Activity Access Controls

What Are Activity Access Controls?

Activity access controls are predefined rules that allow you to control what access the users in your Uptempo environment have to the activities in that environment. As an administrator, you can use access controls to define who (users) can access what (activities and their data) and how (the permitted actions). For example, you can create access controls to ensure users can only make changes to activities within their department or region, or to prevent specific users from seeing any details at all about certain activities.

By creating access controls and assigning them to your users, you can ensure that users only have access to the activity details and functionality they need. This helps to protect sensitive or privileged information, and maintains data integrity by preventing unauthorized changes.

How Do Activity Access Controls Work?

Uptempo Plan uses the "deny by default" principle for activity access control, which means that users have no access to any activity by default. Instead, administrators must grant users explicit permission to access and interact with activities.

Policies

To grant access permissions to users, you first create policies that define the extent of access that will be granted. Then, you apply those policies by linking users to them. Whenever a user makes an access request, Uptempo Plan dynamically decides whether to grant or deny the request, using this process:

  1. A user requests access to an activity.

  2. The system retrieves all of the access control policies that the user is linked to.

  3. The system evaluates the policies to decide whether the user has permission to receive the requested access.

  4. The system grants or denies access based on the outcome of the evaluation.

For example, say a user opens the Details view of a particular activity: if the user's policies give permission to see the activity's details, the system will display those details to the user; otherwise, the system hides the details.

Statements

To define the exact permissions that a policy grants, you create statements. A policy can contain one or multiple statements, and each statement defines a particular extent or scope of access: for example, a statement might grant full access to create, edit, or delete all activities, or it might only grant access to view activities of a specified type.

Statements are additive, which means a policy grants the sum of all its statements added together. In cases where two applicable statements have an overlapping scope (e.g. the same activity type), that means that the statement which grants more access is the one that will take effect. Additionally, users can be linked to multiple policies, so users are granted the sum of the statements across all of the policies they are linked to.

Note

"Requesting access" consists of both actions that the user actively performs, as well as implied requests that the user may not even be aware of. To ensure both data security and a seamless user experience, the system is designed to adjust its behavior in a way that is transparent to the user based on their permissions.

For instance, if the user in the aforementioned had view permission but not edit permission, the system would not wait until they tried to make a change to the activity, but instead would proactively hide the Edit buttons on the activity.

How Are Activity Access Control Statements Structured?

Uptempo's activity access controls are based on the Attribute-Based Access Control (ABAC) model, which evaluates attributes of the entities involved in an access control request (i.e. the Plan user and activity) to make access decisions. As a result, Uptempo's activity access control permissions (statements) are structured around attributes of users and activities.

What is Attribute-Based Access Control (ABAC)?

To understand how Uptempo's activity access controls work, it's helpful to first understand some basics about Attribute-Based Access Control (ABAC).

Like all access control models, ABAC is centered around the concept of protecting resources by deciding which users are allowed to perform specific actions on those resources:

  • Resources are the objects that the ABAC system is protecting. In Uptempo Plan, these are your activities and their data.

  • Users are the entities who are requesting access to the resources. In Uptempo Plan, these are user accounts with access to the Plan module.

  • Actions are the operations that users are requesting to perform on a resource, such as viewing, creating, editing, deleting, etc. In Uptempo Plan, these actions include the basic user operations such as viewing or creating an activity, but can also be defined more specifically, e.g. placing an activity as a child of another activity is an action that can be defined and controlled.

When a user makes a request to the system to perform an action on a resource, the ABAC system looks at the attributes of the user and resource involved:

  • Attributes are characteristics of the entities involved, i.e. the user making the request, and the resource involved in the request. In Uptempo Plan, these are typically properties of activities, such as the activity type (user properties are not yet supported as ABAC attributes).

The ABAC system then looks at the user's policies, and the statements they contain. Each statement is a rule that defines certain attribute-based requirements, and specifies an access control effect (allow or deny) that is applied when these requirements are met.

To make an access control decision, the ABAC system compares the attributes of the user and the requested resource, and evaluates them against the user's access control policies. If the user is linked to a policy that defines a statement (permission) for the attributes involved, the ABAC system grants (or denies) access accordingly.

Example

Assume a user has an access control statement that says:

"ALLOW users in the location EUROPE to VIEW resources with the type DOCUMENT."

If that user makes an access request where:

  • The requested Action is: VIEW

  • The user's Location attribute is: EUROPE

  • The resource's Type attribute is: DOCUMENT

Then this statement would take effect, because all of the statement's requirements are met by the access request. As a result, the access control system applies the effect specified by the statement (ALLOW), and grants access.

If any of the statement's requirements were not met (for example, if the requested action is EDIT), the statement would not apply. In this case, assuming none of the user's other statements are applicable, the access control system would deny access.

Structure of Activity Access Control Statements

In Uptempo, the basic structure of an access control statement is defined using the following four properties:

  1. Effect (required): The effect the statement has when it applies to an access request, i.e. whether the statement allows or denies access.

  2. Action (required): The operation that the user is requesting to perform on the resource, e.g. view, create, etc.

  3. Resource (required): The type of object that the user is requesting to perform the action on, i.e. an activity type.

  4. Conditions (optional): Additional conditions to define the resource with greater granularity, based on activity attribute values (e.g. activities where a specified activity attribute has a particular value).

You construct statements using the Statement Editor, in which you make selections to define each of the parts of the statement. Completed statements are represented as sentences that summarize the access scope of the statement. For example:

ALLOW View access for any Activity

This statement allows users to view activities of all types.

If a statement contains conditions, this is indicated in the statement summary, along with the number of applicable conditions. For example:

ALLOW All actions for any Activity that meets the specified conditions: Conditions (2)

This statement allows users to perform any action on activities that meet certain conditions.

You can click on Conditions (x) to view the conditions on the statement. The conditions are listed individually, like this:

ALLOW All actions for any Activity where:

  • Objective is one of Lead Nurturing, Brand Awareness

  • Activity Type is Tactic

This statement allows users to perform any action on any activity that has the activity type "Tactic", and has its Objective attribute set to either "Lead Nurturing" or "Brand Awareness".

Conditions can be set based on matching either a single value with operator "is", or on matching one of multiple values with the operator "is one of".

Tip

If multiple conditions are specified within a statement, the individual conditions are logically evaluated with an AND operator, i.e. all conditions specified must be met for the statement to apply.

Because statements are additive, separate statements are effectively evaluated with an OR operator, i.e. the requirements of either Statement A or Statement B may be met. As a result, you can also create conditions that should be evaluated as OR (instead of AND) by placing them in separate statements.

Which Capabilities Are Supported?

Activity access control permissions are defined based on four properties: Users, Effects, Actions, and Resources. Each of these properties contains various types: for example, the Users object contains users (individual users) and teams (groups of users).

At present, activity access controls do not yet have support for all available types within each property. This means that activity access controls support certain kinds of configurations today, with more to be added in the future. For a full list of supported capabilities, see Reference: Access Control Statement Properties.

Next Steps

To learn how to create, configure, and manage access control policies and statements, see Managing Access Control for Activities.