diff --git a/source/administration-guide/manage/admin/abac-channel-access-rules.rst b/source/administration-guide/manage/admin/abac-channel-access-rules.rst index 09c79ce35cb..0a35cd60eb4 100644 --- a/source/administration-guide/manage/admin/abac-channel-access-rules.rst +++ b/source/administration-guide/manage/admin/abac-channel-access-rules.rst 
@@ -86,6 +86,50 @@ When you save changes that affect membership, a confirmation dialog shows you: - Option to view the specific users affected - Confirmation required before applying changes +Manage team-scoped membership policies in Team Settings +------------------------------------------------------- + +From Mattermost v11.7, Team Admins can create, edit, and delete channel membership policies directly from Team Settings, scoped to channels within their team. This lets teams self-manage attribute-based membership for their own channels without requiring a System Admin to create or modify a system-wide policy. + +Prerequisites +~~~~~~~~~~~~~ + +- :doc:`Attribute-Based Access Control (ABAC) ` must be enabled by a System Admin in **System Console > System Attributes > Attribute-Based Access**. +- You need Team Admin permissions for the team and the ``manage_team_access_rules`` permission. +- Team-scoped membership policies can be assigned to both public and private channels within the team. + +Team Admin workflow +~~~~~~~~~~~~~~~~~~~ + +1. Open **Team Settings** from the team menu, and go to the **Membership Policies** tab. This tab is only visible to Team Admins with the ``manage_team_access_rules`` permission when ABAC is enabled system-wide. +2. Select **Add Policy** and enter a name for the policy. Parent policy names must be unique; if you enter a name that's already in use, Mattermost displays a user-friendly error and prevents the policy from being saved. +3. Define the attribute rules that determine which users can be members of channels assigned to this policy. Rules use the same attribute conditions available for channel-specific access rules. +4. Assign the applicable private channels in the team to the policy. +5. Select **Save** to create or update the policy. Team-scoped policies can be edited or deleted from the same tab at any time. 
+ +Team Settings sync status footer +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The **Membership Policies** tab includes a sync status footer that shows: + +- **Last sync time**: The time of the most recent membership synchronization for policies in this team. +- **Sync now**: An on-demand action that triggers an immediate synchronization for the team's policies. + +Team-scoped sync is limited to the team admin's team scope. Triggering **Sync now** from Team Settings does not affect channels or policies outside the current team. + +Sync behavior by channel type +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Sync behavior for team-scoped membership policies depends on the type of channel the policy is assigned to: + +- **Public channels**: Sync is advisory and add-only. Users who match the policy's rules are added to the channel, but no users are removed if their attributes change. +- **Private channels**: Sync is enforced. Users who match the policy's rules are added to the channel, and users who no longer match the rules are removed during the next synchronization. + +Automatic sync on policy changes +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Mattermost automatically runs a sync job whenever a team-scoped membership policy is created, or its rules, assigned channels, or active state change. Team Admins don't need to manually trigger **Sync now** for these updates; the sync runs as part of the change. + Policy inheritance -------------------- diff --git a/source/administration-guide/manage/admin/abac-system-wide-policies.rst b/source/administration-guide/manage/admin/abac-system-wide-policies.rst index bd7aa811b5a..02f3bf520c3 100644 --- a/source/administration-guide/manage/admin/abac-system-wide-policies.rst +++ b/source/administration-guide/manage/admin/abac-system-wide-policies.rst 
@@ -20,7 +20,7 @@ Define access control policies You can add multiple rules to a single policy, and each rule can include multiple attribute values. 1. In the System Console, go to **System Attributes > Attribute-Based Access** and select **Add Policy**. -2. Enter a unique policy name. +2. Enter a unique policy name. Parent access control policy names must be unique; if you enter a name that's already in use, Mattermost displays a user-friendly error message and prevents the policy from being saved until you choose a different name. 3. Choose whether to automatically add users who match your configured attribute values as new members. Automatic synchronization is disabled by default. * **True**: Automatically maintains channel membership according to the defined rules as user attributes change. 
@@ -102,4 +102,18 @@ You can assign an existing access control policy to a private channels for more Remove channel policies ~~~~~~~~~~~~~~~~~~~~~~~ -Disable the policy for the channel by selecting **Remove Policy**. You can then link the channel to a different policy if preferred. \ No newline at end of file +Disable the policy for the channel by selecting **Remove Policy**. You can then link the channel to a different policy if preferred. + +Permission policies +------------------- + +From Mattermost v11.7, System Admins can define attribute-based **permission policies** that restrict specific user actions in addition to channel membership. Permission policies use the same attribute-based rules as access policies, but they apply to user actions rather than channel access. + +Permission policies can be used to restrict the following actions based on user attributes: + +- **File upload**: Prevent users who don't match the defined attribute rules from uploading file attachments. +- **File download**: Prevent users who don't match the defined attribute rules from downloading file attachments. + +When a permission policy applies, users who don't match the configured attribute values can't perform the restricted action. Users may see file attachments as unavailable or redacted in messages they would otherwise have access to. See :ref:`Restricted file attachments ` for the end-user-facing behavior. + +Permission policies follow the same unique-name requirement as access policies: each parent permission policy must have a unique name, and Mattermost surfaces a user-friendly error if a duplicate name is entered. \ No newline at end of file diff --git a/source/administration-guide/manage/admin/attribute-based-access-control.rst b/source/administration-guide/manage/admin/attribute-based-access-control.rst index e188d2efbf1..ce289d2f44e 100644 --- a/source/administration-guide/manage/admin/attribute-based-access-control.rst 
+++ b/source/administration-guide/manage/admin/attribute-based-access-control.rst @@ -16,10 +16,12 @@ From Mattermost v10.9, system admins in large or complex organizations who requi Enforcing strict access controls based on user attributes eliminates manual role adjustment processes that can lead to security risks, inefficiencies, or inappropriate access, while maintaining security and compliance by ensuring that only authorized users can access specific Mattermost channels. -Attribute-based access control (ABAC) provides 2 levels of control: +Attribute-based access control (ABAC) can be used with the following policy types: -- **System-wide policies** (managed by System Admins): Centralized policies that can be applied across multiple channels in the System Console. See :doc:`System-wide attribute-based access policies `. -- **Channel-specific rules** (managed by Channel Admins): Self-service access rules that Channel Admins can configure directly in Channel Settings for individual channels. See :doc:`Channel-specific access rules `. +- **System-wide access policies** (managed by System Admins): Centralized policies created in the System Console that can be applied across multiple channels. See :doc:`System-wide attribute-based access policies `. +- **Permission policies** (managed by System Admins): Attribute-based restrictions on user actions such as file upload and file download. See :ref:`Permission policies `. +- **Team-scoped membership policies** (managed by Team Admins): Channel membership policies that Team Admins can create, edit, and delete directly from Team Settings for channels in their team. See :ref:`Manage team-scoped membership policies in Team Settings `. +- **Channel-specific access rules** (managed by Channel Admins): Self-service access rules that Channel Admins can configure directly in Channel Settings for individual channels. See :doc:`Channel-specific access rules `. Before you begin ------------------ 
@@ -41,6 +43,11 @@ Once enabled, you have multiple ways to configure access policies in Mattermost: - Create :doc:`system-wide access policies ` that can be assigned across multiple channels in the System Console. - Assign :ref:`individual channel policies ` to specific channels in the System Console. +- Define :ref:`permission policies ` that restrict actions such as file upload and file download based on user attributes. + +**Team Admins can:** + +- Create, edit, and delete :ref:`team-scoped channel membership policies ` for channels in their team directly from Team Settings, when granted the ``manage_team_access_rules`` permission. **Channel Admins can:** diff --git a/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst b/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst index 3b7939d8cf1..54d954a2aff 100644 --- a/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst +++ b/source/administration-guide/onboard/advanced-permissions-backend-infrastructure.rst 
@@ -244,6 +244,8 @@ Permissions in Mattermost are a property of the server code base and are not cre +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | manage_channel_access_rules | channel | Manage attribute-based access control rules for channels. | +----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| manage_team_access_rules | team | Manage attribute-based channel membership policies for a team from Team Settings. | ++----------------------------------------------+---------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ``Roles`` field ~~~~~~~~~~~~~~~ @@ -654,6 +656,7 @@ The following built-in roles with default permissions are available: - order_bookmark_private_channel - manage_channel_banner - manage_channel_access_rules +- manage_team_access_rules *team_guest* diff --git a/source/end-user-guide/collaborate/share-files-in-messages.rst b/source/end-user-guide/collaborate/share-files-in-messages.rst index 590b109a819..4aca8a84f44 100644 --- a/source/end-user-guide/collaborate/share-files-in-messages.rst +++ b/source/end-user-guide/collaborate/share-files-in-messages.rst 
@@ -104,4 +104,11 @@ The following media formats are supported on most browsers: - Audio: MP3, M4A - Files: PDF, TXT -Other document previews (such as Word, Excel, or PPT) are not yet supported. \ No newline at end of file +Other document previews (such as Word, Excel, or PPT) are not yet supported. + +Restricted file attachments +--------------------------- + +If your administrator has configured attribute-based permission policies on your Mattermost instance, file uploads or downloads may be restricted based on your user attributes. Restricted attachments appear in messages with the placeholder **Files not available** and the subtitle **Access to files is restricted based on attributes**. + +If you expect to have access to a restricted file and don't, contact your Mattermost administrator. For administrator-facing details, see :ref:`Permission policies `. \ No newline at end of file
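Review bot: In the abac-channel-access-rules.rst hunk (@@ -86,6 +86,50 @@), step 4 of the Team Admin workflow contradicts the prerequisites and the sync section: it says "Assign the applicable private channels in the team to the policy", while the prerequisites state that team-scoped policies "can be assigned to both public and private channels within the team" and "Sync behavior by channel type" describes public-channel sync. Change step 4 to "Assign the applicable public and private channels in the team to the policy." The public-channel bullet also needs a sentence an admin can act on: since sync there is "advisory and add-only", state plainly that a user who stops matching keeps their membership and whether a non-matching user can still join the channel on their own, so nobody treats a public-channel policy as an access restriction. "Automatic sync on policy changes" says a sync job (which removes non-matching users from private channels) runs whenever rules or assigned channels change, whereas the system-wide policy page has an auto-sync toggle that is off by default; say whether team-scoped policies expose that toggle or whether enforcement is always on for them, because that decides whether saving a rule edit can remove members immediately. Minor: "Team-scoped sync is limited to the team admin's team scope" is circular; the following sentence already says what it means, so drop the first.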
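Review bot: In the abac-system-wide-policies.rst hunk (@@ -20,7 +20,7 @@), step 2 now says "unique" twice ("Enter a unique policy name. Parent access control policy names must be unique; ..."); merge into one sentence, e.g. "Enter a policy name. Parent access control policy names must be unique; if the name is already in use, Mattermost displays an error and doesn't save the policy until you choose another." "User-friendly error message" is marketing wording that this patch repeats in three files; "an error" is enough in reference docs.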
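Review bot: In the abac-system-wide-policies.rst hunk (@@ -102,4 +102,18 @@), the new "Permission policies" section says what the policies restrict but not where they are created or what they are assigned to, so an admin can't act on it: state where in the System Console they live (the page only names **System Attributes > Attribute-Based Access** for access policies), whether a permission policy applies instance-wide or is assigned to channels like an access policy, and what happens when a user matches none, or more than one, of them. It should also say whether the restriction is enforced server-side on the file API (direct file links, search results, mobile and desktop clients) rather than only rendered as a placeholder; as written, "Users may see file attachments as unavailable or redacted" reads as display behaviour, and a security reviewer will want to know that a restricted user can't fetch the file by its ID or through a public link. If public links or previously shared links are unaffected, say so explicitly.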
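Review bot: In the attribute-based-access-control.rst hunk (@@ -16,10 +16,12 @@), the "Team-scoped membership policies (managed by Team Admins)" bullet should say "managed by Team Admins with the ``manage_team_access_rules`` permission" to match the "Team Admins can:" section added later in the same file, which makes the permission a condition; otherwise a reader of the overview assumes every Team Admin gets this.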
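Review bot: In the advanced-permissions-backend-infrastructure.rst hunk (@@ -654,6 +656,7 @@), the context doesn't show which built-in role's default permission list gains ``manage_team_access_rules``; it ends right before *team_guest*, so presumably a team-level role. Whichever it is, the Team Settings prerequisite in abac-channel-access-rules.rst ("You need Team Admin permissions for the team and the ``manage_team_access_rules`` permission") should agree with it: if the permission is granted to Team Admins by default, say so there and note that System Admins can remove it through the permission scheme; if it must be granted separately, it shouldn't appear in a role's default list here.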
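Review bot: In the share-files-in-messages.rst hunk (@@ -104,4 +104,11 @@), the new "Restricted file attachments" section covers only the download side (the **Files not available** placeholder) even though its first sentence says uploads may be restricted too. Add a sentence on what a user blocked from uploading sees (attachment control hidden, or an error when the message is sent), and say whether the restriction also applies to files reached through a direct link or search, so users don't report the placeholder as a bug.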