From 73d9eb2783176954f42aa2cbeda8abf1d49ac260 Mon Sep 17 00:00:00 2001
From: Kevin Aleman <kaleman960@gmail.com>
Date: Thu, 18 Dec 2025 06:32:11 -0600
Subject: [PATCH] feat: ABAC (#37091)

Co-authored-by: Tasso <tasso.evangelista@rocket.chat>
Co-authored-by: Martin Schoeler <martin.schoeler@rocket.chat>
Co-authored-by: MartinSchoeler <martinschoeler8@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .changeset/ninety-dodos-confess.md            |   15 +
 apps/meteor/app/api/server/v1/rooms.ts        |  142 +-
 apps/meteor/app/api/server/v1/teams.ts        |    8 +
 .../server/methods/saveRoomSettings.ts        |   38 +-
 .../server/functions/findOrCreateInvite.ts    |    7 +
 .../server/functions/validateInviteToken.ts   |    9 +
 .../functions/addUserToDefaultChannels.ts     |    5 +
 .../app/lib/server/functions/addUserToRoom.ts |    6 +-
 .../lib/server/functions/getFullUserData.ts   |    1 +
 .../server/functions/removeUserFromRoom.ts    |   35 +-
 .../app/lib/server/lib/beforeAddUserToRoom.ts |    6 +
 .../app/slashcommands-invite/server/server.ts |   48 +-
 .../app/statistics/server/lib/statistics.ts   |   22 +
 .../server/functions/getBaseUserFields.ts     |    1 +
 .../ABACUpsellModal/ABACUpsellModal.spec.tsx  |    9 +-
 .../components/UserInfo/UserInfo.stories.tsx  |   12 +-
 .../client/components/UserInfo/UserInfo.tsx   |    6 +-
 .../UserInfo/UserInfoABACAttributes.tsx       |   15 +-
 .../__snapshots__/UserInfo.spec.tsx.snap      |   11 +-
 .../items/actions/ForwardMessageAction.tsx    |    1 -
 .../message/toolbar/usePermalinkAction.ts     |    1 -
 .../message/toolbar/useReplyInDMAction.ts     |    1 -
 apps/meteor/client/lib/links.ts               |    2 +
 apps/meteor/client/lib/queryKeys.ts           |   19 +
 .../client/lib/rooms/roomTypes/private.ts     |    1 -
 .../lib/utils/mapSubscriptionFromApi.ts       |    2 +
 .../ABAC/ABACAttributesTab/AttributeMenu.tsx  |   28 +
 .../AttributesContextualBar.tsx               |   99 +
 .../AttributesContextualBarWithData.tsx       |   28 +
 .../AttributesForm.spec.tsx}                  |   49 +-
 .../AttributesForm.stories.tsx}               |   25 +-
 .../ABAC/ABACAttributesTab/AttributesForm.tsx |  163 ++
 .../ABAC/ABACAttributesTab/AttributesPage.tsx |  110 +
 .../AttributesForm.spec.tsx.snap}             |  272 +-
 .../views/admin/ABAC/ABACLogsTab/LogsPage.tsx |  213 ++
 .../ABACRoomsTab/DeleteRoomModal.spec.tsx     |   71 +
 .../ABAC/ABACRoomsTab/DeleteRoomModal.tsx     |   48 +
 .../admin/ABAC/ABACRoomsTab/RoomForm.tsx      |  131 +
 .../RoomFormAttributeField.spec.tsx           |   13 +
 .../RoomFormAttributeField.stories.tsx        |   73 +
 .../ABACRoomsTab/RoomFormAttributeField.tsx   |   93 +
 .../RoomFormAttributeFields.spec.tsx          |  136 +
 .../ABACRoomsTab/RoomFormAttributeFields.tsx  |   37 +
 .../RoomFormAutocomplete.spec.tsx             |   60 +
 .../RoomFormAutocomplete.stories.tsx          |   42 +
 .../ABACRoomsTab/RoomFormAutocomplete.tsx     |   58 +
 .../RoomFormAutocompleteDummy.tsx             |   11 +
 .../admin/ABAC/ABACRoomsTab/RoomMenu.tsx      |   28 +
 .../ABAC/ABACRoomsTab/RoomsContextualBar.tsx  |   89 +
 .../RoomsContextualBarWithData.tsx            |   34 +
 .../admin/ABAC/ABACRoomsTab/RoomsPage.tsx     |  137 +
 .../DeleteRoomModal.spec.tsx.snap             |   98 +
 .../RoomFormAttributeField.spec.tsx.snap      |   95 +
 .../RoomFormAutocomplete.spec.tsx.snap        |   31 +
 .../ABAC/ABACSettingTab/AbacEnabledToggle.tsx |   95 +
 .../ABAC/ABACSettingTab/SettingField.spec.tsx |   58 +
 .../ABAC/ABACSettingTab/SettingField.tsx      |  145 +
 .../ABACSettingTab/SettingToggle.spec.tsx     |  142 +
 .../ABACSettingTab/SettingToggle.stories.tsx  |   64 +
 .../ABAC/ABACSettingTab/SettingsPage.tsx      |   33 +
 .../ABAC/ABACSettingTab/WarningModal.tsx      |   48 +
 .../__snapshots__/SettingToggle.spec.tsx.snap |  152 +
 .../client/views/admin/ABAC/AdminABACPage.tsx |  103 +
 .../ABAC/AdminABACRoomAttributesForm.tsx      |  135 -
 .../views/admin/ABAC/AdminABACRoute.tsx       |   64 +
 .../client/views/admin/ABAC/AdminABACTabs.tsx |   33 +
 .../admin/ABAC/hooks/useAttributeList.ts      |   39 +
 .../ABAC/hooks/useAttributeOptions.spec.tsx   |  267 ++
 .../admin/ABAC/hooks/useAttributeOptions.tsx  |  101 +
 .../ABAC/hooks/useDeleteRoomModal.spec.tsx    |   52 +
 .../admin/ABAC/hooks/useDeleteRoomModal.tsx   |   11 +
 .../admin/ABAC/hooks/useIsABACAvailable.ts    |   10 +
 .../admin/ABAC/hooks/useRoomItems.spec.tsx    |  124 +
 .../views/admin/ABAC/hooks/useRoomItems.tsx   |   40 +
 .../moderation/helpers/DateRangePicker.tsx    |   16 +-
 apps/meteor/client/views/admin/routes.tsx     |    9 +
 .../meteor/client/views/admin/sidebarItems.ts |    6 +
 .../admin/users/AdminUserInfoWithData.tsx     |    2 +
 .../currentChats/CurrentChatsPage.tsx         |    2 +-
 .../Info/RoomInfo/RoomInfo.stories.tsx        |    7 +-
 .../RoomMembers/RoomMembersWithData.tsx       |    1 -
 apps/meteor/ee/server/api/abac/index.ts       |  421 +++
 apps/meteor/ee/server/api/abac/schemas.ts     |  389 +++
 apps/meteor/ee/server/api/index.ts            |    1 +
 apps/meteor/ee/server/configuration/abac.ts   |   29 +
 apps/meteor/ee/server/configuration/index.ts  |    1 +
 apps/meteor/ee/server/configuration/ldap.ts   |   17 +
 .../server/hooks/abac/beforeAddUserToRoom.ts  |   22 +
 apps/meteor/ee/server/hooks/abac/index.ts     |    1 +
 apps/meteor/ee/server/lib/abac/index.ts       |    9 +
 apps/meteor/ee/server/lib/audit/methods.ts    |    5 +-
 apps/meteor/ee/server/lib/ldap/Manager.ts     |  131 +-
 .../ee/server/local-services/ldap/service.ts  |   10 +
 .../ee/server/sdk/types/ILDAPEEService.ts     |    5 +
 apps/meteor/ee/server/settings/abac.ts        |   35 +
 apps/meteor/ee/server/settings/ldap.ts        |   24 +
 apps/meteor/ee/server/startup/services.ts     |    2 +
 apps/meteor/lib/publishFields.ts              |    3 +
 apps/meteor/lib/rooms/adminFields.ts          |    1 +
 apps/meteor/package.json                      |    1 +
 .../dataExport/exportRoomMessagesToFile.ts    |    3 +
 .../meteor/server/methods/addAllUserToRoom.ts |    6 +
 apps/meteor/server/models.ts                  |    2 +
 .../services/authorization/canAccessRoom.ts   |   28 +-
 .../server/services/authorization/service.ts  |    3 +-
 apps/meteor/server/services/room/service.ts   |   17 +-
 apps/meteor/tests/end-to-end/api/abac.ts      | 2455 +++++++++++++++++
 apps/meteor/tests/end-to-end/api/rooms.ts     |  104 +
 apps/meteor/tests/mocks/data.ts               |    1 +
 development/ldap/02-data.ldif                 |  204 ++
 docker-compose-ci.yml                         |   18 +-
 ee/apps/authorization-service/Dockerfile      |    3 +
 ee/apps/authorization-service/package.json    |    1 +
 ee/apps/authorization-service/src/service.ts  |    6 +
 ee/packages/abac/.eslintrc.json               |    4 +
 ee/packages/abac/jest.config.ts               |    7 +
 ee/packages/abac/package.json                 |   42 +
 ee/packages/abac/src/audit.ts                 |  148 +
 .../abac/src/can-access-object.spec.ts        |  264 ++
 ee/packages/abac/src/errors.ts                |   93 +
 ee/packages/abac/src/helper.spec.ts           |  478 ++++
 ee/packages/abac/src/helper.ts                |  324 +++
 ee/packages/abac/src/index.ts                 |  667 +++++
 ee/packages/abac/src/service.spec.ts          | 1136 ++++++++
 .../subject-attributes-validations.spec.ts    |  480 ++++
 .../abac/src/user-auto-removal.spec.ts        |  477 ++++
 ee/packages/abac/tsconfig.json                |   10 +
 .../src/definition/messages/MessageType.ts    |    4 +-
 packages/core-services/src/index.ts           |    3 +
 .../core-services/src/types/IAbacService.ts   |   49 +
 .../core-services/src/types/IAuthorization.ts |    2 +-
 .../core-services/src/types/IRoomService.ts   |    8 +-
 packages/core-typings/src/Abac.ts             |    9 +
 packages/core-typings/src/IAbacAttribute.ts   |   16 +
 .../core-typings/src/IMessage/IMessage.ts     |    1 +
 packages/core-typings/src/IRoom.ts            |    6 +-
 packages/core-typings/src/IStats.ts           |    4 +
 packages/core-typings/src/ISubscription.ts    |    2 +
 packages/core-typings/src/IUser.ts            |    3 +
 .../src/ServerAudit/IAuditServerAbacAction.ts |   89 +
 packages/core-typings/src/index.ts            |    4 +
 .../core-typings/src/license/LicenseModule.ts |    1 +
 packages/i18n/src/locales/en.i18n.json        |   90 +-
 packages/jwt/__tests__/jwt.spec.ts            |    1 +
 .../message-types/src/registrations/common.ts |    6 +
 packages/model-typings/src/index.ts           |    1 +
 .../src/models/IAbacAttributesModel.ts        |   10 +
 .../model-typings/src/models/IRoomsModel.ts   |   13 +
 .../src/models/ISubscriptionsModel.ts         |    1 +
 .../model-typings/src/models/IUsersModel.ts   |    7 +
 packages/models/src/index.ts                  |    6 +
 packages/models/src/modelClasses.ts           |    1 +
 packages/models/src/models/AbacAttributes.ts  |   39 +
 packages/models/src/models/Rooms.ts           |  114 +
 packages/models/src/models/Subscriptions.ts   |   15 +
 packages/models/src/models/Users.ts           |   40 +
 yarn.lock                                     |  747 ++++-
 157 files changed, 13369 insertions(+), 465 deletions(-)
 create mode 100644 .changeset/ninety-dodos-confess.md
 create mode 100644 apps/meteor/app/lib/server/lib/beforeAddUserToRoom.ts
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributeMenu.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesContextualBar.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesContextualBarWithData.tsx
 rename apps/meteor/client/views/admin/ABAC/{AdminABACRoomAttributesForm.spec.tsx => ABACAttributesTab/AttributesForm.spec.tsx} (84%)
 rename apps/meteor/client/views/admin/ABAC/{AdminABACRoomAttributesForm.stories.tsx => ABACAttributesTab/AttributesForm.stories.tsx} (68%)
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesForm.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesPage.tsx
 rename apps/meteor/client/views/admin/ABAC/{__snapshots__/AdminABACRoomAttributesForm.spec.tsx.snap => ABACAttributesTab/__snapshots__/AttributesForm.spec.tsx.snap} (60%)
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACLogsTab/LogsPage.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACRoomsTab/DeleteRoomModal.spec.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACRoomsTab/DeleteRoomModal.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomForm.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeField.spec.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeField.stories.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeField.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeFields.spec.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeFields.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAutocomplete.spec.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAutocomplete.stories.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAutocomplete.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAutocompleteDummy.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomMenu.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomsContextualBar.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomsContextualBarWithData.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomsPage.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACRoomsTab/__snapshots__/DeleteRoomModal.spec.tsx.snap
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACRoomsTab/__snapshots__/RoomFormAttributeField.spec.tsx.snap
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACRoomsTab/__snapshots__/RoomFormAutocomplete.spec.tsx.snap
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACSettingTab/AbacEnabledToggle.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACSettingTab/SettingField.spec.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACSettingTab/SettingField.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACSettingTab/SettingToggle.spec.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACSettingTab/SettingToggle.stories.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACSettingTab/SettingsPage.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACSettingTab/WarningModal.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/ABACSettingTab/__snapshots__/SettingToggle.spec.tsx.snap
 create mode 100644 apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx
 delete mode 100644 apps/meteor/client/views/admin/ABAC/AdminABACRoomAttributesForm.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/AdminABACTabs.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/hooks/useAttributeList.ts
 create mode 100644 apps/meteor/client/views/admin/ABAC/hooks/useAttributeOptions.spec.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/hooks/useAttributeOptions.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/hooks/useDeleteRoomModal.spec.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/hooks/useDeleteRoomModal.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/hooks/useIsABACAvailable.ts
 create mode 100644 apps/meteor/client/views/admin/ABAC/hooks/useRoomItems.spec.tsx
 create mode 100644 apps/meteor/client/views/admin/ABAC/hooks/useRoomItems.tsx
 create mode 100644 apps/meteor/ee/server/api/abac/index.ts
 create mode 100644 apps/meteor/ee/server/api/abac/schemas.ts
 create mode 100644 apps/meteor/ee/server/configuration/abac.ts
 create mode 100644 apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
 create mode 100644 apps/meteor/ee/server/hooks/abac/index.ts
 create mode 100644 apps/meteor/ee/server/lib/abac/index.ts
 create mode 100644 apps/meteor/ee/server/settings/abac.ts
 create mode 100644 apps/meteor/tests/end-to-end/api/abac.ts
 create mode 100644 development/ldap/02-data.ldif
 create mode 100644 ee/packages/abac/.eslintrc.json
 create mode 100644 ee/packages/abac/jest.config.ts
 create mode 100644 ee/packages/abac/package.json
 create mode 100644 ee/packages/abac/src/audit.ts
 create mode 100644 ee/packages/abac/src/can-access-object.spec.ts
 create mode 100644 ee/packages/abac/src/errors.ts
 create mode 100644 ee/packages/abac/src/helper.spec.ts
 create mode 100644 ee/packages/abac/src/helper.ts
 create mode 100644 ee/packages/abac/src/index.ts
 create mode 100644 ee/packages/abac/src/service.spec.ts
 create mode 100644 ee/packages/abac/src/subject-attributes-validations.spec.ts
 create mode 100644 ee/packages/abac/src/user-auto-removal.spec.ts
 create mode 100644 ee/packages/abac/tsconfig.json
 create mode 100644 packages/core-services/src/types/IAbacService.ts
 create mode 100644 packages/core-typings/src/Abac.ts
 create mode 100644 packages/core-typings/src/IAbacAttribute.ts
 create mode 100644 packages/core-typings/src/ServerAudit/IAuditServerAbacAction.ts
 create mode 100644 packages/model-typings/src/models/IAbacAttributesModel.ts
 create mode 100644 packages/models/src/models/AbacAttributes.ts

