Context
Attribute-Based Access Control (ABAC) allows you to restrict user access to only specific projects based on attributes like tags. This is useful when you want users to only see projects they have permission to access, rather than all projects in a workspace.
Answer
To properly set up ABAC for project-level access control, follow these steps:
1. Enable ABAC Feature
Add the following environment variable to your LangSmith installation:
    - name: "DEFAULT_ORG_FEATURE_CAN_USE_ABAC"
      value: "true"

2. Ensure You Have the Latest Version
Make sure you're using Helm chart version 0.12.8 or later (application version 0.12.35 or later). Earlier versions may not support all ABAC functionality properly.
3. Configure Role with Minimal Permissions
Create a custom role that only includes essential permissions. Remove projects:read from the RBAC permissions if you want to control project access through policies:
    {
      "name": "custom_role",
      "permissions": [
        "workspaces:read"
      ],
      "access_scope": "workspace"
    }

4. Create Allow Policies
Create policies with "effect": "allow" that grant access to specific projects based on tags. You need separate condition groups for both projects:read and runs:read:
    {
      "name": "allow_project_access",
      "effect": "allow",
      "condition_groups": [
        {
          "permission": "projects:read",
          "resource_type": "project",
          "conditions": [
            {
              "attribute_name": "resource_tag_key",
              "attribute_key": "YourTagKey",
              "operator": "equals",
              "attribute_value": "YourTagValue"
            }
          ]
        },
        {
          "permission": "runs:read",
          "resource_type": "project",
          "conditions": [
            {
              "attribute_name": "resource_tag_key",
              "attribute_key": "YourTagKey",
              "operator": "equals",
              "attribute_value": "YourTagValue"
            }
          ]
        }
      ]
    }

5. Tag Your Projects
Ensure your projects are properly tagged with the attributes referenced in your policies. The tags must match exactly what you've specified in the policy conditions.
6. Assign Role to Users
Assign the custom role to users. Note that users must have the "Organization User" org_role_id (not Organization Admin) to use custom roles with access policies.
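The following is an added toy model of the decision that steps 3 through 6 set up, not LangSmith's own evaluation code: the custom role grants only workspaces:read, and projects:read and runs:read on a project come solely from an allow policy whose resource_tag_key conditions match the project's tags exactly. The tag key "team", the tag value "payments" and the project names are constructed sample values.

```python
# Toy model of the role-plus-policy decision described in steps 3 and 4.
# Assumption, not LangSmith's code: a permission on a project is granted if the
# role lists it directly, or an allow policy has a condition group for that
# permission and resource type whose conditions all match the project's tags.

# Constructed role: projects:read deliberately left out, as in step 3.
CUSTOM_ROLE = {"name": "custom_role", "permissions": ["workspaces:read"],
               "access_scope": "workspace"}

# Constructed policy with the two condition groups the page requires.
ALLOW_POLICY = {
    "name": "allow_project_access",
    "effect": "allow",
    "condition_groups": [
        {"permission": perm, "resource_type": "project",
         "conditions": [{"attribute_name": "resource_tag_key",
                         "attribute_key": "team", "operator": "equals",
                         "attribute_value": "payments"}]}
        for perm in ("projects:read", "runs:read")
    ],
}

# Constructed projects; each maps tag key -> tag value.
PROJECTS = {"payments-prod": {"team": "payments", "env": "prod"},
            "search-prod": {"team": "search", "env": "prod"},
            "payments-caps": {"team": "Payments"},  # case differs: no match
            "untagged": {}}


def condition_matches(cond, tags):
    """resource_tag_key/equals matches only an exact key and value pair."""
    if cond["attribute_name"] != "resource_tag_key" or cond["operator"] != "equals":
        return False  # unmodelled condition types never grant access
    return tags.get(cond["attribute_key"]) == cond["attribute_value"]


def is_allowed(role, policies, permission, tags):
    """True if the role grants the permission outright or a matching allow
    policy condition group is fully satisfied by the project's tags."""
    if permission in role["permissions"]:
        return True
    groups = (g for p in policies if p.get("effect") == "allow"
              for g in p["condition_groups"])
    return any(g["permission"] == permission and g["resource_type"] == "project"
               and all(condition_matches(c, tags) for c in g["conditions"])
               for g in groups)


def visible_projects(role, policies, projects, permission="projects:read"):
    """Project names the user is allowed to see for the given permission."""
    return [n for n, tags in projects.items() if is_allowed(role, policies, permission, tags)]
```

Running `visible_projects(CUSTOM_ROLE, [ALLOW_POLICY], PROJECTS)` returns only the project whose tag matches exactly; the differently cased tag and the untagged project stay hidden, which is the behaviour step 5 warns about.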
Important Notes
User Provisioning: You cannot update a user's role while they are in "pending" state. Consider using JIT provisioning or SCIM for programmatic user setup without pending states.
Multiple Projects: If a user needs access to multiple projects, create separate allow policies for each project or include multiple condition groups in a single policy.
Current Limitations: There may be occasional UI issues when accessing projects with ABAC policies. These are being actively addressed in upcoming releases.
For more detailed information, refer to the ABAC documentation.