Machine identities can have metadata set manually, just like users. In addition, during the machine authentication process (e.g., via OIDC), the identity provider supplies extra attributes, called claims, which can be used in your ABAC policies.

Setting Metadata on Machine Identities

  1. Navigate to the Access Control page on the organization sidebar and select a machine identity.
  2. On the machine identity page, click the pencil icon to edit the selected identity.
  3. Add metadata via key-value pairs and update the machine identity.

Accessing Attributes From Machine Identity Login

When machine identities authenticate, they may receive additional payloads or attributes from the identity provider. For methods like OIDC, these come as claims in the token and can be mapped so that they are available in your policies.

  1. Navigate to the Identity Authentication settings and select the OIDC Auth Method.
  2. In the Advanced section, locate the Claim Mapping configuration.
  3. Map the OIDC claims to permission attributes by specifying:
    • Attribute Name: The identifier to be used in your policies (e.g., department).
    • Claim Path: The dot notation path to the claim in the OIDC token (e.g., user.department).

For example, if your OIDC provider returns:

{
  "sub": "machine456",
  "name": "Service A",
  "user": {
    "department": "engineering",
    "role": "service"
  }
}

You might map:

  • department: to user.department
  • role: to user.role

Once configured, these attributes become available in your policies using the following format, where <permission claim name> is the Attribute Name you specified in the claim mapping:

{{ identity.auth.oidc.claims.<permission claim name> }}
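The claim-mapping and substitution steps above, as an added illustration that is not the product's own implementation: it walks each configured Claim Path through the example token payload, builds the permission attributes, and replaces the {{ identity.auth.oidc.claims.<name> }} placeholders in a policy string. The token payload and mapping are constructed from the example in the text; the policy string and the function names are assumptions made for this example.

```python
import json
import re

# Constructed sample: the decoded payload of an OIDC token, matching the
# example above. In practice the token's signature is verified before any
# claim in it is trusted.
SAMPLE_TOKEN_PAYLOAD = json.loads("""
{
  "sub": "machine456",
  "name": "Service A",
  "user": {
    "department": "engineering",
    "role": "service"
  }
}
""")

# Constructed claim mapping: Attribute Name -> Claim Path (dot notation),
# as configured under Claim Mapping in the text above.
CLAIM_MAPPING = {
    "department": "user.department",
    "role": "user.role",
}

# Matches {{ identity.auth.oidc.claims.<name> }} inside a policy string.
_PLACEHOLDER = re.compile(
    r"\{\{\s*identity\.auth\.oidc\.claims\.([A-Za-z0-9_]+)\s*\}\}"
)


def resolve_claim_path(payload, path):
    """Walk a dot-notation Claim Path through nested claim objects.

    Returns None when a segment is missing or a non-object is reached before
    the path is exhausted, so a misconfigured path never aliases another
    claim's value (e.g. "sub.x" must not resolve to the string in "sub").
    """
    node = payload
    for segment in path.split("."):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def map_claims(payload, mapping):
    """Build the permission attributes from a token using the configured mapping."""
    return {name: resolve_claim_path(payload, path) for name, path in mapping.items()}


def render_policy(template, attributes):
    """Substitute {{ identity.auth.oidc.claims.<name> }} placeholders.

    A placeholder whose attribute was never mapped, or whose claim was absent
    from the token, raises KeyError so that a policy never silently evaluates
    with an empty attribute value.
    """
    def substitute(match):
        name = match.group(1)
        value = attributes.get(name)
        if value is None:
            raise KeyError(f"claim attribute {name!r} not available from OIDC login")
        return str(value)

    return _PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    attrs = map_claims(SAMPLE_TOKEN_PAYLOAD, CLAIM_MAPPING)
    print(attrs)
    # Constructed policy fragment; the surrounding policy syntax is assumed.
    print(render_policy("department:{{ identity.auth.oidc.claims.department }}", attrs))
```

Failing closed on a missing claim is the design choice worth keeping: if the provider stops emitting a claim that a policy depends on, the mismatch surfaces as an error at evaluation time rather than as a policy that quietly matches an empty string.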