ABAC: Getting Started with Audience-Based Access Controls (ABAC)

Overview 

Audience-based access controls (ABAC) transform the intranet into a hyper-personalized, secure, and efficient digital workplace. Unlike traditional role-based access, ABAC scopes permissions to specific audiences and attributes, so both actions and content are precisely tailored. Employees only see what matters to them, while organizations benefit from stronger engagement, simplified operations, and enhanced security.

It does this by: 

  • Enabling flexible audience creation.
  • Targeting audience actions or displaying content by employee type, region, department, segment, company, etc.
  • Providing access to features or content based on target audiences, not global roles.
  • Eliminating the need for unlisted sites and complex site management.

In this article, we share the key benefits of audience-based access controls (ABAC) and how you can start using the functionality to achieve your goals.


🚀Rollout plan for application managers

We are committed to a smooth experience and are slowly rolling out ABAC to existing customers between October 27, 2025 and February 9, 2026. ABAC is enabled in customer sandboxes as of October 21, 2021, giving you a secure environment to test and configure these new capabilities. You will receive communication from us two weeks prior to your production activation date.

If you are upgrading from Simpplr Classic to Simpplr One, reach out to your project manager to learn when ABAC will be turned on in your production environment.

 

Understanding the power of audience-based access controls

Audience-based access controls shift access management from static, application-wide roles to precise control based on a user's target audience membership. This enables highly targeted access across your entire organization, handling both broad and granular access control needs.

With ABAC, you can precisely manage content and communications across your organization, ensuring every user interacts only with relevant information. 

This allows you, as an Application Manager, to deliver a highly targeted and secure experience across your entire application. Shifting to an audience-based access model delivers two fundamental, high-value outcomes:

  1. A more personalized employee experience 
  2. Greater control and efficiency for administrators 

| A more personalized employee experience | Greater control and efficiency for admins |
|---|---|
| Higher engagement and adoption: Employees stay connected and engaged because they only see what matters to them. | Enhanced security and compliance: Protect sensitive data by restricting site, content, and feature visibility to precise audience groups, improving governance and meeting compliance requirements. |
| Relevant, tailored intranet: Every interaction feels personalized with content, dashboards, and feeds aligned to role, location, or team. | Flexibility at scale: Utilize connected people data to hyper-segment and target audiences with granular controls, ensuring the right people can manage the right features and content. |

 

What features are included in audience-based access controls (ABAC)? 

ABAC provides access to features based on target audience membership (rather than global roles). It handles both organization-wide ("All Org") and granular access control.

Here is an overview of features and capabilities. Click on the capability to see how you can set it up in our deep dive knowledge base articles: 

| Capability | What it means |
|---|---|
| Audiences | Audiences are dynamic groups of users created based on profile attributes like location, department, or job title. A user can belong to multiple audiences. |
| Advanced audience builder and manager | Define and organize audiences using categories, rules, custom attributes, CSV, or Entra/Okta groups. Includes: audience categories, sub-audiences. |
| Access control groups | Access control groups replace role management and will allow App Managers to create groups for managing features by audience. There are both system (automatically generated) control groups, as well as custom control groups for special features. We also introduce feature owners and feature managers for each access control group. |
| Sites ABAC | Create target audiences for sites. If a user is not part of the max audience, they cannot see the site at all; it’s invisible to them. |
| Content ABAC | Create target audiences for content. If a user is not part of the content audience, they cannot see the content at all; it’s invisible to them (i.e. restricted content). |
| Files ABAC | Upload files to restricted content (see above) and only the selected audience will see those files. |
| Feed ABAC | Turn on the setting to restrict the audience who can view and interact with the feed. |
| Target content notifications by audience | Send a content notification to specific people within your site. |
| Target must reads by audience | Send a must read to a specific audience within your site. |
| Segments | Segments define the personalized experience for a group of users within a single intranet. They enable tailored branding, home dashboard configuration, and a curated set of apps and links. A user can belong to only one segment. |

 

Getting Started with ABAC: Your intranet manager/app manager action plan

As the application manager, your first steps should focus on establishing the foundational Audience Architecture and Access Control Groups. We will share some tips along the way and we encourage you to take some of our intro courses in Simpplr Academy, found here.

We recommend following this three-part plan to get the most value out of audience-based access controls:

  1. Part 1: Establish your audience foundation: Organize and build dynamic groups based on clean people data.
  2. Part 2: Delegate power with Access Control Groups (ACGs): Delegate administrative feature management using access control groups.
  3. Part 3: Implement site, content, and notification targeting: Apply your new audiences to sites, content, and notifications to deliver a precise, secure user experience.

If you don’t want to delegate feature management, you can skip to part 3 after you complete part 1. 

Part 1: Establish your audience foundation and organize your audiences into categories 

You will get the most value out of audience-based access controls (ABAC) when you define clear, accurate audiences based on your integrated people data. Audiences are built from standard or custom user attributes such as department, job title, and location, and are dynamically updated. You can find information on how to sync user data in this help article about user syncing.

Follow these steps:

| Step | Action for the app manager | Why this is critical |
|---|---|---|
| 1. Audit available people data | Go to Manage people and review the synced people data and attributes (e.g., fields for Location, Department, Job Title, etc.) currently available in the system. | Data mapping: This verifies what attributes you can use for dynamic audience rules, ensuring your ABAC strategy is based on available, reliable data. |
| 2. Create audience categories | Go to the Advanced audience builder and create your audience categories. These act like folders to organize your future audiences by type. | Organization and scalability: Provides a clear structure that prevents the audience list from becoming overwhelming as you scale. |
| 3. Create audience rules | Create your first set of high-level audiences. Focus on the major groups you use for targeting today (e.g. Departments, Locations, Job titles). | Foundations: Audience rules are built on a single condition/operator and automatically generate audiences for you. Recommended for creating many audiences in bulk. |
| 4. Organize and create audiences (optional) | Organize existing audiences into your new audience category structure by editing the audience and updating the audience category. Then create new audiences manually or via CSV using the audience builder. | Organization and scalability: Provides a clear structure that prevents the audience list from becoming overwhelming as you scale. |
| 5. Validate membership and access | Use the audience filters to test specific users and confirm they are in the correct audience. Then navigate to your Sites system audience and confirm you see your sites in this category. | Verification: Ensures your data and rules are working as intended. Confirms that the ABAC functionality is ready for use in access control groups, feature controls, site and content access, and notifications. |

Part 2: Delegating power with Access Control Groups (ACGs) 

This part involves moving away from application-wide roles and assigning feature management rights to specific audiences and people. There are system access control groups and there are custom access control groups.  

Once your core Audience Architecture is built, you can use Access Control Groups (ACGs) to securely shift administrative oversight to feature owners. This is how you enforce the Principle of Least Privilege, ensuring that only authorized people can manage specific features.

Note:

To see an overview of what Access Control Groups are available for configuration, we recommend reading our overview article on Access Control Groups.

The goal of ABAC is to move the heavy lifting of managing feature access from the application manager to the feature owner: 

  • The application manager defines the structure of Audiences and Access control groups (ACGs).
  • The feature owner defines access control groups for a feature and manages who can manage that feature for a defined audience.
  • The feature admin (optional) can add or remove managers for a feature for their defined audience.  
  • The feature manager uses the feature for their defined audience. 

Follow these steps for part 2 of your configuration of Access Control groups: 

| Step | Action for the app manager | Why this is critical |
|---|---|---|
| 1. Define feature owners | Navigate to Access Control. Identify a feature you want to delegate (e.g., Newsletters, Manage sites, Add sites) and add your feature owners. App managers are feature owners for all features by default. | Clear accountability: This assigns high-level ownership to the business group responsible for the feature, moving the maintenance responsibility away from the Application manager. |
| 2. Determine and create your custom access control groups | Review the system-generated “All Org” ACGs that automatically appeared when ABAC was enabled. Identify which features need to be delegated and controlled for specific audiences, and create custom ACGs (e.g. Newsletter for USA audience). | Total coverage: Ensures features you need to delegate have a dedicated permission container. |
| 3. Assign managers to access control groups | Within each ACG, define the specific person, or people, who should be granted “Manager” rights (e.g. assign Nancy as the Manager to the Newsletter USA ACG). | Granular control: This enforces Least Privilege by using audience attributes to grant the exact management access needed, without giving that person/people access over any other feature or audience. |
| 4. Log in as a feature owner or feature manager | Impersonate or log in as a user assigned to the new feature owner and feature manager audiences in your sandbox or production environment. | Verification: This is the critical security check. You should confirm that the delegated user can perform their intended tasks (e.g., edit the newsletter) but cannot access settings or features outside of their assigned ACG. |

By completing these four steps, you effectively convert global administrative control into targeted administrative access. You are no longer the bottleneck for every permission request; the Feature owner is empowered to govern their own piece of the intranet puzzle, all while operating within the secure boundaries you defined.  

Note:

We recommend reviewing your access control groups annually to ensure you have the right people in the right roles. If you ever need to make changes to your controls, you can edit feature owners, managers, and control groups on the Access Controls page.

You now have a complete, structured guide for setting up both the audience foundation and the access delegation model.

Part 3: Implement site, content, and notification targeting

This part involves applying audience-based access controls to your sites, content, and notifications. This ensures a personalized, clutter-free, and secure intranet experience.

We recommend that as an Application manager, you try out these steps in your sandbox so you can educate your Site and Content managers on how to use this functionality. If you don’t have a sandbox, contact your CSM to have one enabled.

Follow these steps to get started: 

| Step | Action for the app manager | Why this is critical |
|---|---|---|
| 1. Create a site in sandbox | Create a site or click into an existing public site in your sandbox. | Learn how to create a site and manage site setup using the new audience-based access functionality. |
| 2. Create and restrict a page | Create a new page in your site. Use Content ABAC to restrict its visibility to a specific, targeted audience you defined (e.g., 'West Coast Sales'). | Security: Testing that the content is hidden at the page level. |
| 3. Add your page to the site carousel | Add the restricted content from step 2 to the site carousel. | Discoverability: Verifying that a user outside the target audience cannot see the restricted content, even when it is promoted on a major visual element. |
| 4. Send a notification (restricted page) | Send a content notification using the restricted page created in Step 2. | Precision: Testing that the notification system honors the page's ABAC rules, delivering the notification only to the intended audience. |
| 5. Send a notification (unrestricted page) | Send a content notification using an unrestricted page on the same site. | Baseline: Establishing that general notifications can be broadcast to members and followers of a site, or to a specific audience within the site, confirming that ABAC is not universally restricting all communications. |
| 6. Validate the user experience | Log in as two test users: one who is in the 'restricted page' audience, and one who is not. | Experience & enforcement: Verify the in-audience user sees the page, the carousel item, and the notification. Confirm the out-of-audience user sees none of those restricted items. |
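
The validation in step 6 can be written down as an expected-visibility matrix before you log in as the test users. The sketch below is an added example, not Simpplr code or a Simpplr API: the `Rule` class, its two operators, the `region` attribute, and the sample users and observations are all assumptions constructed for illustration.

```python
# Added illustration: a hypothetical model, not Simpplr code or a Simpplr API.
from dataclasses import dataclass

SURFACES = ("page", "carousel", "notification")  # surfaces exercised in steps 2-4

@dataclass(frozen=True)
class Rule:
    """Single condition/operator audience rule (operators are assumed)."""
    attribute: str
    operator: str  # "equals" or "in"
    value: object

    def matches(self, user: dict) -> bool:
        actual = user.get(self.attribute)
        if actual is None:  # missing attribute: fail closed, user is not in the audience
            return False
        if self.operator == "equals":
            return actual == self.value
        if self.operator == "in":
            return actual in self.value
        raise ValueError(f"unknown operator: {self.operator}")

def expected_matrix(users, rule):
    """Expected visibility of the restricted page on every surface, per user."""
    return {u["name"]: {s: rule.matches(u) for s in SURFACES} for u in users}

def audit(expected, observed):
    """Flag leaks (outsider saw it), blocks (member could not), and untested cells."""
    findings = []
    for name, surfaces in expected.items():
        for surface, should_see in surfaces.items():
            saw = observed.get(name, {}).get(surface)
            if saw is None:
                findings.append((name, surface, "untested"))
            elif saw and not should_see:
                findings.append((name, surface, "leak"))
            elif should_see and not saw:
                findings.append((name, surface, "blocked"))
    return findings

# Constructed sample data: two test users (step 6) and walkthrough observations
# in which the carousel wrongly shows the restricted page to the outsider.
USERS = [
    {"name": "in_audience", "region": "West Coast", "department": "Sales"},
    {"name": "out_of_audience", "region": "East Coast", "department": "Sales"},
]
WEST_COAST = Rule("region", "equals", "West Coast")
OBSERVED = {
    "in_audience": {"page": True, "carousel": True, "notification": True},
    "out_of_audience": {"page": False, "carousel": True},
}
FINDINGS = audit(expected_matrix(USERS, WEST_COAST), OBSERVED)
```

A "leak" finding is the security-relevant one; an "untested" finding means the walkthrough skipped a surface for that user and the check is incomplete.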

With your full validation complete in the sandbox, you are ready to introduce the next generation of access control to your live environment.

Audience-based access controls (ABAC) move your intranet beyond broad permissions to precise, attribute-driven governance. By ensuring that every employee sees only the sites, features, and content relevant to their unique role, location, and needs, you have delivered a platform that is not only more secure and compliant but is also vastly more personal and effective.

You are now prepared to manage your intranet with unprecedented efficiency and strategic control.

Note: Some features may not be available in your instance due to packaging and pricing. To learn what features are available to your org and how they are bundled with the Simpplr One packaging, contact your CSM or Account Manager.
