RocketChat · KevLehman · Mar 23, 2026 · Mar 23, 2026 · Mar 23, 2026 · Mar 23, 2026
@@ -182,6 +182,7 @@ jobs:
         env:
           ENTERPRISE_LICENSE: ${{ inputs.enterprise-license }}
           TRANSPORTER: ${{ inputs.transporter }}
+          COMPOSE_PROFILES: ${{ inputs.type == 'api' && 'api' || '' }}
         run: |
           DEBUG_LOG_LEVEL=${DEBUG_LOG_LEVEL:-0} docker compose -f docker-compose-ci.yml up -d --wait
 

@@ -1,29 +1,51 @@
-import { Box, Callout, Margins } from '@rocket.chat/fuselage';
-import { Trans } from 'react-i18next';
+import { Accordion, AccordionItem, Box, Callout, Margins } from '@rocket.chat/fuselage';
+import { useSetting } from '@rocket.chat/ui-contexts';
+import { useTranslation, Trans } from 'react-i18next';
 
 import AbacEnabledToggle from './AbacEnabledToggle';
 import SettingField from './SettingField';
 import { useHasLicenseModule } from '../../../../hooks/useHasLicenseModule';
 import { links } from '../../../../lib/links';
 
 const SettingsPage = () => {
+	const { t } = useTranslation();
 	const { data: hasABAC = false } = useHasLicenseModule('abac');
+	const pdpType = useSetting('ABAC_PDP_Type', 'local');
+
 	return (
-		<Box maxWidth='x600' w='full' alignSelf='center'>
+		<Box maxWidth='x600' w='full' alignSelf='center' overflow='auto'>
 			<Box>
 				<Margins block={24}>
 					<AbacEnabledToggle hasABAC={hasABAC} />
+					<SettingField settingId='ABAC_PDP_Type' />
 					<SettingField settingId='ABAC_ShowAttributesInRooms' />
 					<SettingField settingId='Abac_Cache_Decision_Time_Seconds' />
 
-					<Callout>
-						<Trans i18nKey='ABAC_Enabled_callout'>
-							User attributes are synchronized via LDAP
-							<a href={links.go.abacLDAPDocs} rel='noopener noreferrer' target='_blank'>
-								Learn more
-							</a>
-						</Trans>
-					</Callout>
+					<Accordion>
+						<AccordionItem title={t('ABAC_Virtru_PDP_Configuration')}>
+							<Margins block={16}>
+								<SettingField settingId='ABAC_Virtru_Base_URL' />
+								<SettingField settingId='ABAC_Virtru_Client_ID' />
+								<SettingField settingId='ABAC_Virtru_Client_Secret' />
+								<SettingField settingId='ABAC_Virtru_OIDC_Endpoint' />
+								<SettingField settingId='ABAC_Virtru_Default_Entity_Key' />
+								<SettingField settingId='ABAC_Virtru_Attribute_Namespace' />
+								<SettingField settingId='ABAC_Virtru_Sync_Interval' />
+								<SettingField settingId='ABAC_Virtru_Test_Connection' />
+							</Margins>
+						</AccordionItem>
+					</Accordion>
+
+					{pdpType === 'local' && (
+						<Callout>
+							<Trans i18nKey='ABAC_Enabled_callout'>
+								User attributes are synchronized via LDAP
+								<a href={links.go.abacLDAPDocs} rel='noopener noreferrer' target='_blank'>
+									Learn more
+								</a>
+							</Trans>
+						</Callout>
+					)}
 				</Margins>
 			</Box>
 		</Box>

diff --git a/apps/meteor/ee/server/api/abac/index.ts b/apps/meteor/ee/server/api/abac/index.ts
@@ -22,6 +22,8 @@ import {
 	GETAbacRoomsResponseValidator,
 	GETAbacAuditEventsQuerySchema,
 	GETAbacAuditEventsResponseSchema,
+	GETAbacPdpHealthResponseSchema,
+	GETAbacPdpHealthErrorResponseSchema,
 } from './schemas';
 import { API } from '../../../../app/api/server';
 import type { ExtractRoutesFromAPI } from '../../../../app/api/server/ApiClass';
@@ -357,6 +359,31 @@ const abacEndpoints = API.v1
 			return API.v1.success(result);
 		},
 	)
+	.get(
+		'abac/pdp/health',
+		{
+			authRequired: true,
+			permissionsRequired: ['abac-management'],
+			rateLimiterOptions: {
+				numRequestsAllowed: 5,
+				intervalTimeInMS: 60000,
+			},
+			response: {
+				200: GETAbacPdpHealthResponseSchema,
+				400: GETAbacPdpHealthErrorResponseSchema,
+				401: validateUnauthorizedErrorResponse,
+				403: validateUnauthorizedErrorResponse,
+			},
+		},
+		async function action() {
+			try {
+				await Abac.getPDPHealth();
+				return API.v1.success({ available: true, message: 'ABAC_PDP_Health_OK' });
+			} catch (err) {
+				return API.v1.failure({ available: false, message: (err as Error).message });
+			}
+		},
+	)
 	.get(
 		'abac/audit',
 		{

diff --git a/apps/meteor/ee/server/api/abac/schemas.ts b/apps/meteor/ee/server/api/abac/schemas.ts
@@ -342,6 +342,31 @@ export const POSTAbacUsersSyncBodySchema = ajv.compile<{
 
 export const GenericErrorSchema = ajv.compile<{ success: boolean; message: string }>(GenericError);
 
