Using Custom Policy Attributes

Some advanced platform use cases may require defining a subset of access controls on a per-user basis. The platform provides a mechanism for "extending" policies for particular users via the Policy Attributes API.

Note: This page requires an understanding of Access Control Policies, including the advanced syntax for defining them. For an overview of how Access Control works on the platform, see the Access Control Overview. For a detailed description of policy syntax and terminology, see Access Control Policy Syntax.

When To Use Custom Policy Attributes

Custom policy attributes may be useful if your platform use case matches any of the following criteria:

  • You want to control access to LifeOmic resources based on user attributes that are owned and managed by an external system (e.g. your application).

  • You cannot use the default built-in ABAC attributes to enforce your access control.

If any of these scenarios apply to your use case, you can "mirror" your external user attributes as custom policy attributes and then reference them in your access control policies.

How To Use Custom Policy Attributes

Working with custom policy attributes is a simple two-step process.

Set Custom Attributes

First, use the Policy Attributes API to set custom attributes for a particular user.

// PUT /v1/policy-attributes/users/john-doe
// Authorization: Bearer <access_token>
// LifeOmic-Account: <your account>
{
  "attributes": {
    "myCustomAttribute": "..."
  }
}

The attributes definition can contain any valid JSON:

{
  "attributes": {
    "myStringAttribute": "a-string-value",
    "myBooleanValue": true,
    "myArrayValue": [
      "array-value-one",
      "array-value-two"
    ],
    "myObjectValue": {
      "aNestedProperty": "nested-property-value"
    }
  }
}

Reference Custom Attributes

Now, you can reference these custom attributes in your central access control policies using the standard ABAC attribute syntax. Custom attributes are exposed under the user.customAttributes namespace:

{
  "rules": {
    "readData": [
      {
        "user.customAttributes.myCustomAttribute": {
          "comparison": "equals",
          "value": "..."
        }
      }
    ]
  }
}
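
The two steps above, combined into one sketch of a sync job that mirrors an external user record and builds the matching policy rule. This is an added example, not code from the platform or its SDK. The API_BASE host, the MIRRORED_FIELDS allow-list, the helper names and the sample record are assumptions made for illustration; only the request path, the headers and the rule shape come from this page.

```python
import json
from urllib.parse import quote

# Assumption: placeholder host; substitute your real API base URL.
API_BASE = "https://api.example.invalid"
# Assumption: only these external fields are mirrored; everything else is dropped.
MIRRORED_FIELDS = {"department", "clearedForPHI"}


def build_attribute_request(username, external_user, account, access_token):
    """Build the PUT request that mirrors allow-listed external attributes."""
    attributes = {k: v for k, v in external_user.items() if k in MIRRORED_FIELDS}
    body = json.dumps({"attributes": attributes}, sort_keys=True)  # raises on non-JSON values
    return {
        "method": "PUT",
        # quote(..., safe="") stops a username like "a/../b" from altering the path.
        "url": f"{API_BASE}/v1/policy-attributes/users/{quote(username, safe='')}",
        "headers": {
            "Authorization": f"Bearer {access_token}",
            "LifeOmic-Account": account,
            "Content-Type": "application/json",
        },
        "body": body,
    }


def build_rule(operation, attribute, value):
    """Build a policy fragment that gates `operation` on one custom attribute."""
    if attribute not in MIRRORED_FIELDS:
        raise ValueError(f"{attribute!r} is not mirrored, so no user would carry it")
    key = f"user.customAttributes.{attribute}"
    return {"rules": {operation: [{key: {"comparison": "equals", "value": value}}]}}


# Constructed sample record from a hypothetical external user store.
SAMPLE_USER = {"department": "oncology", "clearedForPHI": True, "passwordHash": "x"}

if __name__ == "__main__":
    req = build_attribute_request("john-doe", SAMPLE_USER, "my-account", "<access_token>")
    print(req["method"], req["url"])
    print(req["body"])
    print(json.dumps(build_rule("readData", "department", "oncology"), indent=2))
```

Keeping the allow-list next to the rule builder means a policy cannot reference an attribute the sync job never writes, and fields such as credentials in the external record are never copied into policy attributes.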