diff --git a/.changeset/ninety-dodos-confess.md b/.changeset/ninety-dodos-confess.md
new file mode 100644
index 00000000000..b85badf29d0
--- /dev/null
+++ b/.changeset/ninety-dodos-confess.md
@@ -0,0 +1,15 @@
+---
+'@rocket.chat/authorization-service': minor
+'@rocket.chat/core-services': minor
+'@rocket.chat/message-types': minor
+'@rocket.chat/model-typings': minor
+'@rocket.chat/core-typings': minor
+'@rocket.chat/apps-engine': minor
+'@rocket.chat/abac': minor
+'@rocket.chat/models': minor
+'@rocket.chat/i18n': minor
+'@rocket.chat/jwt': minor
+'@rocket.chat/meteor': minor
+---
+
+Adds Attribute Based Access Control (ABAC) for private channels & private teams.
diff --git a/apps/meteor/app/api/server/v1/rooms.ts b/apps/meteor/app/api/server/v1/rooms.ts
index eb9b261d634..2fdc1c071c7 100644
--- a/apps/meteor/app/api/server/v1/rooms.ts
+++ b/apps/meteor/app/api/server/v1/rooms.ts
@@ -22,6 +22,7 @@ import {
 import { Meteor } from 'meteor/meteor';
 
 import { isTruthy } from '../../../../lib/isTruthy';
+import { adminFields } from '../../../../lib/rooms/adminFields';
 import { omit } from '../../../../lib/utils/omit';
 import * as dataExport from '../../../../server/lib/dataExport';
 import { eraseRoom } from '../../../../server/lib/eraseRoom';
@@ -1032,49 +1033,120 @@ const isRoomGetRolesPropsSchema = {
 	additionalProperties: false,
 	required: ['rid'],
 };
-export const roomEndpoints = API.v1.get(
-	'rooms.roles',
-	{
-		authRequired: true,
-		query: ajv.compile<{
-			rid: string;
-		}>(isRoomGetRolesPropsSchema),
-		response: {
-			200: ajv.compile<{
-				roles: RoomRoles[];
-			}>({
-				type: 'object',
-				properties: {
-					roles: {
-						type: 'array',
-						items: {
-							type: 'object',
-							properties: {
-								rid: { type: 'string' },
-								u: {
-									type: 'object',
-									properties: { _id: { type: 'string' }, username: { type: 'string' } },
-									required: ['_id', 'username'],
+export const roomEndpoints = API.v1
+	.get(
+		'rooms.roles',
+		{
+			authRequired: true,
+			query: ajv.compile<{
+				rid: string;
+			}>(isRoomGetRolesPropsSchema),
+			response: {
+				200: ajv.compile<{
+					roles: RoomRoles[];
+				}>({
+					type: 'object',
+					properties: {
+						roles: {
+							type: 'array',
+							items: {
+								type: 'object',
+								properties: {
+									rid: { type: 'string' },
+									u: {
+										type: 'object',
+										properties: { _id: { type: 'string' }, username: { type: 'string' } },
+										required: ['_id', 'username'],
+									},
+									roles: { type: 'array', items: { type: 'string' } },
 								},
-								roles: { type: 'array', items: { type: 'string' } },
+								required: ['rid', 'u', 'roles'],
 							},
-							required: ['rid', 'u', 'roles'],
 						},
 					},
+					required: ['roles'],
+				}),
+			},
+		},
+		async function () {
+			const { rid } = this.queryParams;
+			const roles = await executeGetRoomRoles(rid, this.userId);
+
+			return API.v1.success({
+				roles,
+			});
+		},
+	)
+	.get(
+		'rooms.adminRooms.privateRooms',
+		{
+			authRequired: true,
+			permissionsRequired: ['view-room-administration'],
+			query: ajv.compile<{
+				filter?: string;
+				offset?: number;
+				count?: number;
+				sort?: string;
+			}>({
+				type: 'object',
+				properties: {
+					filter: { type: 'string' },
+					offset: { type: 'number' },
+					count: { type: 'number' },
+					sort: { type: 'string' },
 				},
-				required: ['roles'],
+				additionalProperties: true,
 			}),
+			response: {
+				400: validateBadRequestErrorResponse,
+				401: validateUnauthorizedErrorResponse,
+				403: validateUnauthorizedErrorResponse,
+				200: ajv.compile<{
+					rooms: IRoom[];
+					count: number;
+					offset: number;
+					total: number;
+				}>({
+					type: 'object',
+					properties: {
+						rooms: {
+							type: 'array',
+							items: { type: 'object' },
+						},
+						count: { type: 'number' },
+						offset: { type: 'number' },
+						total: { type: 'number' },
+						success: { type: 'boolean', enum: [true] },
+					},
+					required: ['rooms', 'count', 'offset', 'total', 'success'],
+					additionalProperties: false,
+				}),
+			},
 		},
-	},
-	async function () {
-		const { rid } = this.queryParams;
-		const roles = await executeGetRoomRoles(rid, this.userId);
+		async function action() {
+			const { offset, count } = await getPaginationItems(this.queryParams);
+			const { sort } = await this.parseJsonQuery();
+			const { filter } = this.queryParams;
 
-		return API.v1.success({
-			roles,
-		});
-	},
-);
+			const name = (filter || '').trim();
+
+			const { cursor, totalCount } = Rooms.findPrivateRoomsAndTeamsPaginated(name, {
+				skip: offset,
+				limit: count,
+				sort: sort || { default: -1, name: 1 },
+				projection: adminFields,
+			});
+
+			const [rooms, total] = await Promise.all([cursor.toArray(), totalCount]);
+
+			return API.v1.success({
+				rooms,
+				count: rooms.length,
+				offset,
+				total,
+			});
+		},
+	);
 
 const roomInviteEndpoints = API.v1.post(
 	'rooms.invite',
diff --git a/apps/meteor/app/api/server/v1/teams.ts b/apps/meteor/app/api/server/v1/teams.ts
index 9ce577522a2..f1893def4a7 100644
--- a/apps/meteor/app/api/server/v1/teams.ts
+++ b/apps/meteor/app/api/server/v1/teams.ts
@@ -20,6 +20,7 @@ import { eraseRoom } from '../../../../server/lib/eraseRoom';
 import { canAccessRoomAsync } from '../../../authorization/server';
 import { hasPermissionAsync, hasAtLeastOnePermissionAsync } from '../../../authorization/server/functions/hasPermission';
 import { removeUserFromRoom } from '../../../lib/server/functions/removeUserFromRoom';
+import { settings } from '../../../settings/server';
 import { API } from '../api';
 import { getPaginationItems } from '../helpers/getPaginationItems';
 import { eraseTeam } from '../lib/eraseTeam';
@@ -235,6 +236,13 @@ API.v1.addRoute(
 			}
 			const canUpdateAny = !!(await hasPermissionAsync(this.userId, 'view-all-team-channels', team.roomId));
 
