
ABAC and attributes

What Attribute-Based Access Control is, how ServiceChanger links attributes to groups, and how to write your first rules.

Concept

ABAC stands for Attribute-Based Access Control. Access is determined by the user's attributes (job title, department, location), not by manually assigned groups.

In ServiceChanger you define which attribute grants which group. That link is the rule. If a user has the attribute, ServiceChanger puts them in the linked group. When the attribute changes, the membership adjusts.

ServiceChanger reads attributes from Entra ID. It does not write attributes back and does not change them. How attributes get into Entra (by hand, through a script, or through your own sync) stays your choice.

Attributes, with HR as custom work

By default ServiceChanger reacts to what is already in Entra. If you want a role change to adjust access automatically, make sure the matching attribute in Entra is updated. ServiceChanger does the rest. If you want to connect your HR system for onboarding and offboarding, we build that as custom work using automation accounts and runbooks in Azure.

How a rule is built

A rule links an attribute to a target group:

  1. Attribute: the value you match on, for example job title or department.
  2. Target group: the Entra or AD group that gets filled.
  3. Level: attributes have a level (level1 to level4) so you can aim broad or narrow.

A simple condition looks like this:

Attribute: jobTitle contains "Sales"
Target group: Sales-Amsterdam

Composed attributes

An attribute can be composed of two values. That lets you combine "Sales" and "Amsterdam" into a single attribute that only catches the Sales people in Amsterdam. In ServiceChanger this is a composed attribute, with a primary and a secondary value.

Attributes you can use

All standard Entra ID user attributes, including:

  • jobTitle, department, officeLocation, companyName
  • city, country, state
  • employeeId, employeeType, employeeHireDate
  • extensionAttribute1 through extensionAttribute15 (custom attributes)
  • userType (Member or Guest)

Note: displayName and mobilePhone can often be edited by employees themselves. Do not use them as a basis for access.

Levels

Attributes have a level. You use a low level for broad access (everyone in a country) and a higher level for more specific access (a team within a department). Group mining also uses these levels to suggest consolidation, for example replacing two narrow links with one broader attribute.

Start with a small test group

Before a rule goes broad, test it on a small test group of a few users first. That way you see on a limited group whether the right people get added or removed. Does it look right? Adjust where needed and then roll the rule out more broadly.

Cloud and on-prem

If the rule points to a cloud-only Entra group, ServiceChanger updates membership through Microsoft Graph. If it points to an on-prem synced group, the change runs through the PowerShell runbook on your hybrid worker and writes back through Entra Connect. See Hybrid and on-prem AD.

ServiceChanger recognizes whether a group or user is on-prem synced. Microsoft cannot add a cloud-only user to an on-prem mastered group, so that combination is skipped and reported.
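The rule evaluation described above (a simple "contains" condition, a composed attribute with a primary and secondary value, empty attributes never matching, and cloud-only users being skipped and reported for on-prem mastered groups) as an added worked example. This is not ServiceChanger's own code; the rule layout, field names and the sample users are constructed for illustration.

```python
# Added illustration: evaluating ServiceChanger-style rules against Entra ID user
# attributes. Not ServiceChanger's code; rule shape, field names and the sample
# users below are constructed for this example.

def matches(user: dict, attr: str, needle: str) -> bool:
    """Case-insensitive 'contains' match. An empty or missing attribute never matches."""
    value = user.get(attr) or ""
    return bool(value) and needle.lower() in value.lower()

def rule_matches(user: dict, rule: dict) -> bool:
    """A simple rule has one condition; a composed rule needs primary AND secondary."""
    if not matches(user, rule["attribute"], rule["contains"]):
        return False
    secondary = rule.get("secondary")  # present only for composed attributes
    return secondary is None or matches(user, secondary["attribute"], secondary["contains"])

def plan_membership(users, rule, current_members):
    """Return (add, remove, skipped) for one rule and its target group.
    skipped = cloud-only users matched to an on-prem mastered group; that write
    is not accepted, so it is reported instead of attempted."""
    wanted, skipped = set(), set()
    for u in users:
        if not rule_matches(u, rule):
            continue
        if rule["group_onprem_synced"] and not u["onprem_synced"]:
            skipped.add(u["upn"])
        else:
            wanted.add(u["upn"])
    current = set(current_members)
    return sorted(wanted - current), sorted(current - wanted), sorted(skipped)

# Constructed sample data: composed rule "Sales" + "Amsterdam" targeting an on-prem synced group.
SALES_AMS = {
    "attribute": "jobTitle", "contains": "Sales",
    "secondary": {"attribute": "officeLocation", "contains": "Amsterdam"},
    "group": "Sales-Amsterdam", "group_onprem_synced": True,
}
USERS = [
    {"upn": "ann@example.test", "jobTitle": "Sales Manager", "officeLocation": "Amsterdam", "onprem_synced": True},
    {"upn": "bob@example.test", "jobTitle": "Sales Rep", "officeLocation": "Rotterdam", "onprem_synced": True},
    {"upn": "cem@example.test", "jobTitle": "Sales Rep", "officeLocation": "Amsterdam", "onprem_synced": False},
    {"upn": "dee@example.test", "jobTitle": None, "officeLocation": "Amsterdam", "onprem_synced": True},
]

if __name__ == "__main__":
    # bob is a current member but no longer matches, so he is removed
    print(plan_membership(USERS, SALES_AMS, ["bob@example.test"]))
```

Running it on the sample data adds ann, removes bob (office no longer Amsterdam), skips cem (cloud-only user, on-prem group) and ignores dee (empty jobTitle).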

Troubleshooting

Users who should match do not match. Check whether the attribute is populated for that user. Empty attributes produce no match.

Rule matches but the group is not updated. Check the group's status in Entra ID. On-prem mastered or mail-enabled security groups do not accept membership writes through Graph.

Too many users matched. The condition is too broad. Use a more specific attribute or a composed attribute.