+export const GETAbacPdpHealthResponseSchema = ajv.compile<{
+	available: boolean;
+	message: string;
+}>({
+	type: 'object',
+	properties: {
+		success: { type: 'boolean', enum: [true] },
+		available: { type: 'boolean' },
+		message: { type: 'string' },
+	},
+	required: ['available', 'message'],
+	additionalProperties: false,
+});
+
+export const GETAbacPdpHealthErrorResponseSchema = ajv.compile<{ available: boolean; message: string }>({
+	type: 'object',
+	properties: {
+		success: { type: 'boolean', enum: [false] },
+		available: { type: 'boolean', enum: [false] },
+		message: { type: 'string' },
+	},
+	required: ['available', 'message'],
+	additionalProperties: false,
+});
+
 const GETAbacRoomsListQuerySchema = {
 	type: 'object',
 	properties: {

diff --git a/apps/meteor/ee/server/configuration/abac.ts b/apps/meteor/ee/server/configuration/abac.ts
@@ -1,12 +1,18 @@
+import { Abac } from '@rocket.chat/core-services';
+import { cronJobs } from '@rocket.chat/cron';
 import { License } from '@rocket.chat/license';
 import { Users } from '@rocket.chat/models';
 import { Meteor } from 'meteor/meteor';
 
 import { settings } from '../../../app/settings/server';
 import { LDAPEE } from '../sdk';
 
+const VIRTRU_PDP_SYNC_JOB = 'ABAC_Virtru_PDP_Sync';
+
 Meteor.startup(async () => {
 	let stopWatcher: () => void;
+	let stopCronWatcher: () => void;
+
 	License.onToggledFeature('abac', {
 		up: async () => {
 			const { addSettings } = await import('../settings/abac');
@@ -18,13 +24,37 @@ Meteor.startup(async () => {
 			await import('../hooks/abac');
 
 			stopWatcher = settings.watch('ABAC_Enabled', async (value) => {
-				if (value) {
+				if (value && settings.get<string>('ABAC_PDP_Type') !== 'virtru') {
 					await LDAPEE.syncUsersAbacAttributes(Users.findLDAPUsers());
 				}
 			});
+
+			async function configureVirtruPdpSync(): Promise<void> {
+				if (await cronJobs.has(VIRTRU_PDP_SYNC_JOB)) {
+					await cronJobs.remove(VIRTRU_PDP_SYNC_JOB);
+				}
+
+				const abacEnabled = settings.get('ABAC_Enabled');
+				const pdpType = settings.get<string>('ABAC_PDP_Type');
+
+				if (!abacEnabled || pdpType !== 'virtru') {
+					return;
+				}
+
+				const cronValue = settings.get<string>('ABAC_Virtru_Sync_Interval');
+
+				await cronJobs.add(VIRTRU_PDP_SYNC_JOB, cronValue, () => Abac.evaluateRoomMembership());
+			}
+
+			stopCronWatcher = settings.watchMultiple(['ABAC_PDP_Type', 'ABAC_Virtru_Sync_Interval'], () => configureVirtruPdpSync());
 		},
-		down: () => {
+		down: async () => {
 			stopWatcher?.();
+			stopCronWatcher?.();
+
+			if (await cronJobs.has(VIRTRU_PDP_SYNC_JOB)) {
+				await cronJobs.remove(VIRTRU_PDP_SYNC_JOB);
+			}
 		},
 	});
 });
diff --git a/apps/meteor/ee/server/lib/ldap/Manager.ts b/apps/meteor/ee/server/lib/ldap/Manager.ts
@@ -109,7 +109,8 @@ export class LDAPEEManager extends LDAPManager {
 			!settings.get('LDAP_Enable') ||
 			!settings.get('LDAP_Background_Sync_ABAC_Attributes') ||
 			!License.hasModule('abac') ||
-			!settings.get('ABAC_Enabled')
+			!settings.get('ABAC_Enabled') ||
+			settings.get('ABAC_PDP_Type') === 'virtru'
 		) {
 			return;
 		}
@@ -129,7 +130,12 @@ export class LDAPEEManager extends LDAPManager {
 	}
 
 	public static async syncUsersAbacAttributes(users: FindCursor<IUser>): Promise<void> {
-		if (!settings.get('LDAP_Enable') || !License.hasModule('abac') || !settings.get('ABAC_Enabled')) {
+		if (
+			!settings.get('LDAP_Enable') ||
+			!License.hasModule('abac') ||
+			!settings.get('ABAC_Enabled') ||
+			settings.get('ABAC_PDP_Type') === 'virtru'
+		) {
 			return;
 		}
 

diff --git a/apps/meteor/ee/server/settings/abac.ts b/apps/meteor/ee/server/settings/abac.ts
@@ -1,5 +1,8 @@
 import { settingsRegistry } from '../../../app/settings/server';
 