+			if (settings.get('ABAC_Enabled') && isDefault) {
+				const room = await Rooms.findOneByIdAndType(roomId, 'p', { projection: { abacAttributes: 1 } });
+				if (room?.abacAttributes?.length) {
+					return API.v1.failure('error-room-is-abac-managed');
+				}
+			}
+
 			const room = await Team.updateRoom(this.userId, roomId, isDefault, canUpdateAny);
 
 			return API.v1.success({ room });
diff --git a/apps/meteor/app/channel-settings/server/methods/saveRoomSettings.ts b/apps/meteor/app/channel-settings/server/methods/saveRoomSettings.ts
index 7cbdca852cd..6ca88c1fdab 100644
--- a/apps/meteor/app/channel-settings/server/methods/saveRoomSettings.ts
+++ b/apps/meteor/app/channel-settings/server/methods/saveRoomSettings.ts
@@ -1,5 +1,5 @@
 import { Team } from '@rocket.chat/core-services';
-import type { IRoom, IRoomWithRetentionPolicy, IUser, MessageTypesValues } from '@rocket.chat/core-typings';
+import type { IRoom, IRoomWithRetentionPolicy, IUser, MessageTypesValues, ITeam } from '@rocket.chat/core-typings';
 import { TEAM_TYPE } from '@rocket.chat/core-typings';
 import type { ServerMethods } from '@rocket.chat/ddp-client';
 import { Rooms, Users } from '@rocket.chat/models';
@@ -11,6 +11,7 @@ import { roomCoordinator } from '../../../../server/lib/rooms/roomCoordinator';
 import { hasPermissionAsync } from '../../../authorization/server/functions/hasPermission';
 import { setRoomAvatar } from '../../../lib/server/functions/setRoomAvatar';
 import { notifyOnRoomChangedById } from '../../../lib/server/lib/notifyListener';
+import { settings } from '../../../settings/server';
 import { saveReactWhenReadOnly } from '../functions/saveReactWhenReadOnly';
 import { saveRoomAnnouncement } from '../functions/saveRoomAnnouncement';
 import { saveRoomCustomFields } from '../functions/saveRoomCustomFields';
@@ -61,14 +62,33 @@ type RoomSettingsValidators = {
 const hasRetentionPolicy = (room: IRoom & { retention?: any }): room is IRoomWithRetentionPolicy =>
 	'retention' in room && room.retention !== undefined;
 
+const isAbacManagedRoom = (room: IRoom): boolean => {
+	return room.t === 'p' && settings.get<boolean>('ABAC_Enabled') && Array.isArray(room?.abacAttributes) && room.abacAttributes.length > 0;
+};
+
+const isAbacManagedTeam = (team: Partial<ITeam> | null, teamRoom: IRoom): boolean => {
+	return (
+		team?.type === TEAM_TYPE.PRIVATE &&
+		settings.get<boolean>('ABAC_Enabled') &&
+		Array.isArray(teamRoom?.abacAttributes) &&
+		teamRoom.abacAttributes.length > 0
+	);
+};
+
 const validators: RoomSettingsValidators = {
-	async default({ userId }) {
+	async default({ userId, room, value }) {
 		if (!(await hasPermissionAsync(userId, 'view-room-administration'))) {
 			throw new Meteor.Error('error-action-not-allowed', 'Viewing room administration is not allowed', {
 				method: 'saveRoomSettings',
 				action: 'Viewing_room_administration',
 			});
 		}
+		if (isAbacManagedRoom(room) && value) {
+			throw new Meteor.Error('error-action-not-allowed', 'Setting an ABAC managed room as default is not allowed', {
+				method: 'saveRoomSettings',
+				action: 'Viewing_room_administration',
+			});
+		}
 	},
 	async featured({ userId }) {
 		if (!(await hasPermissionAsync(userId, 'view-room-administration'))) {
@@ -98,6 +118,13 @@ const validators: RoomSettingsValidators = {
 			});
 		}
 
+		if (isAbacManagedRoom(room) && value !== 'p') {
+			throw new Meteor.Error('error-action-not-allowed', 'Changing an ABAC managed private room to public is not allowed', {
+				method: 'saveRoomSettings',
+				action: 'Change_Room_Type',
+			});
+		}
+
 		if (!room.teamId) {
 			return;
 		}
@@ -116,6 +143,13 @@ const validators: RoomSettingsValidators = {
 				action: 'Change_Room_Type',
 			});
 		}
+
+		if (isAbacManagedTeam(team, room) && value !== 'p') {
+			throw new Meteor.Error('error-action-not-allowed', 'Changing an ABAC managed private team room to public is not allowed', {
+				method: 'saveRoomSettings',
+				action: 'Change_Room_Type',
+			});
+		}
 	},
 	async encrypted({ userId, value, room, rid }) {
 		if (value !== room.encrypted) {
diff --git a/apps/meteor/app/invites/server/functions/findOrCreateInvite.ts b/apps/meteor/app/invites/server/functions/findOrCreateInvite.ts
index 052445a1ebc..fa905cc345c 100644
--- a/apps/meteor/app/invites/server/functions/findOrCreateInvite.ts
+++ b/apps/meteor/app/invites/server/functions/findOrCreateInvite.ts
@@ -63,6 +63,13 @@ export const findOrCreateInvite = async (userId: string, invite: Pick<IInvite, '
 		});
 	}
 
+	if (settings.get('ABAC_Enabled') && room?.abacAttributes?.length) {
+		throw new Meteor.Error('error-invalid-room', 'Room is ABAC managed', {
+			method: 'findOrCreateInvite',
+			field: 'rid',
+		});
+	}
+
 	if (!(await roomCoordinator.getRoomDirectives(room.t).allowMemberAction(room, RoomMemberActions.INVITE, userId))) {
 		throw new Meteor.Error('error-room-type-not-allowed', 'Cannot create invite links for this room type', {
 			method: 'findOrCreateInvite',
diff --git a/apps/meteor/app/invites/server/functions/validateInviteToken.ts b/apps/meteor/app/invites/server/functions/validateInviteToken.ts
index 0d1727454ca..22517643fd8 100644
--- a/apps/meteor/app/invites/server/functions/validateInviteToken.ts
+++ b/apps/meteor/app/invites/server/functions/validateInviteToken.ts
@@ -1,6 +1,8 @@
 import { Invites, Rooms } from '@rocket.chat/models';
 import { Meteor } from 'meteor/meteor';
 
+import { settings } from '../../../settings/server';
+
 export const validateInviteToken = async (token: string) => {
 	if (!token || typeof token !== 'string') {
 		throw new Meteor.Error('error-invalid-token', 'The invite token is invalid.', {
@@ -25,6 +27,13 @@ export const validateInviteToken = async (token: string) => {
 		});
 	}
 
+	if (settings.get('ABAC_Enabled') && room?.abacAttributes?.length) {
+		throw new Meteor.Error('error-invalid-room', 'Room is ABAC managed', {
+			method: 'validateInviteToken',
+			field: 'rid',
+		});
+	}
+
 	if (inviteData.expires && new Date(inviteData.expires).getTime() <= Date.now()) {
 		throw new Meteor.Error('error-invite-expired', 'The invite token has expired.', {
 			method: 'validateInviteToken',
diff --git a/apps/meteor/app/lib/server/functions/addUserToDefaultChannels.ts b/apps/meteor/app/lib/server/functions/addUserToDefaultChannels.ts
index a74964cc05a..89f4e5e3527 100644
--- a/apps/meteor/app/lib/server/functions/addUserToDefaultChannels.ts
+++ b/apps/meteor/app/lib/server/functions/addUserToDefaultChannels.ts
@@ -5,6 +5,7 @@ import { Subscriptions } from '@rocket.chat/models';
 import { getDefaultChannels } from './getDefaultChannels';
 import { callbacks } from '../../../../server/lib/callbacks';
 import { getSubscriptionAutotranslateDefaultConfig } from '../../../../server/lib/getSubscriptionAutotranslateDefaultConfig';
+import { settings } from '../../../settings/server';
 import { getDefaultSubscriptionPref } from '../../../utils/lib/getDefaultSubscriptionPref';
 import { notifyOnSubscriptionChangedById } from '../lib/notifyListener';
 
@@ -13,6 +14,10 @@ export const addUserToDefaultChannels = async function (user: IUser, silenced?:
 	const defaultRooms = await getDefaultChannels();
 
 	for await (const room of defaultRooms) {
+		if (settings.get('ABAC_Enabled') && room?.abacAttributes?.length) {
+			continue;
+		}
+
 		if (!(await Subscriptions.findOneByRoomIdAndUserId(room._id, user._id, { projection: { _id: 1 } }))) {
 			const autoTranslateConfig = getSubscriptionAutotranslateDefaultConfig(user);
 
diff --git a/apps/meteor/app/lib/server/functions/addUserToRoom.ts b/apps/meteor/app/lib/server/functions/addUserToRoom.ts
index 7651b571723..6ebfd848448 100644
--- a/apps/meteor/app/lib/server/functions/addUserToRoom.ts
+++ b/apps/meteor/app/lib/server/functions/addUserToRoom.ts
@@ -10,6 +10,7 @@ import { callbacks } from '../../../../server/lib/callbacks';
 import { beforeAddUserToRoom } from '../../../../server/lib/callbacks/beforeAddUserToRoom';
 import { roomCoordinator } from '../../../../server/lib/rooms/roomCoordinator';
 import { settings } from '../../../settings/server';
+import { beforeAddUserToRoom as beforeAddUserToRoomPatch } from '../lib/beforeAddUserToRoom';
 import { notifyOnRoomChangedById } from '../lib/notifyListener';
 
 /**
@@ -61,7 +62,10 @@ export const addUserToRoom = async (
 	}
 
 	try {
-		await beforeAddUserToRoom.run({ user: userToBeAdded, inviter: (inviter && (await Users.findOneById(inviter._id))) || undefined }, room);
+		const inviterUser = inviter && ((await Users.findOneById(inviter._id)) || undefined);
+		// Not "duplicated": we're moving away from callbacks so this is a patch function. We should migrate the next one to be a patch or use this same patch, instead of calling both
+		await beforeAddUserToRoomPatch([userToBeAdded.username!], room, inviterUser);
+		await beforeAddUserToRoom.run({ user: userToBeAdded, inviter: inviterUser }, room);
 	} catch (error) {
 		throw new Meteor.Error((error as any)?.message);
 	}
diff --git a/apps/meteor/app/lib/server/functions/getFullUserData.ts b/apps/meteor/app/lib/server/functions/getFullUserData.ts
index f66f8ecb49c..9c3eb6a10ef 100644
--- a/apps/meteor/app/lib/server/functions/getFullUserData.ts
+++ b/apps/meteor/app/lib/server/functions/getFullUserData.ts
@@ -22,6 +22,7 @@ const defaultFields = {
 	extension: 1,
 	federated: 1,
 	statusLivechat: 1,
+	abacAttributes: 1,
 } as const;
 
 const fullFields = {
diff --git a/apps/meteor/app/lib/server/functions/removeUserFromRoom.ts b/apps/meteor/app/lib/server/functions/removeUserFromRoom.ts
index 56cdd03a701..0a899a88690 100644
--- a/apps/meteor/app/lib/server/functions/removeUserFromRoom.ts
+++ b/apps/meteor/app/lib/server/functions/removeUserFromRoom.ts
@@ -1,7 +1,7 @@
 import { Apps, AppEvents } from '@rocket.chat/apps';
 import { AppsEngineException } from '@rocket.chat/apps-engine/definition/exceptions';
 import { Message, Team, Room } from '@rocket.chat/core-services';
-import type { IRoom, IUser } from '@rocket.chat/core-typings';
+import type { IRoom, IUser, MessageTypesValues } from '@rocket.chat/core-typings';
 import { Subscriptions, Rooms } from '@rocket.chat/models';
 import { Meteor } from 'meteor/meteor';
 
@@ -15,7 +15,11 @@ import { notifyOnRoomChangedById, notifyOnSubscriptionChanged } from '../lib/not
  * Executes only the necessary database operations, with no callbacks, to prevent
  * propagation loops during external event processing.
  */
-export const performUserRemoval = async function (room: IRoom, user: IUser, options?: { byUser?: IUser }): Promise<void> {
+export const performUserRemoval = async function (
+	room: IRoom,
+	user: IUser,
+	options?: { byUser?: IUser; skipAppPreEvents?: boolean; customSystemMessage?: MessageTypesValues },
+): Promise<void> {
 	const subscription = await Subscriptions.findOneByRoomIdAndUserId(room._id, user._id, {
 		projection: { _id: 1, status: 1 },
 	});
@@ -28,7 +32,9 @@ export const performUserRemoval = async function (room: IRoom, user: IUser, opti
 
 	if (subscription) {
 		const removedUser = user;
-		if (options?.byUser) {
+		if (options?.customSystemMessage) {
+			await Message.saveSystemMessage(options?.customSystemMessage, room._id, user.username || '', user);
+		} else if (options?.byUser) {
 			const extraData = {
 				u: options.byUser,
 			};
@@ -72,20 +78,27 @@ export const performUserRemoval = async function (room: IRoom, user: IUser, opti
  * and triggering all standard callbacks. Used for local actions (UI or API)
  * that should propagate normally to federation and other subscribers.
  */
-export const removeUserFromRoom = async function (rid: string, user: IUser, options?: { byUser: IUser }): Promise<void> {
+export const removeUserFromRoom = async function (
+	rid: string,
+	user: IUser,
+	options?: { byUser?: IUser; skipAppPreEvents?: boolean; customSystemMessage?: MessageTypesValues },
+): Promise<void> {
 	const room = await Rooms.findOneById(rid);
 	if (!room) {
 		return;
 	}
 
