

# Enable and configure attributes for access control
<a name="configure-abac"></a>

To use attribute-based access control (ABAC), you must first enable it in either the **Settings** page of the IAM Identity Center console or through the [IAM Identity Center API](https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_CreateInstanceAccessControlAttributeConfiguration.html). Regardless of the identity source, you can always configure user attributes from the Identity Store for use in ABAC. In the console, you do this from the **Attributes for access control** tab on the **Settings** page. If you use an external identity provider (IdP) as the identity source, you also have the option of receiving attributes from the external IdP in SAML assertions. In this case, you need to configure the external IdP to send the desired attributes. If an attribute that arrives in a SAML assertion is also configured as an ABAC attribute in IAM Identity Center, the Identity Store value takes precedence: IAM Identity Center sends that value, not the SAML value, as a [session tag](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) when the user signs in to an AWS account.

**Note**  
You cannot view attributes configured and sent by an external IdP from the **Attributes for access control** page in the IAM Identity Center console. If you are passing access control attributes in the SAML assertions from your external IdP, then those attributes are directly sent to the AWS account when users federate in. The attributes won’t be available in IAM Identity Center for mapping.

**Topics**
+ [Enable attributes for access control](enable-abac.md)
+ [Select your attributes for access control](configure-abac-attributes.md)
+ [Disable attributes for access control](disable-abac.md)

# Enable attributes for access control
<a name="enable-abac"></a>

Use the following procedure to enable the attributes for access control (ABAC) feature using the IAM Identity Center console.

**Note**  
If you have existing permission sets and you plan to enable ABAC in your IAM Identity Center instance, additional security restrictions require the principal performing the change to first hold the `iam:UpdateAssumeRolePolicy` permission, because enabling ABAC updates the trust policies of the roles that IAM Identity Center provisions for those permission sets. These additional restrictions do not apply if no permission sets have been created in your account.  
If your IAM Identity Center instance was created before December 2020 and you plan to enable ABAC in it, the `iam:UpdateAssumeRolePolicy` permission must be granted to the IAM Identity Center administrative role, regardless of whether you have permission sets created in your account.

**To enable Attributes for access control**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Settings**.

1. On the **Settings** page, locate the **Attributes for access control** information box, and then choose **Enable**. Continue to the next procedure to configure it.

# Select your attributes for access control
<a name="configure-abac-attributes"></a>

Use the following procedure to set up attributes for your ABAC configuration. 

**Note**  
This procedure applies only when you want to map attributes from your IAM Identity Center directory for use as session tags. If you are passing attributes from an external identity provider (IdP) through SAML assertions, you do not need to configure attribute mappings here. For more information, see [Choosing attributes when using an external identity provider as your identity source](attributesforaccesscontrol.md#abac-getting-started-idp). Values set in the mapping from the Identity Center directory overwrite values set in SAML assertions.

**To select your attributes using the IAM Identity Center console**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Settings**.

1. On the **Settings** page, choose the **Attributes for access control** tab, and then choose **Manage attributes**.

1. On the **Attributes for access control** page, choose **Add attribute** and enter the **Key** and **Value** details. This is where you will be mapping the attribute coming from your identity source to an attribute that IAM Identity Center passes as a session tag.  
![\[Key value details in the IAM Identity Center console.\]](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/abac_key_value.png)

   **Key** represents the name you are giving to the attribute for use in policies. This can be any name you choose, but you must use that exact name in the policies you author for access control. For example, let's say that you are using Okta (an external IdP) as your identity source and need to pass your organization's cost center data along as session tags. In **Key**, you would enter a matching name such as **CostCenter**. Whichever name you choose here must appear exactly the same in your `aws:PrincipalTag` condition key (that is, `"ec2:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"`); a key that differs from the policy's tag name never matches, and the condition silently fails.
**Note**  
Use a single-value attribute for your key, for example, **Manager**. IAM Identity Center doesn't support multi-value attributes for ABAC, for example, **Manager, IT Systems**.

   **Value** represents the content of the attribute coming from your configured identity source. Here you can enter any value from the appropriate identity source table listed in [Attribute mappings between IAM Identity Center and External Identity Providers directory](attributemappingsconcept.md). For example, continuing the example above, you would review the list of supported IdP attributes, determine that the closest supported match is **`${path:enterprise.costCenter}`**, and enter it in the **Value** field. See the screenshot provided above for reference. Note that you can't use external IdP attribute values outside of this list for ABAC unless you pass the attributes through the SAML assertion instead.

1. Choose **Save changes**.

Now that you have configured mapping your access control attributes, you need to complete the ABAC configuration process. To do this, create your ABAC rules and add them to your permission sets and/or resource-based policies. This is required so that you can grant user identities access to AWS resources. For more information, see [Create permission policies for ABAC in IAM Identity Center](configure-abac-policies.md).
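The same mapping can be built and applied programmatically through the `CreateInstanceAccessControlAttributeConfiguration` API mentioned at the top of this page. The following Python block is an added example, not code from the AWS documentation: it constructs the request body in the shape that API expects (`AccessControlAttributes`, each with a `Key` and a single-entry `Value.Source`), and it cross-checks a permission-set policy against the mapping so that any `${aws:PrincipalTag/...}` reference with no matching **Key** is caught before the configuration is applied. The attribute keys, the inline policy and the instance ARN are constructed placeholders; the `boto3` call runs only when the script is executed directly.

```python
"""Build and sanity-check an IAM Identity Center ABAC attribute configuration.

Added example, not code from the AWS documentation. The request body shape
follows the sso-admin CreateInstanceAccessControlAttributeConfiguration API
(AccessControlAttributes -> Key, Value.Source). The attribute keys, the policy
document and the instance ARN are constructed for illustration.
"""
import json
import re

# Constructed mapping: session tag key used in policies -> Identity Store
# attribute path, exactly as entered in the console's Key and Value fields.
ATTRIBUTE_MAPPINGS = {
    "CostCenter": "${path:enterprise.costCenter}",
    "Department": "${path:enterprise.department}",
}

# Placeholder instance ARN (assumption, not a real identifier).
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-EXAMPLE"

# Local convention for this example: a key is one whitespace-free token, because
# it is interpolated verbatim into ${aws:PrincipalTag/<Key>} in policies. This is
# stricter than the full character set AWS accepts for tag keys.
_KEY_RE = re.compile(r"^[A-Za-z0-9_.:/=+@-]{1,128}$")
# Identity Store attribute reference in the ${path:...} form the page uses.
_PATH_RE = re.compile(r"^\$\{path:[A-Za-z0-9_.]+\}$")
# Every ${aws:PrincipalTag/<Key>} reference inside a policy document.
_TAG_REF_RE = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def build_attribute_configuration(mappings):
    """Return the InstanceAccessControlAttributeConfiguration request body.

    Each Value.Source carries exactly one attribute path: IAM Identity Center
    does not support multi-value attributes for ABAC.
    """
    attributes = []
    for key, source in mappings.items():
        if not _KEY_RE.match(key):
            raise ValueError(f"attribute key {key!r} is not a single policy-safe token")
        if not _PATH_RE.match(source):
            raise ValueError(f"value {source!r} is not a ${{path:...}} attribute reference")
        attributes.append({"Key": key, "Value": {"Source": [source]}})
    return {"AccessControlAttributes": attributes}


def referenced_principal_tags(policy_document):
    """Collect the tag keys a policy expects to find on the principal."""
    return set(_TAG_REF_RE.findall(json.dumps(policy_document)))


def unmapped_principal_tags(policy_document, mappings):
    """Keys a policy relies on that no configured attribute would ever supply.

    The configured Key and the name used in ${aws:PrincipalTag/...} must match
    exactly, so this is a plain string comparison with no normalisation.
    """
    return sorted(referenced_principal_tags(policy_document) - set(mappings))


# Constructed inline policy for a permission set. The Team condition is a
# deliberate mismatch: nothing in ATTRIBUTE_MAPPINGS produces a Team tag, so
# that StringEquals can never be satisfied and the Allow never applies.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}",
                    "ec2:ResourceTag/Team": "${aws:PrincipalTag/Team}",
                }
            },
        }
    ],
}


if __name__ == "__main__":
    config = build_attribute_configuration(ATTRIBUTE_MAPPINGS)
    print(json.dumps(config, indent=2))
    missing = unmapped_principal_tags(EXAMPLE_POLICY, ATTRIBUTE_MAPPINGS)
    if missing:
        raise SystemExit(f"policy references unmapped principal tags: {missing}")
    import boto3  # only needed when actually applying the configuration

    boto3.client("sso-admin").create_instance_access_control_attribute_configuration(
        InstanceArn=INSTANCE_ARN,
        InstanceAccessControlAttributeConfiguration=config,
    )
```

Run as a script, the example prints the request body and then stops with a message naming `Team` as unmapped, which is the intended outcome: a policy that depends on a tag the mapping never produces should be fixed (add the **Key**, or correct the policy) before `create_instance_access_control_attribute_configuration` is called. To change an existing configuration, use the corresponding `update_instance_access_control_attribute_configuration` call with the same body.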

# Disable attributes for access control
<a name="disable-abac"></a>

Use the following procedure to disable the ABAC feature and delete all of the attribute mappings that have been configured. 

**To disable Attributes for access control**

1. Open the [IAM Identity Center console](https://console.aws.amazon.com/singlesignon).

1. Choose **Settings**.

1. On the **Settings** page, choose the **Attributes for access control** tab, and then choose **Manage attributes**.

1. On the **Manage attributes for access control** page, choose **Disable**.

1. In the **Disable attributes for access control** dialog window, review the information and when ready enter **DISABLE**, and then choose **Confirm**.
**Important**  
This step deletes all configured attribute mappings and stops the use of attributes for access control when federating into AWS accounts, regardless of whether any attributes are present in SAML assertions from an external identity provider.