
ABAC return serialized permissions


How can we get possible actions (permissions) with ABAC? I need to tell the front-end that this button should be hidden, as this action is restricted for this particular case, and not for another.

Currently a hybrid RBAC/ABAC model is the only thing I'm thinking about, but it still does not cover all the cases, as we might have unauthenticated access, the permissions for which will not be covered by RBAC; therefore that should be covered by ABAC.

The question is: is it possible with ABAC to collect all allowed actions for this user for the current object?


Solution

  • Yes, you can restrict UI elements based on the user's attributes. And if a user's attributes change, like the user is promoted or demoted, then the front end will be adjusted based on your policy once the logic is implemented.

    I have an example project on Github that demonstrates restricting a UI element with ABAC using Java + Spring Security: https://github.com/michaelcgood/spring-security-ui-demo

    As I mentioned, I work for Axiomatics and this project is configured to work with an Axiomatics project in the pdp.properties. However, this project could be used with other software implementing XACML for ABAC with the proper properties settings.

    If you don't use Java, then the project won't be as useful to you. However, it certainly does demonstrate what you are asking - that UI elements can be restricted.

    The front end framework used is Thymeleaf, a server side Java template engine that is HTML friendly.

    And the code that restricts a UI element by applying a resource ID is this:

        <div class="jumbotron" style="background-color: green" sec:authorize="XACMLDecisionUI('secretmessage')">
            <p style="color:white" align="center">Message only available to senior admins (seniority == 2).</p>
        </div>

    If you do happen to be using Axiomatics software, please let me know in the comments and I have further guidance I could give you.

    Thanks, Michael
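The answer above shows a per-element decision (one resource ID, one permit/deny). The question also asks for the other direction: collecting every action a subject is allowed on one object, including the unauthenticated case that RBAC does not cover, and handing that list to the front end. The following is an added example, not code from the original post or from the linked spring-security-ui-demo project, and it uses no XACML engine: it is a small deny-by-default policy evaluator in Python whose attribute names (`id`, `seniority`, `owner`, `visibility`, `network`), rules and sample data are all constructed for this illustration. An unauthenticated subject is simply an empty attribute set, so it is evaluated by the same rules as everyone else.

```python
"""Added example: compute and serialize the set of actions a subject may perform
on one resource under attribute-based rules. Attribute names, rules and sample
data below are constructed for illustration, not taken from any real project."""
import json
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Set

# A rule looks at subject, resource and environment attributes and returns
# True when it grants the action it belongs to.
Rule = Callable[[Dict[str, Any], Dict[str, Any], Dict[str, Any]], bool]


@dataclass
class Policy:
    action: str
    # Any matching rule permits the action; no matching rule means deny.
    rules: List[Rule] = field(default_factory=list)


def _is_owner(s: Dict[str, Any], r: Dict[str, Any]) -> bool:
    # Guard against both sides being None (an anonymous subject on an
    # ownerless resource must not compare equal).
    return s.get("id") is not None and s.get("id") == r.get("owner")


# Constructed policy set. Deny-by-default: an action absent here, or one whose
# rules all return False, is not allowed.
POLICIES: List[Policy] = [
    # Public resources are readable by anyone, authenticated or not.
    Policy("read", [
        lambda s, r, e: r.get("visibility") == "public",
        lambda s, r, e: _is_owner(s, r),
        lambda s, r, e: s.get("seniority", 0) >= 2,
    ]),
    # Only the owner or a senior admin (seniority >= 2) may edit.
    Policy("edit", [
        lambda s, r, e: _is_owner(s, r),
        lambda s, r, e: s.get("seniority", 0) >= 2,
    ]),
    # Deletion needs a senior admin connecting from the corporate network.
    Policy("delete", [
        lambda s, r, e: s.get("seniority", 0) >= 2 and e.get("network") == "corp",
    ]),
]


def allowed_actions(subject: Dict[str, Any], resource: Dict[str, Any],
                    environment: Dict[str, Any],
                    policies: List[Policy] = POLICIES) -> Set[str]:
    """Evaluate every policy once for this subject/resource/environment and
    return the actions that at least one rule permits."""
    return {
        p.action for p in policies
        if any(rule(subject, resource, environment) for rule in p.rules)
    }


def serialize_permissions(subject: Dict[str, Any], resource: Dict[str, Any],
                          environment: Dict[str, Any]) -> str:
    """JSON the front end can use to decide which buttons to render. The
    back end must still evaluate the same policies on every request; this
    payload is a rendering hint, not the enforcement point."""
    allowed = allowed_actions(subject, resource, environment)
    return json.dumps({"resource": resource["id"], "allowed": sorted(allowed)})


if __name__ == "__main__":
    # Constructed sample data.
    anonymous = {}                                   # unauthenticated visitor
    alice = {"id": "alice", "seniority": 0}
    bob = {"id": "bob", "seniority": 2}              # senior admin
    public_doc = {"id": "doc1", "visibility": "public", "owner": "alice"}
    private_doc = {"id": "doc2", "visibility": "private", "owner": "alice"}
    print(serialize_permissions(anonymous, public_doc, {"network": "internet"}))
    print(serialize_permissions(alice, private_doc, {"network": "internet"}))
    print(serialize_permissions(bob, private_doc, {"network": "corp"}))
```

Because the evaluator iterates over the whole policy set for one subject and one resource, the returned set is exactly the "all allowed actions for this user for the current object" the question asks for, and it works identically for an anonymous subject. With a real XACML PDP the same shape is obtained by issuing one decision request per candidate action (or a multi-decision request where the engine supports it) and collecting the permits.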