-	try {
-		await Apps.self?.triggerEvent(AppEvents.IPreRoomUserLeave, room, user, options?.byUser);
-	} catch (error: any) {
-		if (error.name === AppsEngineException.name) {
-			throw new Meteor.Error('error-app-prevented', error.message);
-		}
+	// Rationale: for an abac room, we don't want apps to be able to prevent a user from leaving
+	if (!options?.skipAppPreEvents) {
+		try {
+			await Apps.self?.triggerEvent(AppEvents.IPreRoomUserLeave, room, user, options?.byUser);
+		} catch (error: any) {
+			if (error.name === AppsEngineException.name) {
+				throw new Meteor.Error('error-app-prevented', error.message);
+			}
 
-		throw error;
+			throw error;
+		}
 	}
 
 	await Room.beforeLeave(room);
diff --git a/apps/meteor/app/lib/server/lib/beforeAddUserToRoom.ts b/apps/meteor/app/lib/server/lib/beforeAddUserToRoom.ts
new file mode 100644
index 00000000000..984dc34a22a
--- /dev/null
+++ b/apps/meteor/app/lib/server/lib/beforeAddUserToRoom.ts
@@ -0,0 +1,6 @@
+import type { IRoom, IUser } from '@rocket.chat/core-typings';
+import { makeFunction } from '@rocket.chat/patch-injection';
+
+export const beforeAddUserToRoom = makeFunction(async (_users: IUser['username'][], _room: IRoom, _actor?: IUser) => {
+	// no op on CE
+});
diff --git a/apps/meteor/app/slashcommands-invite/server/server.ts b/apps/meteor/app/slashcommands-invite/server/server.ts
index f325f6b2e08..583a70a202b 100644
--- a/apps/meteor/app/slashcommands-invite/server/server.ts
+++ b/apps/meteor/app/slashcommands-invite/server/server.ts
@@ -1,4 +1,4 @@
-import { api, FederationMatrix } from '@rocket.chat/core-services';
+import { api, FederationMatrix, isMeteorError } from '@rocket.chat/core-services';
 import type { IUser, SlashCommandCallbackParams } from '@rocket.chat/core-typings';
 import { validateFederatedUsername } from '@rocket.chat/federation-matrix';
 import { Subscriptions, Users, Rooms } from '@rocket.chat/models';
@@ -10,6 +10,11 @@ import { addUsersToRoomMethod, sanitizeUsername } from '../../lib/server/methods
 import { settings } from '../../settings/server';
 import { slashCommands } from '../../utils/server/slashCommand';
 
+// Type guards for the error
+function isStringError(error: unknown): error is { error: string } {
+	return typeof (error as any)?.error === 'string';
+}
+
 /*
  * Invite is a named function that will replace /invite commands
  * @param {Object} message - The message object
@@ -105,23 +110,34 @@ slashCommands.add({
 						},
 						inviter,
 					);
-				} catch ({ error }: any) {
-					if (typeof error !== 'string') {
-						return;
+				} catch (e: unknown) {
+					if (isMeteorError(e)) {
+						if (e.error === 'error-only-compliant-users-can-be-added-to-abac-rooms') {
+							void api.broadcast('notify.ephemeralMessage', userId, message.rid, {
+								msg: i18n.t(e.error, { lng: settings.get('Language') || 'en' }),
+							});
+						} else {
+							void api.broadcast('notify.ephemeralMessage', userId, message.rid, {
+								msg: i18n.t(e.message, { lng: settings.get('Language') || 'en' }),
+							});
+						}
 					}
 
-					if (error === 'error-federated-users-in-non-federated-rooms') {
-						void api.broadcast('notify.ephemeralMessage', userId, message.rid, {
-							msg: i18n.t('You_cannot_add_external_users_to_non_federated_room', { lng: settings.get('Language') || 'en' }),
-						});
-					} else if (error === 'cant-invite-for-direct-room') {
-						void api.broadcast('notify.ephemeralMessage', userId, message.rid, {
-							msg: i18n.t('Cannot_invite_users_to_direct_rooms', { lng: settings.get('Language') || 'en' }),
-						});
-					} else {
-						void api.broadcast('notify.ephemeralMessage', userId, message.rid, {
-							msg: i18n.t(error, { lng: settings.get('Language') || 'en' }),
-						});
+					if (isStringError(e)) {
+						const { error } = e;
+						if (error === 'error-federated-users-in-non-federated-rooms') {
+							void api.broadcast('notify.ephemeralMessage', userId, message.rid, {
+								msg: i18n.t('You_cannot_add_external_users_to_non_federated_room', { lng: settings.get('Language') || 'en' }),
+							});
+						} else if (error === 'cant-invite-for-direct-room') {
+							void api.broadcast('notify.ephemeralMessage', userId, message.rid, {
+								msg: i18n.t('Cannot_invite_users_to_direct_rooms', { lng: settings.get('Language') || 'en' }),
+							});
+						} else {
+							void api.broadcast('notify.ephemeralMessage', userId, message.rid, {
+								msg: i18n.t(error, { lng: settings.get('Language') || 'en' }),
+							});
+						}
 					}
 				}
 			}),
diff --git a/apps/meteor/app/statistics/server/lib/statistics.ts b/apps/meteor/app/statistics/server/lib/statistics.ts
index 0fadf701d46..73292480d74 100644
--- a/apps/meteor/app/statistics/server/lib/statistics.ts
+++ b/apps/meteor/app/statistics/server/lib/statistics.ts
@@ -4,6 +4,7 @@ import os from 'os';
 import { Analytics, Team, VideoConf, Presence } from '@rocket.chat/core-services';
 import type { IRoom, IStats, ISetting } from '@rocket.chat/core-typings';
 import { UserStatus } from '@rocket.chat/core-typings';
+import { License } from '@rocket.chat/license';
 import {
 	NotificationQueue,
 	Rooms,
@@ -25,6 +26,7 @@ import {
 	Subscriptions,
 	Users,
 	LivechatRooms,
+	AbacAttributes,
 } from '@rocket.chat/models';
 import { MongoInternals } from 'meteor/mongo';
 import moment from 'moment';
@@ -609,6 +611,26 @@ export const statistics = {
 		statistics.webRTCEnabledForOmnichannel = settings.get('Omnichannel_call_provider') === 'WebRTC';
 		statistics.omnichannelWebRTCCalls = await Rooms.findCountOfRoomsWithActiveCalls();
 
+		// ABAC stats
+		if (License.hasModule('abac')) {
+			statistics.abacEnabled = settings.get('ABAC_Enabled');
+			statsPms.push(
+				AbacAttributes.estimatedDocumentCount().then((result) => {
+					statistics.abacTotalAttributes = result;
+				}),
+			);
+			statsPms.push(
+				AbacAttributes.countTotalValues().then((result) => {
+					statistics.abacTotalAttributeValues = result;
+				}),
+			);
+			statsPms.push(
+				Rooms.countAbacEnabled().then((result) => {
+					statistics.abacRoomsEnrolled = result;
+				}),
+			);
+		}
+
 		await Promise.all(statsPms).catch(log);
 
 		return statistics;
diff --git a/apps/meteor/app/utils/server/functions/getBaseUserFields.ts b/apps/meteor/app/utils/server/functions/getBaseUserFields.ts
index a366f95a2fe..12a97d53923 100644
--- a/apps/meteor/app/utils/server/functions/getBaseUserFields.ts
+++ b/apps/meteor/app/utils/server/functions/getBaseUserFields.ts
@@ -31,5 +31,6 @@ export const getBaseUserFields = (allowServiceKeys = false): UserFields => ({
 	'avatarETag': 1,
 	'extension': 1,
 	'openBusinessHours': 1,
+	'abacAttributes': 1,
 	...(allowServiceKeys && { 'services.totp.enabled': 1, 'services.email2fa.enabled': 1 }),
 });
diff --git a/apps/meteor/client/components/ABAC/ABACUpsellModal/ABACUpsellModal.spec.tsx b/apps/meteor/client/components/ABAC/ABACUpsellModal/ABACUpsellModal.spec.tsx
index c2fd14fb4fe..584b64aece7 100644
--- a/apps/meteor/client/components/ABAC/ABACUpsellModal/ABACUpsellModal.spec.tsx
+++ b/apps/meteor/client/components/ABAC/ABACUpsellModal/ABACUpsellModal.spec.tsx
@@ -4,11 +4,7 @@ import userEvent from '@testing-library/user-event';
 import { axe } from 'jest-axe';
 
 import ABACUpsellModal from './ABACUpsellModal';
-
-// Mock the hooks used by ABACUpsellModal
-jest.mock('../../../hooks/useHasLicenseModule', () => ({
-	useHasLicenseModule: jest.fn(() => false),
-}));
+import { createFakeLicenseInfo } from '../../../../tests/mocks/data';
 
 jest.mock('../../GenericUpsellModal/hooks', () => ({
 	useUpsellActions: jest.fn(() => ({
@@ -34,6 +30,9 @@ const appRoot = mockAppRoot()
 		Upgrade: 'Upgrade',
 		Cancel: 'Cancel',
 	})
+	.withEndpoint('GET', '/v1/licenses.info', async () => ({
+		license: createFakeLicenseInfo(),
+	}))
 	.build();
 
 describe('ABACUpsellModal', () => {
diff --git a/apps/meteor/client/components/UserInfo/UserInfo.stories.tsx b/apps/meteor/client/components/UserInfo/UserInfo.stories.tsx
index 815b11a0008..81e32c7f6cd 100644
--- a/apps/meteor/client/components/UserInfo/UserInfo.stories.tsx
+++ b/apps/meteor/client/components/UserInfo/UserInfo.stories.tsx
@@ -42,6 +42,14 @@ WithVoiceCallExtension.args = {
 
 export const WithABACAttributes = Template.bind({});
 WithABACAttributes.args = {
-	// @ts-expect-error - abacAttributes is not yet implemented in Users properties
-	abacAttributes: ['Classified', 'Top Secret', 'Confidential'],
+	abacAttributes: [
+		{
+			key: 'Classified',
+			values: ['Top Secret', 'Confidential'],
+		},
+		{
+			key: 'Security_Clearance',
+			values: ['Top Secret', 'Confidential'],
+		},
+	],
 };
diff --git a/apps/meteor/client/components/UserInfo/UserInfo.tsx b/apps/meteor/client/components/UserInfo/UserInfo.tsx
index 124fffc2344..28a82c3835d 100644
--- a/apps/meteor/client/components/UserInfo/UserInfo.tsx
+++ b/apps/meteor/client/components/UserInfo/UserInfo.tsx
@@ -41,6 +41,7 @@ type UserInfoDataProps = Serialized<
 		| 'canViewAllInfo'
 		| 'customFields'
 		| 'freeSwitchExtension'
+		| 'abacAttributes'
 	>
 >;
 
@@ -73,8 +74,7 @@ const UserInfo = ({
 	actions,
 	reason,
 	freeSwitchExtension,
-	// @ts-expect-error - abacAttributes is not yet implemented in Users properties
-	abacAttributes = null,
+	abacAttributes,
 	...props
 }: UserInfoProps): ReactElement => {
 	const { t } = useTranslation();
@@ -189,7 +189,7 @@ const UserInfo = ({
 						</InfoPanelField>
 					)}
 
