
🔧 Operators
Operator | Meaning | Example |
---|---|---|
`==` | Equal | user.clearance == "High" |
`!=` | Not Equal | user.location != "Remote" |
`in` | Matches any value from a list | user.rank in ["Colonel", "General"] |
`&&` | Logical AND | user.clearance == "High" && user.department == "Engineering" |
`\|\|` | Logical OR | user.clearance == "High" \|\| user.department == "Engineering" |
🎯 Combining Conditions
Use parentheses `( )` to clearly group conditions.
Simple Example:
user.clearance == "High" && user.department == "Engineering"
Complex Example:
(user.program == "Dragon Spacecraft" && user.clearance == "Confidential") || (user.rank in ["Colonel", "General"] && user.location != "Remote")
🚀 Quick Tips
Use autocomplete while typing expressions to select attributes, operators, and predefined values quickly.
Always enclose text values in double quotes `" "`.
Validate syntax regularly to ensure expressions are correct.
Test your rules after creation to see affected users and confirm intended outcomes.
Assign Channels
Users can select multiple channels to assign to the policy.
Clicking on the `Add policy` button should bring up a modal with a list of channels along with a search box.
Only private channels will be allowed to be selected.
Users can select multiple channels and add them to the policy at once.
Users do not need to be a part of the channel or satisfy the access rules in the policy to add a channel to a policy from the System Console UI.
Saving a policy
When saving a new policy or making changes to a policy, a confirmation dialog should be shown before we actually save the changes.
Deleting a policy
A policy can only be deleted if there are no channels assigned to it. The option to delete a policy will be available at the bottom of the access policy detail page. When there are assigned channels in a policy, the delete button will be disabled.
When there are no assigned channels, the delete policy button will be enabled. There should be a confirmation modal before an access policy is deleted.
Individual Channel Configuration
Individual channel configuration allows admins to define custom ABAC rules specific to a single channel. It offers flexibility when exceptions or special conditions are needed outside standard policies.
Admins Navigate: System Console → Channels → Select Channel → Channel Configuration
New ABAC-specific settings:
Toggle: Enable attribute-based channel access
When enabled, channel membership is governed by ABAC rules.
Reveals the "Access Rules" configuration section.
Edge cases:
Trying to enable attribute-based channel access when you already have group-sync enabled should show a confirmation dialog. Similarly, trying to enable group-sync when attribute-based channel access is already enabled should trigger a confirmation dialog.
Access policy section (appears only after enabling ABAC)
Shows the applied policy if already selected or an empty state with a button to link a policy when no policy is selected.
Linked policy details (policy name, number of applied channels) shown. Users can click on a policy to go to the edit policy page.
Confirmation dialog is shown when user clicks on Remove policy.
End-User Experience and Indicators
When a channel has attribute-based access controls (ABAC) applied, end users must see clear and informative indicators to understand access restrictions. These indicators and restrictions will appear consistently across web and mobile interfaces.
Web/Desktop
Channel Members RHS
Visual Indicators:
Section Notice:
At the top of the Members panel, display a clearly distinguishable informational section notice.
Property Values Display:
The notice should also show the required attribute values as a flat list of tags, clearly displaying each property value needed for channel access.
Hovering over any attribute value pill reveals a tooltip displaying the corresponding attribute name (e.g., hovering over "Confidential" reveals "Clearance").
Add People to Channel Modal
Visual Indicators:
Section Notice
Display a clear and informative section notice at the top of the modal.
Attribute Values Display:
Present required attribute values as tags along with tooltips, identical to the display in the Members RHS.
Functionality Restrictions:
Users who do not match the channel’s attribute-based access rules:
Will not appear in search results.
Cannot be selected or added to the channel.
Mobile App
The mobile experience aligns closely with the web implementation, optimized for mobile form factor.
Members Screen
Visual Indicators:
Section Notice (Top of screen)
Attribute Values Display
Display required attributes as a flat list of tags, wrapping onto multiple rows if necessary, clearly visible at the top; the list scrolls along with the content of the page and is NOT fixed/sticky.
Add Members Screen
Visual Indicators:
Section Notice:
Clearly inform the user at the top of the Add Members screen.
Functionality Restrictions:
User Search and Selectability:
Identical to web behavior—users not matching the ABAC conditions do not appear in search results, ensuring only eligible users can be added.
Licensing
This feature will be a part of the Enterprise Advanced SKU.
For workspaces on any other pricing tier, there should be an upsell placeholder shown on the Attribute-based access page.
Coming in future phases
Attribute based policy settings in the Team Settings modal.
Attribute based rules settings in the Channel Settings modal.
Add a new Role (Access controller) in Delegated Granular Administration for managing ABAC.
'Need to know' attribute/value/rule masking.
Configurable end user indicators + more UI touchpoints to surface them (eg. Channel header, Find channels modal).
Applying ABAC to Public channels?
Open Questions
How do we support or work around the hierarchical structure of user attributes that may exist in customer attribute management systems or mental models? E.g., anyone with a Top secret clearance level should also be able to view channels marked as Unclassified.
How do we support the tree structure for properties that may exist in external systems?
Old explorations
Configuration
Enabling Attribute-Based Access
Channel Settings → Access
For Private channels, a new toggle should be added under Channel Access, labeled “Manage access with user properties”.
Once the toggle is on, users will have an option to select user properties and specify one or more values for each property. Only users who have those values will get access to the channel.
Adding Properties & Values
Select Property
Clicking “+ Select property” reveals a dropdown listing all available user attributes that can be added. Only Select and Multi-select type custom user attributes will be shown here.
Users should be able to search through the available user attributes if there are more than 3 attributes available to choose from.
Select Values
After choosing a property (e.g. Clearance), the admin can pick one or multiple valid values from a dropdown.
For single-select properties — multiple values for the same property are combined with OR. So a user can have either of the selected values to get access to the channel.
For multi-select properties — there will be an option in the ••• context menu for the property row that lets the user configure if all selected values will be required to satisfy the property row rule or if having any of the selected values will be enough to satisfy the property row.
Once a value is selected, the user can unselect it by clicking on the x icon in the value chip.
Property-Level Options
For each property row added, there will be a context menu (•••) which should include:
Required values
Visible only if the property type is multi-select.
.“All values required”: The user must hold all selected values for this property.
Example: Program = [Dragon Spacecraft, Black Phoenix], “All values required” means the user must be in both programs simultaneously to get access to the channel.
“Any 1 value required”: The user must hold at least one of the selected values.
Example: Program = [Dragon Spacecraft, Black Phoenix], “Any 1 value required” means the user can be in either program.
Link to Channel Property (toggle)
Turning this On creates (and syncs) a corresponding read‐only “channel property” that can be displayed in the channel header and other places.
Default value: OFF
Remove property
Removes the respective property restriction row from the channel.
Adding multiple property rows
Users will be able to add multiple properties along with their corresponding values to control channel access.
A single global control (dropdown) called “All properties required / Any 1 property required” allows the admin to specify AND or OR logic across different property rows configured.
All properties required - The user must satisfy every property row rules configured.
Any 1 property required - The user must satisfy at least one of the property row rules.
Saving and Validation
(Mockups will be added)
When the user modifies the access rules and saves the settings, we will need to validate the access rules and inform the user about any unexpected scenarios:
No Users Match
On “Save,” if no existing members meet the new rules, a blocking error modal appears informing the user “No users meet the selected property requirements. Please modify the requirements to save your changes.”
Current user does not match
If the user’s own profile attribute values don’t meet the new rules, show a warning modal informing them “You do not meet the selected property requirements. If you continue, you will be removed from the channel.” with options to Cancel or Continue Anyway.
If they proceed, they lose channel membership (subject to the Grace Period rules below).
Some users may be removed
If the user configures property rules on a channel that will end up removing any existing members from the channel, show a warning modal when the user clicks on Save, informing them “The selected property requirements will remove [XX] existing members from this channel.”
[Cancel] [Continue Anyway]
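The three save-time checks above (no members match, the saving user no longer matches, some members would be removed) can be computed from the proposed rule and the current member list before anything is persisted. The following Python is an added example written for this spec, not product code; the user table, the membership set and the check ordering (blocking error first, then the self-removal warning, then the removal count) are assumptions, since the spec does not say which dialog wins when several apply.

```python
# Constructed sample data (not from the product): user id -> profile attributes.
USERS = {
    "admin": {"clearance": "Low"},
    "alice": {"clearance": "High"},
    "bob":   {"clearance": "Low"},
}
MEMBERS = {"admin", "alice", "bob"}

NO_MATCH_MSG = ("No users meet the selected property requirements. "
                "Please modify the requirements to save your changes.")
SELF_MSG = ("You do not meet the selected property requirements. "
            "If you continue, you will be removed from the channel.")


def validate_access_rules(rule, members, users, current_user):
    """Return (blocking, findings) for a proposed rule on one channel.

    findings is a list of (severity, message). blocking=True means Save must
    be refused outright; warnings require the user to choose Continue Anyway.
    """
    remaining = {uid for uid in members if rule(users.get(uid, {}))}
    if not remaining:
        return True, [("error", NO_MATCH_MSG)]          # nobody would be left
    removed = set(members) - remaining
    findings = []
    if current_user in removed:                          # the saver locks themselves out
        findings.append(("warning", SELF_MSG))
    if removed:
        findings.append(("warning",
                         f"The selected property requirements will remove "
                         f"{len(removed)} existing members from this channel."))
    return False, findings


def clearance_is(level):
    """Build the predicate for the Basic-mode row 'Clearance is <level>'."""
    return lambda attrs: attrs.get("clearance") == level
```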
Grace Period (Out of scope?)
If a current channel member (including an admin) no longer meets the channel’s property requirements (e.g., their “Clearance” changes):
Loss of access — The user immediately loses access to channel content (cannot view or post), but remains listed in the members list in a disabled state.
Hovering on the user will show a tooltip saying: “This user no longer meets channel requirements. [Grace Period: X days left]”
Reinstatement — If their attribute values revert to matching the ones required for access before the Grace Period ends, they should automatically regain full membership of the channel.
Removal — After the Grace Period expires, the user is permanently removed. An admin can also manually remove them at any time from the Manage Members RHS.
Grace Period Configuration
A System Admin can set a time duration (e.g., 2 days) in the System Console for the Grace Period. This applies globally to all channels using attribute‐based access.
Adding People to Channel
In the Add People to Channel modal, there will be a section notice shown informing the user that attribute based access restrictions are applicable for that channel.
Only users who meet the current property rules appear in the search and can be invited to the channel. Anyone else is hidden from the results entirely.
Displaying property values required for access
Channel Members RHS
A section should be added at the top of the Channel Members RHS to convey that attribute based access control is enabled for the channel.
Property values necessary to get access to the channel should also be shown as a flat list in a single row. Hovering on any value should reveal the corresponding property in a tooltip.
If there are more property values than fit in the row, they should be combined into a single `+XX` tag, with a tooltip showing all the property-value pairs that have been configured for the channel.
Clicking anywhere on this section should open Channel Settings → Access tab to view more details, only if the user is allowed to view the Channel Settings modal.
Permissions & Roles
This will rely on the Manage Channel Settings permission in the System Console > System Scheme. By default:
Channel Admin (or System Admin) can configure property-based access.
Channel members can view the configured properties and values but will not be able to modify them.
System admins can update the System/Team Permission scheme to allow members to edit Channel Settings.