ABAC: FAQs (Frequently Asked Questions) related to enablement
Updated 3 months ago
Purpose of this document
Audience-Based Access Control (ABAC) automatically controls who can see and do what in the Simpplr platform based on employee information like role, department, or location, so access stays accurate as people and teams change.
When ABAC is enabled, some things on the platform may look a little different. This FAQ walks you through:
Find where your existing data now appears
Understand why some screens or flows look different
Confirm your existing access and setup are still working as expected
This FAQ is meant to help you understand the changes. Configuration and setup instructions are available in separate learning guides. For more information, click here.
Who should read this FAQ
Customers: Platform admins, IT, Intranet managers, site managers/owners
Internal teams: Support, CSMs
General Questions
Q: Is there any downtime when ABAC is enabled?
A: No, there is no downtime with ABAC.
Q: Around what time of the day ABAC will be enabled?
A: ABAC is enabled during IST morning.
Q: Can ABAC be reverted?
A: Once enabled, ABAC cannot be reverted.
Q: Does enabling ABAC impact the end users?
A: No, ABAC only introduces new ways of managing features like audiences, sites, roles etc. There is no change for end users.
Q: Which features support ABAC?
A: Following features support ABAC -
Sites
Content
Alerts
Surveys
Newsletter
Feed
Polls
Forms
Tasks
Messenger
Audiences
Q: What changes to Audiences when ABAC is enabled?
A: These will be the changes:
Audience stay on Manage > Audiences page
Audiences are reorganized under categories
A new ‘Audience builder tab is introduced
All existing audiences, their rules, attributes and users remain the same.
Q: Where did my existing audiences go?
A: Your existing audiences, with the old rules and values, are now moved to a category folder called ‘Uncategorized’ on the Manage > Audiences page.
Q: Were any audiences deleted or modified?
A: No.
No audiences were deleted
Audience rules and memberships remain unchanged
Q: Do I need to recreate or update my audiences?
A: No action is required. However, it is recommended that you reorganize your audiences based on your organizational structure. You can do the following -
Rename ‘Uncategorized’ audience category to a logical, org related category where you want to group your audiences.
Move audiences from ‘Uncategorized’ category to new categories like Locations, Departments, Regions etc. To do that -
Click on the three-dots menu for any audience, click on ‘Edit’, update ‘Parent’.
Create a new category or select an existing category where you want to move the audience.
Please note that the audience category is mandatory for each audience.
Q: I see a category called ‘Additional audiences’ that was added automatically. What are these and why do they have IDs instead of names?
A: During the ABAC migration, some audiences are automatically created to preserve existing site access for what were previously unlisted sites.
We created an audience category called, “Additional audiences” during migration of your tenant. Here’s why this happens:
Site visibility now supports audiences only.
In unlisted sites, individual users who were added directly (not through a subscription) need to have their access to the site preserved.
To ensure no access is lost, those individual users are grouped into a new audience during migration.
Additional audiences are created with site IDs in the naming convention instead of the site name in order to protect the privacy of the unlisted site. However, these audiences are editable and can be updated.
These audiences appear under the audience category titled, “Additional audiences.” Here’s an example:
Let’s say you had an unlisted site with a subscription of “Canada” audience and 5 people were added separately. After migration you will see two audiences in site visibility:
Canada audience
Migrated audience having those 5 people
These audiences are only visible under Manage >Audiences or in the site visibility of the sites. The ‘Additional audiences’ are not added in the site subscription. Please note that users in this audience are members of the site as it is.
Q: How do I know which sites these additional audiences belong to?
A: To know which sites an ‘Additional audience’ belong to, you can follow the below steps -
Click on the three dots menu for the audience, and select ‘View feature usage’ option
Check the Site name in the Feature usage popup. You can also update the ‘Additional’ audience name if desired so it is easier to identify it in the future.
Q: How do I manage these additional audiences?
A: There are different steps you can take to manage these additional audiences -
Keep the audience name and category as it is. Use these audiences to add more individual users (outside subscription) to these sites. To do that, go to the ‘Edit audience’ option and add/remove users.
You can also update the audience name (for example - with site names) or the category for better readability of the audience names.