-					{abacAttributes?.length > 0 && (
+					{abacAttributes && abacAttributes.length > 0 && (
 						<InfoPanelField>
 							<InfoPanelLabel title={t('ABAC_Attributes_description')}>{t('ABAC_Attributes')}</InfoPanelLabel>
 							<UserInfoABACAttributes abacAttributes={abacAttributes} />
diff --git a/apps/meteor/client/components/UserInfo/UserInfoABACAttributes.tsx b/apps/meteor/client/components/UserInfo/UserInfoABACAttributes.tsx
index b9cf2870d3d..952e7a9afc6 100644
--- a/apps/meteor/client/components/UserInfo/UserInfoABACAttributes.tsx
+++ b/apps/meteor/client/components/UserInfo/UserInfoABACAttributes.tsx
@@ -1,20 +1,23 @@
+import type { IAbacAttributeDefinition } from '@rocket.chat/core-typings';
 import { Box, Margins } from '@rocket.chat/fuselage';
 
 import UserInfoABACAttribute from './UserInfoABACAttribute';
 
 type UserInfoABACAttributesProps = {
-	abacAttributes: string[];
+	abacAttributes: IAbacAttributeDefinition[];
 };
 
 const UserInfoABACAttributes = ({ abacAttributes }: UserInfoABACAttributesProps) => {
 	return (
 		<Box m='neg-x2'>
 			<Box flexWrap='wrap' display='flex' flexShrink={0} mb={8}>
-				{abacAttributes.map((attribute, index) => (
-					<Margins inline={2} blockEnd={4} key={`${attribute}-${index}`}>
-						<UserInfoABACAttribute attribute={attribute} />
-					</Margins>
-				))}
+				{abacAttributes.map((attribute, index) =>
+					attribute.values.map((value) => (
+						<Margins inline={2} blockEnd={4} key={`${attribute.key}-${value}-${index}`}>
+							<UserInfoABACAttribute attribute={value} />
+						</Margins>
+					)),
+				)}
 			</Box>
 		</Box>
 	);
diff --git a/apps/meteor/client/components/UserInfo/__snapshots__/UserInfo.spec.tsx.snap b/apps/meteor/client/components/UserInfo/__snapshots__/UserInfo.spec.tsx.snap
index d7c3831028a..3625392b362 100644
--- a/apps/meteor/client/components/UserInfo/__snapshots__/UserInfo.spec.tsx.snap
+++ b/apps/meteor/client/components/UserInfo/__snapshots__/UserInfo.spec.tsx.snap
@@ -510,7 +510,16 @@ exports[`renders WithABACAttributes without crashing 1`] = `
                           <span
                             class="rcx-tag__inner"
                           >
-                            Classified
+                            Top Secret
+                          </span>
+                        </span>
+                        <span
+                          class="rcx-box rcx-box--full rcx-tag rcx-tag--secondary-warning rcx-css-1drnhgd"
+                        >
+                          <span
+                            class="rcx-tag__inner"
+                          >
+                            Confidential
                           </span>
                         </span>
                         <span
diff --git a/apps/meteor/client/components/message/toolbar/items/actions/ForwardMessageAction.tsx b/apps/meteor/client/components/message/toolbar/items/actions/ForwardMessageAction.tsx
index 161edabde7d..64e11d57827 100644
--- a/apps/meteor/client/components/message/toolbar/items/actions/ForwardMessageAction.tsx
+++ b/apps/meteor/client/components/message/toolbar/items/actions/ForwardMessageAction.tsx
@@ -18,7 +18,6 @@ const ForwardMessageAction = ({ message, room }: ForwardMessageActionProps) => {
 	const { t } = useTranslation();
 
 	const encrypted = isE2EEMessage(message);
-	// @ts-expect-error to be implemented
 	const isABACEnabled = !!room.abacAttributes;
 
 	const getTitle = useMemo(() => {
diff --git a/apps/meteor/client/components/message/toolbar/usePermalinkAction.ts b/apps/meteor/client/components/message/toolbar/usePermalinkAction.ts
index f9b59abca1d..593fdb728bc 100644
--- a/apps/meteor/client/components/message/toolbar/usePermalinkAction.ts
+++ b/apps/meteor/client/components/message/toolbar/usePermalinkAction.ts
@@ -16,7 +16,6 @@ export const usePermalinkAction = (
 
 	const dispatchToastMessage = useToastMessageDispatch();
 
-	// @ts-expect-error - to be implemented
 	const isABACEnabled = !!room.abacAttributes;
 	const encrypted = isE2EEMessage(message);
 	const tooltip = useMemo(() => {
diff --git a/apps/meteor/client/components/message/toolbar/useReplyInDMAction.ts b/apps/meteor/client/components/message/toolbar/useReplyInDMAction.ts
index 6bebb1d8c17..588ab0a6076 100644
--- a/apps/meteor/client/components/message/toolbar/useReplyInDMAction.ts
+++ b/apps/meteor/client/components/message/toolbar/useReplyInDMAction.ts
@@ -16,7 +16,6 @@ export const useReplyInDMAction = (
 	const user = useUser();
 	const router = useRouter();
 	const encrypted = isE2EEMessage(message);
-	// @ts-expect-error - abacAttributes is not yet implemented in IRoom type
 	const isABACEnabled = !!room.abacAttributes;
 	const canCreateDM = usePermission('create-d');
 	const isLayoutEmbedded = useEmbeddedLayout();
diff --git a/apps/meteor/client/lib/links.ts b/apps/meteor/client/lib/links.ts
index 4c97d4696ff..2a1d06ad9da 100644
--- a/apps/meteor/client/lib/links.ts
+++ b/apps/meteor/client/lib/links.ts
@@ -31,6 +31,8 @@ export const links = {
 		trial: `${GO_ROCKET_CHAT_PREFIX}/i/docs-trial`,
 		versionSupport: `${GO_ROCKET_CHAT_PREFIX}/i/version-support`,
 		updateProduct: `${GO_ROCKET_CHAT_PREFIX}/i/update-product`,
+		abacDocs: `${GO_ROCKET_CHAT_PREFIX}/i/abac`,
+		abacLDAPDocs: `${GO_ROCKET_CHAT_PREFIX}/i/abac-ldap`,
 	},
 	/** @deprecated use `go.rocket.chat` links */
 	desktopAppDownload: 'https://rocket.chat/download',
diff --git a/apps/meteor/client/lib/queryKeys.ts b/apps/meteor/client/lib/queryKeys.ts
index e6046a6dd07..d0414b91cd3 100644
--- a/apps/meteor/client/lib/queryKeys.ts
+++ b/apps/meteor/client/lib/queryKeys.ts
@@ -138,3 +138,22 @@ export const appsQueryKeys = {
 	all: ['apps'] as const,
 	slashCommands: () => [...appsQueryKeys.all, 'slashCommands'] as const,
 };
+
+export const ABACQueryKeys = {
+	all: ['abac'] as const,
+	logs: {
+		all: () => [...ABACQueryKeys.all, 'logs'] as const,
+		list: (query?: PaginatedRequest) => [...ABACQueryKeys.logs.all(), 'list', query] as const,
+	},
+	roomAttributes: {
+		all: () => [...ABACQueryKeys.all, 'room-attributes'] as const,
+		list: (query?: PaginatedRequest) => [...ABACQueryKeys.roomAttributes.all(), query] as const,
+		attribute: (attributeId: string) => [...ABACQueryKeys.roomAttributes.all(), attributeId] as const,
+	},
+	rooms: {
+		all: () => [...ABACQueryKeys.all, 'rooms'] as const,
+		list: (query?: PaginatedRequest) => [...ABACQueryKeys.rooms.all(), query] as const,
+		autocomplete: (query?: PaginatedRequest) => [...ABACQueryKeys.rooms.all(), 'autocomplete', query] as const,
+		room: (roomId: string) => [...ABACQueryKeys.rooms.all(), roomId] as const,
+	},
+};
diff --git a/apps/meteor/client/lib/rooms/roomTypes/private.ts b/apps/meteor/client/lib/rooms/roomTypes/private.ts
index 2948c48abfb..31b8fa7ca7f 100644
--- a/apps/meteor/client/lib/rooms/roomTypes/private.ts
+++ b/apps/meteor/client/lib/rooms/roomTypes/private.ts
@@ -82,7 +82,6 @@ roomCoordinator.add(
 		},
 
 		getIcon(room) {
-			// @ts-expect-error TODO: Implement ABAC attributes in rooms
 			if (room.abacAttributes) {
 				if (room.teamMain) {
 					return 'team-shield';
diff --git a/apps/meteor/client/lib/utils/mapSubscriptionFromApi.ts b/apps/meteor/client/lib/utils/mapSubscriptionFromApi.ts
index d0f75a389ab..358efaef0e9 100644
--- a/apps/meteor/client/lib/utils/mapSubscriptionFromApi.ts
+++ b/apps/meteor/client/lib/utils/mapSubscriptionFromApi.ts
@@ -7,6 +7,7 @@ export const mapSubscriptionFromApi = ({
 	_updatedAt,
 	oldRoomKeys,
 	suggestedOldRoomKeys,
+	abacLastTimeChecked,
 	...subscription
 }: Serialized<ISubscription>): ISubscription => ({
 	...subscription,
@@ -14,6 +15,7 @@ export const mapSubscriptionFromApi = ({
 	ls: new Date(ls),
 	lr: new Date(lr),
 	_updatedAt: new Date(_updatedAt),
+	...(abacLastTimeChecked && { abacLastTimeChecked: new Date(abacLastTimeChecked) }),
 	...(oldRoomKeys && { oldRoomKeys: oldRoomKeys.map(({ ts, ...key }) => ({ ...key, ts: new Date(ts) })) }),
 	...(suggestedOldRoomKeys && { suggestedOldRoomKeys: suggestedOldRoomKeys.map(({ ts, ...key }) => ({ ...key, ts: new Date(ts) })) }),
 });
diff --git a/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributeMenu.tsx b/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributeMenu.tsx
new file mode 100644
index 00000000000..84376fa8608
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributeMenu.tsx
@@ -0,0 +1,28 @@
+import { GenericMenu } from '@rocket.chat/ui-client';
+import { useTranslation } from 'react-i18next';
+
+import { useAttributeOptions } from '../hooks/useAttributeOptions';
+
+type AttributeMenuProps = {
+	attribute: { _id: string; key: string };
+};
+
+const AttributeMenu = ({ attribute }: AttributeMenuProps) => {
+	const { t } = useTranslation();
+
+	const items = useAttributeOptions(attribute);
+
+	return (
+		<GenericMenu
+			title={t('Options')}
+			icon='kebab'
+			sections={[
+				{
+					items,
+				},
+			]}
+		/>
+	);
+};
+
+export default AttributeMenu;
diff --git a/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesContextualBar.tsx b/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesContextualBar.tsx
new file mode 100644
index 00000000000..a41e7b6b87c
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesContextualBar.tsx
@@ -0,0 +1,99 @@
+import { ContextualbarTitle } from '@rocket.chat/fuselage';
+import { ContextualbarClose, ContextualbarHeader } from '@rocket.chat/ui-client';
+import { useEndpoint, useRouteParameter, useToastMessageDispatch } from '@rocket.chat/ui-contexts';
+import { useMutation, useQueryClient } from '@tanstack/react-query';
+import { FormProvider, useForm } from 'react-hook-form';
+import { useTranslation } from 'react-i18next';
+
+import type { AttributesFormFormData } from './AttributesForm';
+import AttributesForm from './AttributesForm';
+import { ABACQueryKeys } from '../../../../lib/queryKeys';
+
+type AttributesContextualBarProps = {
+	attributeId?: string;
+	attributeData?: {
+		key: string;
+		values: string[];
+	};
+	onClose: () => void;
+};
+
+const AttributesContextualBar = ({ attributeData, onClose }: AttributesContextualBarProps) => {
+	const { t } = useTranslation();
+	const queryClient = useQueryClient();
+
+	const methods = useForm<{
+		name: string;
+		attributeValues: { value: string }[];
+		lockedAttributes: { value: string }[];
+	}>({
+		defaultValues: attributeData
+			? {
+					name: attributeData.key,
+					attributeValues: [{ value: '' }],
+					lockedAttributes: attributeData.values.map((value) => ({ value })),
+				}
+			: {
+					name: '',
+					attributeValues: [{ value: '' }],
+					lockedAttributes: [],
+				},
+		mode: 'onChange',
+	});
+
+	const { getValues } = methods;
+
+	const attributeId = useRouteParameter('id');
+	const createAttribute = useEndpoint('POST', '/v1/abac/attributes');
+	const updateAttribute = useEndpoint('PUT', '/v1/abac/attributes/:_id', {
+		_id: attributeId ?? '',
+	});
+
+	const dispatchToastMessage = useToastMessageDispatch();
+
+	const saveMutation = useMutation({
+		mutationFn: async (data: AttributesFormFormData) => {
+			const payload = {
+				key: data.name,
+				values: [...data.lockedAttributes.map((attribute) => attribute.value), ...data.attributeValues.map((attribute) => attribute.value)],
+			};
+			if (attributeId) {
+				await updateAttribute(payload);
+			} else {
+				await createAttribute(payload);
+			}
+		},
+		onSuccess: () => {
+			if (attributeId) {
+				dispatchToastMessage({ type: 'success', message: t('ABAC_Attribute_updated', { attributeName: getValues('name') }) });
+			} else {
+				dispatchToastMessage({ type: 'success', message: t('ABAC_Attribute_created', { attributeName: getValues('name') }) });
+			}
+			onClose();
+		},
+		onError: (error) => {
+			dispatchToastMessage({ type: 'error', message: error });
+		},
+		onSettled: () => {
+			queryClient.invalidateQueries({ queryKey: ABACQueryKeys.roomAttributes.list() });
+		},
+	});
+
+	return (
+		<>
+			<ContextualbarHeader>
+				<ContextualbarTitle>{t(attributeId ? 'ABAC_Edit_attribute' : 'ABAC_New_attribute')}</ContextualbarTitle>
+				<ContextualbarClose onClick={onClose} />
+			</ContextualbarHeader>
+			<FormProvider {...methods}>
+				<AttributesForm
+					onSave={(values) => saveMutation.mutateAsync(values)}
+					onCancel={onClose}
+					description={t(attributeId ? 'ABAC_Edit_attribute_description' : 'ABAC_New_attribute_description')}
+				/>
+			</FormProvider>
+		</>
+	);
+};
+
+export default AttributesContextualBar;
diff --git a/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesContextualBarWithData.tsx b/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesContextualBarWithData.tsx
new file mode 100644
index 00000000000..1efb5599bb8
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesContextualBarWithData.tsx
@@ -0,0 +1,28 @@
+import { ContextualbarSkeletonBody } from '@rocket.chat/ui-client';
+import { useEndpoint } from '@rocket.chat/ui-contexts';
+import { useQuery } from '@tanstack/react-query';
+
+import AttributesContextualBar from './AttributesContextualBar';
+import { ABACQueryKeys } from '../../../../lib/queryKeys';
+
+type AttributesContextualBarWithDataProps = {
+	id: string;
+	onClose: () => void;
+};
+
+const AttributesContextualBarWithData = ({ id, onClose }: AttributesContextualBarWithDataProps) => {
+	const getAttributes = useEndpoint('GET', '/v1/abac/attributes/:_id', { _id: id });
+	const { data, isLoading, isFetching } = useQuery({
+		queryKey: ABACQueryKeys.roomAttributes.attribute(id),
+		queryFn: () => getAttributes(),
+		staleTime: 0,
+	});
+
+	if (isLoading || isFetching) {
+		return <ContextualbarSkeletonBody />;
+	}
+
+	return <AttributesContextualBar attributeData={data} onClose={onClose} />;
+};
+
+export default AttributesContextualBarWithData;
diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACRoomAttributesForm.spec.tsx b/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesForm.spec.tsx
similarity index 84%
rename from apps/meteor/client/views/admin/ABAC/AdminABACRoomAttributesForm.spec.tsx
rename to apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesForm.spec.tsx
index 7ffa9ca665d..5cad3a2b227 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACRoomAttributesForm.spec.tsx
+++ b/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesForm.spec.tsx
@@ -7,8 +7,8 @@ import { axe } from 'jest-axe';
 import type { ReactNode } from 'react';
 import { FormProvider, useForm } from 'react-hook-form';
 
