Hanzo
PlatformHanzo KMSPlatformAccess ControlsAttribute-Based Access Control

Users identities

How to set and use metadata attributes on user identities for ABAC.

User identities can have metadata attributes assigned directly. These attributes (such as location or department) are used to define dynamic access policies.

Setting Metadata on Users

For organizations using SAML for user logins, Hanzo KMS automatically maps metadata attributes from SAML assertions to user identities on every login. This enables dynamic policies based on the user's SAML attributes.

Applying ABAC Policies with User Metadata

Attribute-based access controls are currently only available for policies defined on Secrets Manager projects. You can set ABAC permissions to dynamically set access to environments, folders, secrets, and secret tags.

In your policies, metadata values are accessed as follows:

  • User ID: {{ identity.id }} (always available)
  • Username: {{ identity.username }} (always available)
  • Metadata Attributes: {{ identity.metadata.<metadata-key-name> }} (available if set)

How is this guide?

Last updated on

Overview

Learn the basics of ABAC for both users and machine identities.

Machine identities

Learn how to set metadata and leverage authentication attributes for machine identities.

On this page

Setting Metadata on Users
Applying ABAC Policies with User Metadata