+const abacEnabledQuery = { _id: 'ABAC_Enabled', value: true };
+const virtruPdpQuery = [abacEnabledQuery, { _id: 'ABAC_PDP_Type', value: 'virtru' }];
+
 export function addSettings(): Promise<void> {
 	return settingsRegistry.addGroup('General', async function () {
 		await this.with(
@@ -15,20 +18,101 @@ export function addSettings(): Promise<void> {
 					section: 'ABAC',
 					i18nDescription: 'ABAC_Enabled_Description',
 				});
+				await this.add('ABAC_PDP_Type', 'local', {
+					type: 'select',
+					public: true,
+					section: 'ABAC',
+					invalidValue: 'local',
+					values: [
+						{ key: 'local', i18nLabel: 'ABAC_PDP_Type_Local' },
+						{ key: 'virtru', i18nLabel: 'ABAC_PDP_Type_Virtru' },
+					],
+					enableQuery: abacEnabledQuery,
+				});
 				await this.add('ABAC_ShowAttributesInRooms', false, {
 					type: 'boolean',
 					public: true,
 					invalidValue: false,
 					section: 'ABAC',
-					enableQuery: { _id: 'ABAC_Enabled', value: true },
+					enableQuery: abacEnabledQuery,
 				});
 				await this.add('Abac_Cache_Decision_Time_Seconds', 300, {
 					type: 'int',
 					public: true,
 					section: 'ABAC',
 					invalidValue: 0,
-					enableQuery: { _id: 'ABAC_Enabled', value: true },
+					enableQuery: [abacEnabledQuery],
+				});
+
+				// Virtru PDP Configuration
+				await this.add('ABAC_Virtru_Base_URL', '', {
+					type: 'string',
+					public: false,
+					invalidValue: '',
+					section: 'ABAC_Virtru_PDP_Configuration',
+					enableQuery: virtruPdpQuery,
+				});
+				await this.add('ABAC_Virtru_Client_ID', '', {
+					type: 'string',
+					public: false,
+					invalidValue: '',
+					section: 'ABAC_Virtru_PDP_Configuration',
+					enableQuery: virtruPdpQuery,
+				});
+				await this.add('ABAC_Virtru_Client_Secret', '', {
+					type: 'password',
+					public: false,
+					invalidValue: '',
+					section: 'ABAC_Virtru_PDP_Configuration',
+					enableQuery: virtruPdpQuery,
+				});
+				await this.add('ABAC_Virtru_OIDC_Endpoint', '', {
+					type: 'string',
+					public: false,
+					invalidValue: '',
+					section: 'ABAC_Virtru_PDP_Configuration',
+					i18nDescription: 'ABAC_Virtru_OIDC_Endpoint_Description',
+					enableQuery: virtruPdpQuery,
+				});
+				await this.add('ABAC_Virtru_Default_Entity_Key', 'emailAddress', {
+					type: 'select',
+					public: false,
+					invalidValue: 'emailAddress',
+					section: 'ABAC_Virtru_PDP_Configuration',
+					i18nDescription: 'ABAC_Virtru_Default_Entity_Key_Description',
+					values: [
+						{ key: 'emailAddress', i18nLabel: 'ABAC_Virtru_Entity_Key_Email' },
+						{ key: 'oidcIdentifier', i18nLabel: 'ABAC_Virtru_Entity_Key_OIDC' },
+					],
+					enableQuery: virtruPdpQuery,
+				});
+				await this.add('ABAC_Virtru_Attribute_Namespace', 'example.com', {
+					type: 'string',
+					public: false,
+					invalidValue: 'example.com',
+					section: 'ABAC_Virtru_PDP_Configuration',
+					i18nDescription: 'ABAC_Virtru_Attribute_Namespace_Description',
+					enableQuery: virtruPdpQuery,
+				});
+				await this.add('ABAC_Virtru_Sync_Interval', '*/5 * * * *', {
+					type: 'string',
+					public: false,
+					invalidValue: '*/5 * * * *',
+					section: 'ABAC_Virtru_PDP_Configuration',
+					i18nDescription: 'ABAC_Virtru_Sync_Interval_Description',
+					enableQuery: virtruPdpQuery,
 				});
+				await this.add(
+					'ABAC_Virtru_Test_Connection',
+					{ method: 'GET', path: '/v1/abac/pdp/health' },
+					{
+						type: 'action',
+						actionText: 'ABAC_Virtru_Test_Connection_Action',
+						invalidValue: '',
+						section: 'ABAC_Virtru_PDP_Configuration',
+						enableQuery: virtruPdpQuery,
+					},
+				);
 			},
 		);
 	});