Concepts
A Grant Kit allows you to automatically control and right-size permissions to sensitive resources. Grant Kits allow you to define a Workflow (how someone should get access), Policies (if they should get access), and an Output template (how and where you want the automated permission grants to materialize) for a specific Target resource.
A Workflow, written natively in Terraform using HCL, defines how an Identity should get access to a Resource. For more information on how to define a workflow and what the schema looks like, visit the Grant Kits Workflow reference.
Policies, written as Open Policy Agent (OPA) Policies in Rego, define if an Identity should get access to a Resource. For more information on how to define policies and how to work with input and external data, visit the Grant Kits Policies reference.
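As an added illustration (not Abbey's own code or schema), the following Rego policy shows the kind of decision such a Policy encodes: it permits a grant when the requester's resolved Primary Identity belongs to an allowed group, and for production targets additionally requires the requester to be on call. The `input` fields and the `data.groups`/`data.oncall` external data are assumptions for illustration only; the real input schema is in the Grant Kits Policies reference.

```rego
package grant_kit.example

import future.keywords.if
import future.keywords.in

# Deny by default; a grant is permitted only when a rule below proves allow.
default allow := false

# Assumed input shape (illustrative, not Abbey's real schema):
#   input.requester.primary_identity  resolved Primary Identity, e.g. "alice@example.com"
#   input.target.name                 Target resource, e.g. "snowflake.analytics.orders"
#   input.target.tier                 "dev" or "prod"
# Assumed external data (illustrative):
#   data.groups[name]                 list of primary identities in that group
#   data.oncall                       list of primary identities currently on call

allowed_groups := {"data-engineering", "analytics"}

# Non-production targets: any member of an allowed group may be granted access.
allow if {
    input.target.tier != "prod"
    requester_in_allowed_group
}

# Production targets: the requester must also be on call.
allow if {
    input.target.tier == "prod"
    requester_in_allowed_group
    input.requester.primary_identity in data.oncall
}

requester_in_allowed_group if {
    some group in allowed_groups
    input.requester.primary_identity in data.groups[group]
}
```

Because `allow` defaults to false, a request that matches no rule is denied rather than silently granted, which is the safe failure mode for an access policy.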
An Output is a template that defines how and where your permission grants should be materialized. Simply put, this means HCL code is generated to a Terraform file at a location you specify within your Version Control System (VCS).
Targets are what an Identity can access. This can be arbitrarily granular and system-agnostic, such as a Snowflake database, table, or role, or a Kafka cluster or topic.
An Identity is someone or something trying to get access to a Resource. Identities are fragmented across systems, where multiple identities can represent the same thing, such as an email address in Google Directory, a GUID in Okta, or a username in Slack all referring to the same person. Abbey helps security teams by automatically resolving identities.
There can only be one Primary Identity. By default, this is your Abbey account. However, you can bring your own Identity Provider (IDP) using a Connector and make that the Primary Identity if you choose. You'll be able to toggle an Identity to become a Primary Identity at any time. Abbey will automatically perform identity resolution for you.
You can have many Secondary Identities. These may be IDPs such as Okta, Google Directory, Azure Active Directory, GitHub, PagerDuty, or Slack. When you add an IDP using a Connector, it will become a Secondary Identity by default. You can make any of your Secondary Identities a Primary Identity at any time. Abbey will automatically perform identity resolution for you.
Connector is a generic term for a 3rd party tool that is integrated with Abbey. There are 3 types: Identity Providers (IDPs), Repositories, and Utilities.
Identity Providers (IDPs) are systems external to Abbey that store and manage your identities. Examples of this are Okta, Google Directory, and Azure Active Directory.
Repositories are your Version Control Systems (VCS) which contain your IaC and Access Management as Code. This would be your Terraform setup, inclusive of any CI/CD configuration. Examples of this are GitHub and GitLab.
Utilities augment your entire access request functionality within Abbey. Examples of this are PagerDuty and Slack to send/receive notifications.