Q: What are Site, segment and other audiences? Why do they have lock icons?
A: To make things easy for the managers, some audiences are automatically created during the migration. These audiences have lock icons as these cannot be edited or deleted.
Site
There is a system-level site audience created for each site.
This audience includes all the members and followers of the site.
Audiences get updated automatically when there is a new member added/removed from the site.
You can use site audiences in access control groups like newsletters, alerts, surveys, etc.
This audience has further sub-audiences like Members, Followers (only for public sites), Non-managing members, Owners and managers etc. and you can create subaudiences from these groups.
These audiences have lock icons as these cannot be edited or deleted by the user.
Segment (only applicable when tenant has segments configured)
There is a system-level segment audience created for each segment.
This audience includes all the members of the segment and is ready for you to use in access control groups, features like newsletters, surveys etc.
Audiences get updated automatically when there is a new user added/removed from the segment.
You can create sub-audiences under any segment audience.
These audiences have lock icons as these cannot be edited or deleted.
Microsoft Entra groups/ Okta groups/ Google groups
There is a system-level segment audience created for the external groups if you have Entra or Okta or Google integrated and groups configured at app level.
This audience includes all the users of the external groups and is ready for you to use in access control groups, features like newsletters, surveys etc.
Audiences get updated automatically when there is a new user added/removed from the external group.
You can create sub-audiences under any audience.
These audiences have lock icons as these cannot be edited or deleted by the user.
Roles
Q: What changes to Roles when ABAC is enabled?
A: The existing ‘Manage roles’ screen will be removed. Every user has a primary role - App manager or Standard user. Additional permissions are now managed in the newly introduced Access control screen.
Q: What happened to my existing role assignments?
A: Existing role assignments are preserved through system mapping of access control groups.
Existing roles are mapped to the access control group of the feature. For example - Users with ‘Newsletter manager’ roles are mapped to the Newsletter - system access control group.
Q: Were any roles or privileges changed?
A: There is only one change for the App manager role.
Before ABAC, App managers needed additional roles to manage private and unlisted sites.
After ABAC, app managers have permission to manage all sites by default.
Note: Existing App managers get access to manage all sites by default. It is recommended to review the list of App managers in your organization and assign more targeted permissions using feature-based access control groups (ACGs) where appropriate. ABAC allows you to grant specific permissions without making someone an App Manager, giving you more control and reducing unnecessary broad access.
Q: Do I need to reassign roles?
A: No immediate action is required.
Access Control Groups
Q: What is Access control screen and access control groups?
A: Access Control Groups are a new way of managing access and permissions for different features. It allows you to assign targeted permissions to standard users. For example - User A can be a newsletter manager for the Finance department, and user B can only manage newsletters for Engineering. Please refer to ABAC using ACGs (Access Control Groups) and Introduction to ACGs.
Q: Do I need to update any access control groups immediately ?
A: No. All your existing roles are mapped to the access control groups as part of the ABAC migration. No immediate action is required.
Sites
Q: What changes to Sites when ABAC is enabled?
A: When ABAC is enabled, site visibility becomes a required setting for every site. Site visibility controls who can see or discover a site across the platform. Additionally, there are now two site types: public or private, which determines how content access works.
Site visibility controls site discoverability (e.g. who can discover the site).
Public v. private site controls content access.
Subscriptions control who is automatically added to the site as a member or follower.
Unlisted site types are no longer a site type after ABAC.
To summarize what happens to sites when ABAC is enabled:
Existing public sites have been mapped to public sites. Site visibility= ‘Everyone in organization’
Existing private sites have been mapped to private sites. Site visibility= ‘Everyone in the organization’
Existing unlisted sites have been mapped to private sites. Site visibility=’Select audiences/Additional audiences (migrated users)’
Before ABAC | After ABAC | ||
Site type | Site type | Site Visibility | What this means |
Site type: Public | Site type: Public | All Organization | Everyone in the organization can discover the site. The site is unlocked. Users do not need to be a member of the site to access site content. |
Site type: Private | Site type: Private | All Organization | Everyone in the organization can discover the site. The site is locked. Users must be a member to access site content. If the user is not a member, then they see the “request membership” button. |
Site type: Unlisted | Site type: Private | Select audience(s) Additional audience (migrated users) | Select audiences can discover the site. The site is locked. Users must be a member to access site content. If the user is not a member, then they see the “request membership” button |
Please note that site visibility only controls who can view the site. It does not determine the access to content.
