
Attribute-Based Access Control with Olympus

ABAC = decisions based on attributes of: subject (user), resource, action, environment. More flexible than RBAC; more complex.

Olympus's role

Olympus provides subject attributes via Kratos identity traits + Hydra claims. The decision engine (your code, OPA, Cedar) is separate.

Subject attributes

{
  "sub": "01H8...",
  "role": "operator",
  "department": "engineering",
  "office_country": "DE",
  "clearance_level": 3,
  "groups": ["engineers", "oncall"]
}

All these flow from the identity schema's traits, through Hydra into the ID token.

Resource attributes

Defined per-resource in your app:

{
  "id": "doc-123",
  "owner_id": "01H7...",
  "classification": "internal",
  "department": "engineering"
}

Action attributes

Often just a string: read, write, delete. Sometimes complex: read.with-pii, read.metadata-only.

Environment attributes

  • Time of day.
  • Source IP / network.
  • Recent auth strength (acr).
  • Detected risk score.

Decision example

interface Subject { sub: string; role: string; department: string; clearance_level: number; }
interface Resource { id: string; owner_id: string; classification: string; department: string; }
interface Env { hour: number; }

function canAccess(subject: Subject, resource: Resource, action: string, env: Env): boolean {
  // Deny rules run first, so no allow rule below can bypass them.

  // Classified resources require clearance
  if (resource.classification === "secret" && subject.clearance_level < 3) return false;

  // Off-hours = read-only
  if ((env.hour < 8 || env.hour > 18) && action !== "read") return false;

  // Owners can do anything to their own resources
  if (subject.sub === resource.owner_id) return true;

  // Admins can read anything
  if (subject.role === "admin" && action === "read") return true;

  // Same-department write
  if (subject.department === resource.department && action === "write") return true;

  // Default deny
  return false;
}

When ABAC code grows unwieldy

10-20 rules are manageable in code. Above that, externalize to a policy engine:

  • OPA: Rego-based policies; can be embedded as a sidecar or library.
  • Cedar: AWS's policy language, similar shape.
  • Casbin: multi-language policy engine.

See Security, Authorization, OPA integration.

Performance

Each ABAC decision involves multiple attribute lookups. For high-throughput services:

  • Cache subject attributes (from ID token introspection).
  • Cache resource attributes (your DB).
  • Memoize decisions briefly.
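The "memoize decisions briefly" point has a pitfall: the cache key must cover every attribute the decision reads, including environment attributes, or an allow computed in one context is replayed in another. The following is an added example, not Olympus's own code; it assumes the canAccess(subject, resource, action, env) shape used above, a constructed sample decision function, and an injectable clock for TTL expiry.

```typescript
// Added example (not Olympus's own code): a short-TTL memoizer for ABAC
// decisions, matching the canAccess(subject, resource, action, env) shape above.
type Subject = { sub: string; role: string; department: string; clearance_level: number };
type Resource = { id: string; owner_id: string; classification: string; department: string };
type Env = { hour: number; acr?: string };
type Decide = (s: Subject, r: Resource, action: string, env: Env) => boolean;

// The key must cover every attribute the decision reads. Leaving out env.hour,
// for example, would let an allow computed at 10:00 be replayed after hours.
function decisionKey(s: Subject, r: Resource, action: string, env: Env): string {
  return JSON.stringify([
    s.sub, s.role, s.department, s.clearance_level,
    r.id, r.owner_id, r.classification, r.department,
    action, env.hour, env.acr ?? "",
  ]);
}

function memoizeDecision(decide: Decide, ttlMs: number, now: () => number = Date.now) {
  const cache = new Map<string, { value: boolean; expiresAt: number }>();
  let computed = 0; // number of times the underlying decision actually ran
  const cached: Decide = (s, r, action, env) => {
    const key = decisionKey(s, r, action, env);
    const t = now();
    const hit = cache.get(key);
    if (hit !== undefined && hit.expiresAt > t) return hit.value; // fresh entry: reuse
    const value = decide(s, r, action, env);
    computed++;
    cache.set(key, { value, expiresAt: t + ttlMs }); // short TTL bounds staleness
    return value;
  };
  return { cached, computedCount: () => computed };
}

// Constructed sample decision: anyone may read; owners may also write, but only in office hours.
const sampleDecide: Decide = (s, r, action, env) => {
  if ((env.hour < 8 || env.hour > 18) && action !== "read") return false;
  if (s.sub === r.owner_id) return true;
  return action === "read";
};
```

Keep the TTL in the range of seconds: a revoked clearance or a role change is invisible to callers until the cached decision expires.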