-import AdminABACRoomAttributesForm, { type AdminABACRoomAttributesFormFormData } from './AdminABACRoomAttributesForm';
-import * as stories from './AdminABACRoomAttributesForm.stories';
+import AttributesForm, { type AttributesFormFormData } from './AttributesForm';
+import * as stories from './AttributesForm.stories';
 
 const testCases = Object.values(composeStories(stories)).map((Story) => [Story.storyName || 'Story', Story]);
 
@@ -23,14 +23,8 @@ const appRoot = mockAppRoot()
 	})
 	.build();
 
-const FormProviderWrapper = ({
-	children,
-	defaultValues,
-}: {
-	children: ReactNode;
-	defaultValues?: Partial<AdminABACRoomAttributesFormFormData>;
-}) => {
-	const methods = useForm<AdminABACRoomAttributesFormFormData>({
+const FormProviderWrapper = ({ children, defaultValues }: { children: ReactNode; defaultValues?: Partial<AttributesFormFormData> }) => {
+	const methods = useForm<AttributesFormFormData>({
 		defaultValues: {
 			name: '',
 			attributeValues: [{ value: '' }],
@@ -43,7 +37,7 @@ const FormProviderWrapper = ({
 	return <FormProvider {...methods}>{children}</FormProvider>;
 };
 
-describe('AdminABACRoomAttributesForm', () => {
+describe('AttributesForm', () => {
 	const defaultProps = {
 		onSave: jest.fn(),
 		onCancel: jest.fn(),
@@ -70,11 +64,16 @@ describe('AdminABACRoomAttributesForm', () => {
 	it('should show validation errors for required fields', async () => {
 		render(
 			<FormProviderWrapper>
-				<AdminABACRoomAttributesForm {...defaultProps} />
+				<AttributesForm {...defaultProps} />
 			</FormProviderWrapper>,
 			{ wrapper: appRoot },
 		);
 
+		// Making the form "touched"
+		const nameInput = screen.getByLabelText('Name*');
+		await userEvent.type(nameInput, 'Test Attribute');
+		await userEvent.clear(nameInput);
+
 		const saveButton = screen.getByRole('button', { name: 'Save' });
 		await userEvent.click(saveButton);
 
@@ -86,7 +85,7 @@ describe('AdminABACRoomAttributesForm', () => {
 	it('should show validation error for empty attribute values', async () => {
 		render(
 			<FormProviderWrapper>
-				<AdminABACRoomAttributesForm {...defaultProps} />
+				<AttributesForm {...defaultProps} />
 			</FormProviderWrapper>,
 			{ wrapper: appRoot },
 		);
@@ -110,7 +109,7 @@ describe('AdminABACRoomAttributesForm', () => {
 
 		render(
 			<FormProviderWrapper defaultValues={defaultValues}>
-				<AdminABACRoomAttributesForm {...defaultProps} />
+				<AttributesForm {...defaultProps} />
 			</FormProviderWrapper>,
 			{ wrapper: appRoot },
 		);
@@ -130,12 +129,12 @@ describe('AdminABACRoomAttributesForm', () => {
 
 		render(
 			<FormProviderWrapper defaultValues={defaultValues}>
-				<AdminABACRoomAttributesForm {...defaultProps} />
+				<AttributesForm {...defaultProps} />
 			</FormProviderWrapper>,
 			{ wrapper: appRoot },
 		);
 
-		const trashButtons = screen.getAllByRole('button', { name: 'Remove' });
+		const trashButtons = screen.getAllByRole('button', { name: 'ABAC_Remove_attribute' });
 		expect(screen.getByDisplayValue('Value 1')).toBeInTheDocument();
 		expect(screen.getByDisplayValue('Value 2')).toBeInTheDocument();
 
@@ -153,12 +152,12 @@ describe('AdminABACRoomAttributesForm', () => {
 
 		render(
 			<FormProviderWrapper defaultValues={defaultValues}>
-				<AdminABACRoomAttributesForm {...defaultProps} />
+				<AttributesForm {...defaultProps} />
 			</FormProviderWrapper>,
 			{ wrapper: appRoot },
 		);
 
-		const trashButtons = screen.queryAllByRole('button', { name: 'Remove' });
+		const trashButtons = screen.queryAllByRole('button', { name: 'ABAC_Remove_attribute' });
 
 		expect(screen.getByDisplayValue('Locked Value 1')).toBeInTheDocument();
 		expect(screen.getByDisplayValue('Locked Value 2')).toBeInTheDocument();
@@ -172,7 +171,7 @@ describe('AdminABACRoomAttributesForm', () => {
 	it('should disable Add Value button when there are empty values', async () => {
 		render(
 			<FormProviderWrapper>
-				<AdminABACRoomAttributesForm {...defaultProps} />
+				<AttributesForm {...defaultProps} />
 			</FormProviderWrapper>,
 			{ wrapper: appRoot },
 		);
@@ -189,7 +188,7 @@ describe('AdminABACRoomAttributesForm', () => {
 
 		render(
 			<FormProviderWrapper defaultValues={defaultValues}>
-				<AdminABACRoomAttributesForm {...defaultProps} />
+				<AttributesForm {...defaultProps} />
 			</FormProviderWrapper>,
 			{ wrapper: appRoot },
 		);
@@ -206,12 +205,12 @@ describe('AdminABACRoomAttributesForm', () => {
 
 		render(
 			<FormProviderWrapper defaultValues={defaultValues}>
-				<AdminABACRoomAttributesForm {...defaultProps} />
+				<AttributesForm {...defaultProps} />
 			</FormProviderWrapper>,
 			{ wrapper: appRoot },
 		);
 
-		const trashButtons = screen.queryAllByRole('button', { name: 'Remove' });
+		const trashButtons = screen.queryAllByRole('button', { name: 'ABAC_Remove_attribute' });
 		await userEvent.click(trashButtons[0]);
 
 		const saveButton = screen.getByRole('button', { name: 'Save' });
@@ -225,7 +224,7 @@ describe('AdminABACRoomAttributesForm', () => {
 	it('should call onCancel when Cancel button is clicked', async () => {
 		render(
 			<FormProviderWrapper>
-				<AdminABACRoomAttributesForm {...defaultProps} />
+				<AttributesForm {...defaultProps} />
 			</FormProviderWrapper>,
 			{ wrapper: appRoot },
 		);
@@ -245,7 +244,7 @@ describe('AdminABACRoomAttributesForm', () => {
 
 		render(
 			<FormProviderWrapper defaultValues={defaultValues}>
-				<AdminABACRoomAttributesForm {...defaultProps} />
+				<AttributesForm {...defaultProps} />
 			</FormProviderWrapper>,
 			{ wrapper: appRoot },
 		);
@@ -253,7 +252,7 @@ describe('AdminABACRoomAttributesForm', () => {
 		expect(screen.getByDisplayValue('Locked Value')).toBeDisabled();
 		expect(screen.getByDisplayValue('Regular Value')).not.toBeDisabled();
 
-		const trashButtons = screen.getAllByRole('button', { name: 'Remove' });
+		const trashButtons = screen.getAllByRole('button', { name: 'ABAC_Remove_attribute' });
 		expect(trashButtons).toHaveLength(1);
 	});
 });
diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACRoomAttributesForm.stories.tsx b/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesForm.stories.tsx
similarity index 68%
rename from apps/meteor/client/views/admin/ABAC/AdminABACRoomAttributesForm.stories.tsx
rename to apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesForm.stories.tsx
index 283996289c5..2b34b06af71 100644
--- a/apps/meteor/client/views/admin/ABAC/AdminABACRoomAttributesForm.stories.tsx
+++ b/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesForm.stories.tsx
@@ -3,26 +3,37 @@ import { mockAppRoot } from '@rocket.chat/mock-providers';
 import type { Meta, StoryFn } from '@storybook/react';
 import { FormProvider, useForm } from 'react-hook-form';
 
