Docs: Update ABAC Channel Access Rules documentation for v11.3 #8671

Merged
cwarnermm merged 6 commits into master from claude/issue-8666-20260121-0430
Feb 5, 2026

@Combs7th
Contributor

Updates the Mattermost Administration Guide section for ABAC Channel Access Rules to clarify:

  • Each ABAC channel access policy has an explicit active state that determines whether rules are enforced and whether auto-sync applies
  • Channel-level (child) ABAC policies now behave independently and consistently, even when parent policies exist
  • Auto-sync behavior follows the channel policy's active state, reducing unexpected inheritance-related behavior
  • Added troubleshooting note advising admins to verify that a channel's access control policy is active if auto-sync is not behaving as expected

Fixes #8666

Generated with Claude Code

- Clarify that each ABAC channel access policy has explicit active state
- Document independent behavior of channel-level (child) policies
- Clarify auto-sync behavior follows channel policy's active state
- Add troubleshooting note for verifying channel access control policy is active

Co-authored-by: Combs7th <Combs7th@users.noreply.github.com>
@github-actions
Contributor

Newest code from mattermost has been published to preview environment for Git SHA 931394f

@Combs7th Combs7th requested a review from isacikgoz January 21, 2026 05:17
@Combs7th
Contributor Author

@isacikgoz - Do the above doc updates look accurate to you?

@cwarnermm cwarnermm requested a review from wiersgallak January 21, 2026 14:00
@cwarnermm cwarnermm added 1: Dev Review Requires review by a core commiter 2: Editor Review Requires review by an editor Guidance labels Jan 21, 2026
@github-actions
Contributor

Newest code from mattermost has been published to preview environment for Git SHA 99875b3

Member

@isacikgoz isacikgoz left a comment

Thanks @Combs7th, I think we might want to clarify the active state.

active state that determines whether the policy's rules are enforced and whether automatic member synchronization applies to the channel.

Regardless of active state, the policy's rules will be enforced to remove members if they don't conform to the required attribute rules.


Channel and Team Admins can self-manage access controls for their private channels directly through the Channel Settings modal, without requiring System Admin intervention. For organization-wide policies created by System Admins, see :doc:`System-wide attribute-based access policies </administration-guide/manage/admin/abac-system-wide-policies>`.

Each ABAC channel access policy has an explicit **active state** that determines whether the policy's rules are enforced and whether automatic member synchronization applies to the channel. Channel-level (child) ABAC policies behave independently and consistently, even when parent system-wide policies exist.
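
Review bot: In the added paragraph, "active state that determines whether the policy's rules are enforced and whether automatic member synchronization applies" gives one flag two effects and never says what happens to current members while a policy is inactive. Suggest stating each effect in its own sentence, and defining "child" and "parent" policy on first use, since the paragraph above only refers to "organization-wide policies created by System Admins".
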
Member

Regardless of the active state, if there is a policy applied to a channel, it will be enforced. The active state indicates that the users matching the policy will be automatically added. System-wide policies can be inherited, but they don't have an influence on whether the auto-add feature is also inherited or not. Only the rules are inherited; for auto-add we check the individual channel policy.

~~~~~~~~~~~~~~~~~~~~

The **Auto-add members based on access rules** toggle controls automatic membership management:
The **Auto-add members based on access rules** toggle controls automatic membership management. Auto-sync behavior follows the channel policy's active state, reducing unexpected inheritance-related behavior:
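
Review bot: The clause "reducing unexpected inheritance-related behavior" in the added toggle sentence reads as a change-log remark and does not tell an admin what the toggle does; it also sits directly before the colon, so whatever follows now appears to enumerate inheritance behavior rather than membership management. Suggest keeping the original lead-in sentence unchanged and putting the active-state statement in its own sentence.
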
Member

It's not about inheritance but more about giving the channel admin or system admin the ability to decide whether occasionally dropped members (e.g. if users are losing attributes for some time) will be re-added. Or you want to dedicate a channel to a certain attribute and you always want to make sure people are in the channel. More like an alternative to LDAP group channels.


.. important::

- Auto-sync behavior is determined by the channel policy's active state, not inherited from parent policies.
Member

💯

Policy inheritance
--------------------

Channel-level (child) ABAC policies now behave independently and consistently, even when parent system-wide policies exist. Each policy maintains its own active state and configuration.
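
Review bot: The first added sentence under "Policy inheritance" repeats, almost word for word, the sentence added to the introduction ("Channel-level (child) ABAC policies behave independently and consistently, even when parent system-wide policies exist"), and "now" will date quickly in reference documentation. Suggest keeping the statement in one place and saying here what is and is not inherited, instead of "independently and consistently".
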
Member

💯

@github-actions
Contributor

Newest code from mattermost has been published to preview environment for Git SHA cd53bf8

@wiersgallak wiersgallak requested review from cwarnermm and removed request for wiersgallak February 3, 2026 19:48
@wiersgallak
Contributor

Reassigning to Carrie, since she wrote the original ABAC docs and has more familiarity. @john-combs can you confirm if you've addressed the feedback from @isacikgoz? If so, we can ask him to re-review as well.

@Combs7th Combs7th changed the base branch from master to v11.4-documentation February 3, 2026 21:44
@Combs7th Combs7th added this to the v11.4.0 milestone Feb 3, 2026
@cwarnermm cwarnermm added the Awaiting Submitter Action Blocked on the author label Feb 4, 2026
@Combs7th
Contributor Author

Combs7th commented Feb 4, 2026

@claude - Please update this doc text based on the feedback from @isacikgoz above.

Key corrections to reflect accurately:

  • The policy being applied to a channel is always enforced (including removing members who no longer meet required attribute rules), regardless of the policy’s active state.
  • The policy active state controls automatic member synchronization / auto-add behavior (i.e., whether users matching rules are automatically added/re-added), not whether enforcement happens at all.
  • System-wide (parent) policies can be inherited at the channel level for rules, but inheritance is not the point for auto-add: auto-add/auto-sync is checked per individual channel policy.
  • Reframe the “Auto-add members based on access rules” toggle explanation: it’s primarily about ensuring members are automatically added/re-added when they match (e.g., if attributes were temporarily lost and later restored), more like an alternative to LDAP group channels / a way to keep the channel consistently aligned to an attribute set—not about inheritance reducing surprises.

What I need:

  • Rewrite the relevant doc sections so they’re accurate and clear, using the above points.
  • Remove or revise any statement implying the active state determines whether rules are enforced.
  • Remove or revise any statement framing auto-sync behavior as “inheritance-related,” and instead explain the admin control/use-case described above.
  • Keep the edits concise and consistent with Mattermost docs tone.
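
A minimal model of the semantics listed in the comment above, as an added example (not Mattermost code and not part of this PR). The `Policy` class, equality-only rules, the AND-combination of parent and channel rules, and the sample users are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    rules: list                        # [(attribute, required_value), ...] (assumed form)
    active: bool = False               # gates auto-add only, never enforcement
    parent: Optional["Policy"] = None  # system-wide policy whose rules are inherited

    def effective_rules(self):
        # Only rules come from the parent; its active flag is never consulted.
        inherited = self.parent.effective_rules() if self.parent else []
        return inherited + self.rules

def matches(attrs, rules):
    """True when the user's attributes satisfy every rule."""
    return all(attrs.get(key) == value for key, value in rules)

def sync_channel(members, directory, policy):
    """One sync pass; returns (members_after, removed, added)."""
    rules = policy.effective_rules()
    # Enforcement always runs: members who fail the rules are removed.
    removed = {u for u in members if not matches(directory.get(u, {}), rules)}
    kept = set(members) - removed
    added = set()
    if policy.active:  # auto-add is decided by this channel's own policy
        added = {u for u, attrs in directory.items()
                 if u not in kept and matches(attrs, rules)}
    return kept | added, removed, added

def demo():
    # Constructed sample data: an active system-wide policy, an inactive channel policy.
    parent = Policy(rules=[("clearance", "secret")], active=True)
    child = Policy(rules=[("program", "alpha")], active=False, parent=parent)
    directory = {
        "ana": {"clearance": "secret", "program": "alpha"},
        "bo": {"clearance": "secret", "program": "beta"},
        "cy": {"clearance": "secret", "program": "alpha"},
    }
    # Inactive channel policy: bo is removed, cy is not added even though
    # the parent policy is active.
    first = sync_channel({"ana", "bo"}, directory, child)
    child.active = True  # now cy, who matches, is added on the next pass
    second = sync_channel(first[0], directory, child)
    return first, second

if __name__ == "__main__":
    print(demo())
```
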

@claude
Contributor

claude bot commented Feb 4, 2026

Claude finished @Combs7th's task in 1m 34s


Documentation updates completed

Tasks

  • Read current documentation file
  • Identify sections needing correction based on reviewer feedback
  • Rewrite sections to accurately reflect ABAC policy behavior
  • Commit and push changes
  • Final verification

Changes made:

Line 9 - Introduction paragraph:

  • Clarified that policy rules are always enforced (including removing members who don't meet requirements), regardless of active state
  • Active state only controls automatic member synchronization (auto-add/re-add behavior)

Lines 58-76 - Auto-sync membership section:

  • Reframed auto-sync as a feature for keeping channels consistently aligned to attribute rules, similar to LDAP group channels
  • Explained that enabled auto-sync means users are automatically re-added if they temporarily lose and regain attributes
  • Added explicit note that removal of non-conforming members always happens during synchronization, regardless of auto-sync setting
  • Changed terminology from "auto-sync behavior is determined by" to "auto-add/auto-sync is checked on a per-channel policy basis"

Lines 93-105 - Policy inheritance section:

  • Clarified that auto-add behavior is determined by the individual channel policy, not inherited from parent system-wide policies
  • Explained that system-wide policies pass down rules, but auto-add/auto-sync is evaluated per channel

Lines 200-218 - Troubleshooting section:

  • Updated troubleshooting note to distinguish between auto-add (controlled by active state) and enforcement (always happens)
  • Clarified that inactive policy prevents automatic member additions, but rule enforcement (removal) happens regardless

All changes have been committed and pushed to the PR branch.

--- | Branch: claude/issue-8666-20260121-0430

Updated ABAC channel access rules documentation to accurately reflect:
- Policy rules are always enforced (including member removal) regardless of active state
- Active state controls only automatic member addition/re-addition (auto-sync)
- Auto-add is evaluated per-channel policy, not inherited from parent policies
- Reframed auto-sync as a feature for keeping channels aligned to attributes

Based on technical review feedback from @isacikgoz

Co-authored-by: Combs7th <Combs7th@users.noreply.github.com>
@Combs7th
Contributor Author

Combs7th commented Feb 4, 2026

@isacikgoz - Does the above look more accurate to you?

@github-actions
Contributor

github-actions bot commented Feb 4, 2026

Newest code from mattermost has been published to preview environment for Git SHA 3fcce44

Member

@isacikgoz isacikgoz left a comment

Looks good, only one suggestion on improving the sentence.

…ules.rst

Co-authored-by: Ibrahim Serdar Acikgoz <serdaracikgoz86@gmail.com>
@cwarnermm cwarnermm removed 1: Dev Review Requires review by a core commiter Awaiting Submitter Action Blocked on the author labels Feb 5, 2026
@github-actions
Contributor

github-actions bot commented Feb 5, 2026

Newest code from mattermost has been published to preview environment for Git SHA 69a8713

@cwarnermm cwarnermm added 3: Reviews Complete All reviewers have approved the pull request and removed 2: Editor Review Requires review by an editor labels Feb 5, 2026
@cwarnermm cwarnermm changed the base branch from v11.4-documentation to master February 5, 2026 21:35
@cwarnermm cwarnermm merged commit 6d419dd into master Feb 5, 2026
4 checks passed
@cwarnermm cwarnermm deleted the claude/issue-8666-20260121-0430 branch February 5, 2026 21:35
@github-actions
Contributor

github-actions bot commented Feb 5, 2026

Newest code from mattermost has been published to preview environment for Git SHA 1db1b2d

Labels

3: Reviews Complete All reviewers have approved the pull request Guidance

Development

Successfully merging this pull request may close these issues.

v11.3 Docs: Tweak auto-add to make it consistent with child policies

4 participants