Existing public sites have been mapped to public sites. Site visibility= ‘Everyone in organization’
Existing private sites have been mapped to private sites. Site visibility= ‘Everyone in the organization’
Existing unlisted sites have been mapped to private sites. Site visibility=’Select audiences/Additional audiences (migrated users)’
Q: If site visibility controls who can discover the site, then what are ‘Public’ and ‘Private’ sites?
A: ‘Public’ and ‘Private’ type determines the access to content.
Public site -> Everyone in the site visibility has access to the content by default. They do not need to become a member to access the content.
Private site -> Everyone in the site visibility needs to be a member to access the content. Users can become members through subscription or manual addition by site managers or by requesting the membership.
Q: Will users lose access to their existing sites?
A: No. Users will continue to see the same sites as before.
Q: Do I need to reconfigure my sites?
A: No immediate changes are required unless you want to update the site visibility or subscriptions.
Q: I used to add people one by one to unlisted sites. How do I add individual users now?
A: With ABAC, adding someone to a site is a two-step process. This replaces how unlisted sites worked before. Directly adding individual users as members (without first adding them to site visibility) is not supported today, but this capability is on the roadmap.
Step 1: Add user to target visibility via Manage>Audiences.
Step 2: Add user as a member to your site either via site subscription or manually by Manage site>People>Add person.
Directly adding individual users as members (without first adding them to site visibility) is not supported today, but this capability is on the roadmap.
Subscriptions
Q: What changes to Subscriptions when ABAC is enabled?
A: No change to existing subscriptions. Subscriptions are retained in their respective sites.
Q: Subscriptions tab on the navigation is empty. Where did my subscriptions go?
A: Subscriptions now appear under the Subscriptions tab within Manage sites.
Q: Who can manage site subscriptions?
A: App Managers and Manage Sites feature owners can manage all site subscriptions across the platform. Managers and Admins of “Manage sites” access control group can manage site subscriptions for sites they can manage.
Site owners and managers can only re-run subscriptions for their sites. They cannot create/edit/update the subscriptions.
Q: Do I need to reassign or reconfigure subscriptions?
A: No action is required. Only the UI location has changed.
Privileges
Q: What changes to Privileges when ABAC is enabled?
A: When ABAC is enabled, permissions for managing newsletters and alerts are now handled through Access Control Groups (ACGs) instead of the Privileges tab.
Before ABAC: Newsletter and alert permissions for site owners and managers were managed in Manage application > Privileges.
After ABAC: These permissions are managed through Access Control Groups.
If site owners or managers previously had permission to send newsletters and alerts:
Access Control Groups are automatically created for those sites
Site owners and managers are added as managers of the corresponding ACGs
No existing permissions are removed during this process
This ensures site owners and managers can continue sending newsletters and alerts without interruption. You do not need to take action unless you want to further refine permissions using Access Control Groups.
Segments
Q: What changes to Segments when ABAC is enabled?
A: There are two main updates related to segments -
Segment audiences
If you have segments configured, the system creates audiences for each segment.
Segment audiences are visible under the Segment category on Manage > Audiences tab.
These audiences are ready to use in access control groups, or features like newsletters, surveys etc.
These audiences cannot be edited or deleted from UI. Segment audiences are updated automatically if there is a user added/removed from the segment. Segment audiences are created/deleted automatically when a segment is added/deleted.
There is no action needed for segments post ABAC activation.
Featured sites
Featured sites are not managed through segments.
Permission to manage featured sites is managed through ‘Manage sites’ access control groups. This permission can be given for any audience.
Home dashboard and Branding
If segment setting for Home dashboard and Branding was set as “Managed per segment’, the system creates access control groups for each segment automatically. It allows you to assign anyone permission to manage Home dashboard and Branding for one or more segments.
Need More Help?
For ABAC concepts and setup → Refer to ABAC learning documentation
For any issues → Contact Support
Subscribe to receive updates on this article