-import AdminABACRoomAttributesForm, { type AdminABACRoomAttributesFormFormData } from './AdminABACRoomAttributesForm';
+import AttributesForm, { type AttributesFormFormData } from './AttributesForm';
 
 export default {
-	component: AdminABACRoomAttributesForm,
+	component: AttributesForm,
 	parameters: {
 		layout: 'padded',
 	},
 	args: {
 		description: 'Create an attribute that can later be assigned to rooms.',
 	},
-	decorators: [mockAppRoot().buildStoryDecorator()],
-} satisfies Meta<typeof AdminABACRoomAttributesForm>;
+	decorators: [
+		mockAppRoot()
+			.withTranslations('en', 'core', {
+				Name: 'Name',
+				Values: 'Values',
+				Add_Value: 'Add Value',
+				Cancel: 'Cancel',
+				Save: 'Save',
+				Required_field: '{{field}} is required',
+			})
+			.buildStoryDecorator(),
+	],
+} satisfies Meta<typeof AttributesForm>;
 
-const Template: StoryFn<typeof AdminABACRoomAttributesForm> = (args) => <AdminABACRoomAttributesForm {...args} />;
+const Template: StoryFn<typeof AttributesForm> = (args) => <AttributesForm {...args} />;
 
 export const NewAttribute = Template.bind({});
 
 NewAttribute.decorators = [
 	(fn) => {
-		const methods = useForm<AdminABACRoomAttributesFormFormData>({
+		const methods = useForm<AttributesFormFormData>({
 			defaultValues: {
 				name: '',
 				attributeValues: [{ value: '' }],
@@ -49,7 +60,7 @@ WithLockedAttributes.args = {
 
 WithLockedAttributes.decorators = [
 	(fn) => {
-		const methods = useForm<AdminABACRoomAttributesFormFormData>({
+		const methods = useForm<AttributesFormFormData>({
 			defaultValues: {
 				name: 'Room Type',
 				lockedAttributes: [{ value: 'Locked Value 1' }, { value: 'Locked Value 2' }, { value: 'Locked Value 3' }],
diff --git a/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesForm.tsx b/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesForm.tsx
new file mode 100644
index 00000000000..7e2cb90fba8
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesForm.tsx
@@ -0,0 +1,163 @@
+import {
+	Box,
+	Button,
+	ButtonGroup,
+	ContextualbarFooter,
+	Field,
+	FieldError,
+	FieldLabel,
+	FieldRow,
+	IconButton,
+	TextInput,
+} from '@rocket.chat/fuselage';
+import { ContextualbarScrollableContent } from '@rocket.chat/ui-client';
+import { useCallback, useId, useMemo, Fragment } from 'react';
+import { useFieldArray, useFormContext } from 'react-hook-form';
+import { useTranslation } from 'react-i18next';
+
+export type AttributesFormFormData = {
+	name: string;
+	attributeValues: { value: string }[];
+	lockedAttributes: { value: string }[];
+};
+
+type AttributesFormProps = {
+	onSave: (data: AttributesFormFormData) => void;
+	onCancel: () => void;
+	description: string;
+};
+
+const AttributesForm = ({ onSave, onCancel, description }: AttributesFormProps) => {
+	const {
+		handleSubmit,
+		register,
+		formState: { errors, isDirty },
+		watch,
+	} = useFormContext<AttributesFormFormData>();
+
+	const { t } = useTranslation();
+
+	const attributeValues = watch('attributeValues');
+	const lockedAttributes = watch('lockedAttributes');
+
+	const { fields: lockedAttributesFields, remove: removeLockedAttribute } = useFieldArray({
+		name: 'lockedAttributes',
+	});
+
+	const validateRepeatedValues = useCallback(
+		(value: string) => {
+			// Only one instance of the same attribute value is allowed to be in the form at a time
+			const repeatedAttributes = [...lockedAttributes, ...attributeValues].filter((attribute) => attribute.value === value).length > 1;
+			return repeatedAttributes ? t('ABAC_No_repeated_values') : undefined;
+		},
+		[lockedAttributes, attributeValues, t],
+	);
+
+	const { fields, append, remove } = useFieldArray({
+		name: 'attributeValues',
+		rules: {
+			minLength: 1,
+		},
+	});
+
+	const formId = useId();
+	const nameField = useId();
+	const valuesField = useId();
+
+	const getAttributeValuesError = useCallback(() => {
+		if (errors.attributeValues?.length && errors.attributeValues?.length > 0) {
+			return errors.attributeValues[0]?.value?.message;
+		}
+
+		return '';
+	}, [errors.attributeValues]);
+
+	const hasValuesErrors = useMemo(() => {
+		const attributeValuesErrors = Array.isArray(errors?.attributeValues) && errors.attributeValues.some((error) => !!error?.value?.message);
+		const lockedAttributesErrors =
+			Array.isArray(errors?.lockedAttributes) && errors.lockedAttributes.some((error) => !!error?.value?.message);
+		return attributeValuesErrors || lockedAttributesErrors;
+	}, [errors.attributeValues, errors.lockedAttributes]);
+
+	return (
+		<>
+			<ContextualbarScrollableContent>
+				<Box is='form' onSubmit={handleSubmit(onSave)} id={formId}>
+					<Box>{description}</Box>
+					<Field mb={16}>
+						<FieldLabel htmlFor={nameField} required>
+							{t('Name')}
+						</FieldLabel>
+						<FieldRow>
+							<TextInput
+								error={errors.name?.message}
+								id={nameField}
+								{...register('name', { required: t('Required_field', { field: t('Name') }) })}
+							/>
+						</FieldRow>
+						{errors.name && <FieldError>{errors.name.message}</FieldError>}
+					</Field>
+					<Field mb={16}>
+						<FieldLabel required id={valuesField}>
+							{t('Values')}
+						</FieldLabel>
+						{lockedAttributesFields.map((field, index) => (
+							<Fragment key={field.id}>
+								<FieldRow key={field.id}>
+									<TextInput
+										disabled
+										aria-labelledby={valuesField}
+										error={errors.lockedAttributes?.[index]?.value?.message || ''}
+										{...register(`lockedAttributes.${index}.value`, {
+											required: t('Required_field', { field: t('Values') }),
+											validate: (value: string) => validateRepeatedValues(value),
+										})}
+									/>
+									{index !== 0 && (
+										<IconButton title={t('ABAC_Remove_attribute')} icon='trash' onClick={() => removeLockedAttribute(index)} />
+									)}
+								</FieldRow>
+								{errors.lockedAttributes?.[index]?.value && <FieldError>{errors.lockedAttributes?.[index]?.value?.message}</FieldError>}
+							</Fragment>
+						))}
+						{fields.map((field, index) => (
+							<Fragment key={field.id}>
+								<FieldRow>
+									<TextInput
+										aria-labelledby={valuesField}
+										error={errors.attributeValues?.[index]?.value?.message || ''}
+										{...register(`attributeValues.${index}.value`, {
+											required: t('Required_field', { field: t('Values') }),
+											validate: (value: string) => validateRepeatedValues(value),
+										})}
+									/>
+									{(index !== 0 || lockedAttributesFields.length > 0) && (
+										<IconButton title={t('ABAC_Remove_attribute')} icon='trash' onClick={() => remove(index)} />
+									)}
+								</FieldRow>
+								{errors.attributeValues?.[index]?.value && <FieldError>{errors.attributeValues[index].value.message}</FieldError>}
+							</Fragment>
+						))}
+						<Button
+							onClick={() => append({ value: '' })}
+							// Checking for values since rhf does consider the newly added field as dirty after an append() call
+							disabled={!!getAttributeValuesError() || attributeValues?.some((value: { value: string }) => value?.value === '')}
+						>
+							{t('Add_Value')}
+						</Button>
+					</Field>
+				</Box>
+			</ContextualbarScrollableContent>
+			<ContextualbarFooter>
+				<ButtonGroup stretch>
+					<Button onClick={() => onCancel()}>{t('Cancel')}</Button>
+					<Button type='submit' form={formId} disabled={hasValuesErrors || !!errors.name || !isDirty} primary>
+						{t('Save')}
+					</Button>
+				</ButtonGroup>
+			</ContextualbarFooter>
+		</>
+	);
+};
+
+export default AttributesForm;
diff --git a/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesPage.tsx b/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesPage.tsx
new file mode 100644
index 00000000000..a52d6d4a743
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/AttributesPage.tsx
@@ -0,0 +1,110 @@
+import { Box, Button, Icon, Margins, Pagination, TextInput } from '@rocket.chat/fuselage';
+import { useDebouncedValue, useEffectEvent } from '@rocket.chat/fuselage-hooks';
+import {
+	GenericTable,
+	GenericTableBody,
+	GenericTableCell,
+	GenericTableHeader,
+	GenericTableHeaderCell,
+	GenericTableRow,
+	usePagination,
+} from '@rocket.chat/ui-client';
+import { useEndpoint, useRouter } from '@rocket.chat/ui-contexts';
+import { useQuery } from '@tanstack/react-query';
+import { useMemo, useState } from 'react';
+import { useTranslation } from 'react-i18next';
+
+import AttributeMenu from './AttributeMenu';
+import GenericNoResults from '../../../../components/GenericNoResults';
+import { ABACQueryKeys } from '../../../../lib/queryKeys';
+import { useIsABACAvailable } from '../hooks/useIsABACAvailable';
+
+const AttributesPage = () => {
+	const { t } = useTranslation();
+
+	const [text, setText] = useState('');
+	const debouncedText = useDebouncedValue(text, 200);
+	const { current, itemsPerPage, setItemsPerPage, setCurrent, ...paginationProps } = usePagination();
+	const getAttributes = useEndpoint('GET', '/v1/abac/attributes');
+	const isABACAvailable = useIsABACAvailable();
+
+	const router = useRouter();
+	const handleNewAttribute = useEffectEvent(() => {
+		router.navigate({
+			name: 'admin-ABAC',
+			params: {
+				tab: 'room-attributes',
+				context: 'new',
+			},
+		});
+	});
+
+	const query = useMemo(
+		() => ({
+			...(debouncedText ? { key: debouncedText, values: debouncedText } : {}),
+			offset: current,
+			count: itemsPerPage,
+		}),
+		[debouncedText, current, itemsPerPage],
+	);
+
+	const { data, isLoading } = useQuery({
+		queryKey: ABACQueryKeys.roomAttributes.list(query),
+		queryFn: () => getAttributes(query),
+	});
+
+	return (
+		<>
+			<Margins block={24}>
+				<Box display='flex'>
+					<TextInput
+						addon={<Icon name='magnifier' size='x20' />}
+						placeholder={t('ABAC_Search_attributes')}
+						value={text}
+						onChange={(e) => setText((e.target as HTMLInputElement).value)}
+					/>
+					<Button onClick={handleNewAttribute} primary mis={8} disabled={!isABACAvailable}>
+						{t('ABAC_New_attribute')}
+					</Button>
+				</Box>
+			</Margins>
+			{(!data || data.attributes?.length === 0) && !isLoading ? (
+				<Box display='flex' justifyContent='center' height='full'>
+					<GenericNoResults icon='list-alt' title={t('ABAC_No_attributes')} description={t('ABAC_No_attributes_description')} />
+				</Box>
+			) : (
+				<>
+					<GenericTable>
+						<GenericTableHeader>
+							<GenericTableHeaderCell>{t('Name')}</GenericTableHeaderCell>
+							<GenericTableHeaderCell>{t('Value')}</GenericTableHeaderCell>
+							<GenericTableHeaderCell key='spacer' w={40} />
+						</GenericTableHeader>
+						<GenericTableBody>
+							{data?.attributes?.map((attribute) => (
+								<GenericTableRow key={attribute._id}>
+									<GenericTableCell withTruncatedText>{attribute.key}</GenericTableCell>
+									<GenericTableCell withTruncatedText>{attribute.values.join(', ')}</GenericTableCell>
+									<GenericTableCell>
+										<AttributeMenu attribute={attribute} />
+									</GenericTableCell>
+								</GenericTableRow>
+							))}
+						</GenericTableBody>
+					</GenericTable>
+					<Pagination
+						divider
+						current={current}
+						itemsPerPage={itemsPerPage}
+						count={data?.total || 0}
+						onSetItemsPerPage={setItemsPerPage}
+						onSetCurrent={setCurrent}
+						{...paginationProps}
+					/>
+				</>
+			)}
+		</>
+	);
+};
+
+export default AttributesPage;
diff --git a/apps/meteor/client/views/admin/ABAC/__snapshots__/AdminABACRoomAttributesForm.spec.tsx.snap b/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/__snapshots__/AttributesForm.spec.tsx.snap
similarity index 60%
rename from apps/meteor/client/views/admin/ABAC/__snapshots__/AdminABACRoomAttributesForm.spec.tsx.snap
rename to apps/meteor/client/views/admin/ABAC/ABACAttributesTab/__snapshots__/AttributesForm.spec.tsx.snap
index 46ecfca0c51..3e914b776d6 100644
--- a/apps/meteor/client/views/admin/ABAC/__snapshots__/AdminABACRoomAttributesForm.spec.tsx.snap
+++ b/apps/meteor/client/views/admin/ABAC/ABACAttributesTab/__snapshots__/AttributesForm.spec.tsx.snap
@@ -1,45 +1,45 @@
 // Jest Snapshot v1, https://jestjs.io/docs/snapshot-testing
 
-exports[`AdminABACRoomAttributesForm renders NewAttribute without crashing 1`] = `
+exports[`AttributesForm renders NewAttribute without crashing 1`] = `
 <body>
   <div>
     <div
       class="rcx-box rcx-box--full rcx-vertical-bar rcx-css-1ph8q3"
     >
-      <form
-        class="rcx-box rcx-box--full"
-        id=":r0:"
+      <div
+        class="rcx-box rcx-box--full rcx-css-1svuzur"
       >
         <div
-          class="rcx-box rcx-box--full rcx-css-1svuzur"
+          class="rcx-box rcx-box--full rcx-css-vlo1oi rcx-css-1cb6i7s"
+          data-overlayscrollbars="host"
         >
           <div
-            class="rcx-box rcx-box--full rcx-css-vlo1oi rcx-css-1cb6i7s"
-            data-overlayscrollbars="host"
+            class="os-size-observer"
           >
             <div
-              class="os-size-observer"
-            >
-              <div
-                class="os-size-observer-listener"
-              />
-            </div>
+              class="os-size-observer-listener"
+            />
+          </div>
+          <div
+            class=""
+            data-overlayscrollbars-viewport="scrollbarHidden overflowXHidden overflowYHidden"
+            style="margin-right: 0px; margin-bottom: 0px; margin-left: 0px; top: 0px; left: 0px; width: calc(100% + 0px); padding: 0px 0px 0px 0px;"
+            tabindex="-1"
+          >
             <div
-              class=""
-              data-overlayscrollbars-viewport="scrollbarHidden overflowXHidden overflowYHidden"
-              style="margin-right: 0px; margin-bottom: 0px; margin-left: 0px; top: 0px; left: 0px; width: calc(100% + 0px); padding: 0px 0px 0px 0px;"
-              tabindex="-1"
+              class="rcx-box rcx-box--full rcx-css-iag4sp"
             >
-              <div
-                class="rcx-box rcx-box--full rcx-css-iag4sp"
+              <form
+                class="rcx-box rcx-box--full rcx-css-1jggbrp rcx-css-1fuhgt0"
+                id=":r0:"
               >
                 <div
-                  class="rcx-box rcx-box--full rcx-css-1jggbrp rcx-css-1fuhgt0"
+                  class="rcx-box rcx-box--full"
                 >
                   Create an attribute that can later be assigned to rooms.
                 </div>
                 <div
-                  class="rcx-box rcx-box--full rcx-field rcx-css-1jggbrp rcx-css-1dd6ilo"
+                  class="rcx-box rcx-box--full rcx-field rcx-css-1jagyun"
                 >
                   <label
                     class="rcx-box rcx-box--full rcx-field__label rcx-label"
@@ -64,12 +64,9 @@ exports[`AdminABACRoomAttributesForm renders NewAttribute without crashing 1`] =
                       type="text"
                     />
                   </span>
-                  <span
-                    class="rcx-box rcx-box--full rcx-field__error"
-                  />
                 </div>
                 <div
-                  class="rcx-box rcx-box--full rcx-field rcx-css-1jggbrp rcx-css-1dd6ilo"
+                  class="rcx-box rcx-box--full rcx-field rcx-css-1jagyun"
                 >
                   <label
                     class="rcx-box rcx-box--full rcx-field__label rcx-label"
@@ -94,9 +91,6 @@ exports[`AdminABACRoomAttributesForm renders NewAttribute without crashing 1`] =
                       type="text"
                     />
                   </span>
-                  <span
-                    class="rcx-box rcx-box--full rcx-field__error"
-                  />
                   <button
                     class="rcx-box rcx-box--full rcx-button"
                     disabled=""
@@ -109,109 +103,111 @@ exports[`AdminABACRoomAttributesForm renders NewAttribute without crashing 1`] =
                     </span>
                   </button>
                 </div>
-              </div>
+              </form>
             </div>
+          </div>
+          <div
+            class="os-scrollbar os-scrollbar-horizontal os-theme-dark os-scrollbar-auto-hide os-scrollbar-auto-hide-hidden os-scrollbar-handle-interactive os-scrollbar-cornerless os-scrollbar-unusable"
+            style="--os-scroll-percent: 0; --os-viewport-percent: 0; --os-scroll-direction: 0;"
+          >
             <div
-              class="os-scrollbar os-scrollbar-horizontal os-theme-dark os-scrollbar-auto-hide os-scrollbar-auto-hide-hidden os-scrollbar-handle-interactive os-scrollbar-cornerless os-scrollbar-unusable"
-              style="--os-scroll-percent: 0; --os-viewport-percent: 0; --os-scroll-direction: 0;"
+              class="os-scrollbar-track"
             >
               <div
-                class="os-scrollbar-track"
-              >
-                <div
-                  class="os-scrollbar-handle"
-                />
-              </div>
+                class="os-scrollbar-handle"
+              />
             </div>
+          </div>
+          <div
+            class="os-scrollbar os-scrollbar-vertical os-theme-dark os-scrollbar-auto-hide os-scrollbar-auto-hide-hidden os-scrollbar-handle-interactive os-scrollbar-cornerless os-scrollbar-unusable"
+            style="--os-scroll-percent: 0; --os-viewport-percent: 0; --os-scroll-direction: 0;"
+          >
             <div
-              class="os-scrollbar os-scrollbar-vertical os-theme-dark os-scrollbar-auto-hide os-scrollbar-auto-hide-hidden os-scrollbar-handle-interactive os-scrollbar-cornerless os-scrollbar-unusable"
-              style="--os-scroll-percent: 0; --os-viewport-percent: 0; --os-scroll-direction: 0;"
+              class="os-scrollbar-track"
             >
               <div
-                class="os-scrollbar-track"
-              >
-                <div
-                  class="os-scrollbar-handle"
-                />
-              </div>
+                class="os-scrollbar-handle"
+              />
             </div>
           </div>
         </div>
+      </div>
+      <div
+        class="rcx-box rcx-box--full rcx-css-m843eh"
+      >
         <div
-          class="rcx-box rcx-box--full rcx-css-m843eh"
+          class="rcx-button-group rcx-button-group--stretch rcx-button-group--align-start"
+          role="group"
         >
-          <div
-            class="rcx-button-group rcx-button-group--stretch rcx-button-group--align-start"
-            role="group"
+          <button
+            class="rcx-box rcx-box--full rcx-button rcx-button-group__item"
+            type="button"
           >
-            <button
-              class="rcx-box rcx-box--full rcx-button rcx-button-group__item"
-              type="button"
+            <span
+              class="rcx-button--content"
             >
-              <span
-                class="rcx-button--content"
-              >
-                Cancel
-              </span>
-            </button>
-            <button
-              class="rcx-box rcx-box--full rcx-button--primary rcx-button rcx-button-group__item"
-              type="submit"
+              Cancel
+            </span>
+          </button>
+          <button
+            class="rcx-box rcx-box--full rcx-button--primary rcx-button rcx-button-group__item"
+            disabled=""
+            form=":r0:"
+            type="submit"
+          >
+            <span
+              class="rcx-button--content"
             >
-              <span
-                class="rcx-button--content"
-              >
-                Save
-              </span>
-            </button>
-          </div>
+              Save
+            </span>
+          </button>
         </div>
-      </form>
+      </div>
     </div>
   </div>
 </body>
 `;
 
-exports[`AdminABACRoomAttributesForm renders WithLockedAttributes without crashing 1`] = `
+exports[`AttributesForm renders WithLockedAttributes without crashing 1`] = `
 <body>
   <div>
     <div
       class="rcx-box rcx-box--full rcx-vertical-bar rcx-css-1ph8q3"
     >
-      <form
-        class="rcx-box rcx-box--full"
-        id=":r3:"
+      <div
+        class="rcx-box rcx-box--full rcx-css-1svuzur"
       >
         <div
-          class="rcx-box rcx-box--full rcx-css-1svuzur"
+          class="rcx-box rcx-box--full rcx-css-vlo1oi rcx-css-1cb6i7s"
+          data-overlayscrollbars="host"
         >
           <div
-            class="rcx-box rcx-box--full rcx-css-vlo1oi rcx-css-1cb6i7s"
-            data-overlayscrollbars="host"
+            class="os-size-observer"
           >
             <div
-              class="os-size-observer"
-            >
-              <div
-                class="os-size-observer-listener"
-              />
-            </div>
+              class="os-size-observer-listener"
+            />
+          </div>
+          <div
+            class=""
+            data-overlayscrollbars-viewport="scrollbarHidden overflowXHidden overflowYHidden"
+            style="margin-right: 0px; margin-bottom: 0px; margin-left: 0px; top: 0px; left: 0px; width: calc(100% + 0px); padding: 0px 0px 0px 0px;"
+            tabindex="-1"
+          >
             <div
-              class=""
-              data-overlayscrollbars-viewport="scrollbarHidden overflowXHidden overflowYHidden"
-              style="margin-right: 0px; margin-bottom: 0px; margin-left: 0px; top: 0px; left: 0px; width: calc(100% + 0px); padding: 0px 0px 0px 0px;"
-              tabindex="-1"
+              class="rcx-box rcx-box--full rcx-css-iag4sp"
             >
-              <div
-                class="rcx-box rcx-box--full rcx-css-iag4sp"
+              <form
+                class="rcx-box rcx-box--full rcx-css-1jggbrp rcx-css-1fuhgt0"
+                id=":r3:"
               >
                 <div
-                  class="rcx-box rcx-box--full rcx-css-1jggbrp rcx-css-1fuhgt0"
+                  class="rcx-box rcx-box--full"
                 >
                   Attribute values cannot be edited, but can be added or deleted.
                 </div>
                 <div
-                  class="rcx-box rcx-box--full rcx-field rcx-css-1jggbrp rcx-css-1dd6ilo"
+                  class="rcx-box rcx-box--full rcx-field rcx-css-1jagyun"
                 >
                   <label
                     class="rcx-box rcx-box--full rcx-field__label rcx-label"
@@ -236,12 +232,9 @@ exports[`AdminABACRoomAttributesForm renders WithLockedAttributes without crashi
                       type="text"
                     />
                   </span>
-                  <span
-                    class="rcx-box rcx-box--full rcx-field__error"
-                  />
                 </div>
                 <div
-                  class="rcx-box rcx-box--full rcx-field rcx-css-1jggbrp rcx-css-1dd6ilo"
+                  class="rcx-box rcx-box--full rcx-field rcx-css-1jagyun"
                 >
                   <label
                     class="rcx-box rcx-box--full rcx-field__label rcx-label"
@@ -279,8 +272,8 @@ exports[`AdminABACRoomAttributesForm renders WithLockedAttributes without crashi
                       type="text"
                     />
                     <button
-                      aria-label="Remove"
                       class="rcx-box rcx-box--full rcx-button--large-square rcx-button--square rcx-button--icon rcx-button"
+                      title="ABAC_Remove_attribute"
                       type="button"
                     >
                       <i
@@ -303,8 +296,8 @@ exports[`AdminABACRoomAttributesForm renders WithLockedAttributes without crashi
                       type="text"
                     />
                     <button
-                      aria-label="Remove"
                       class="rcx-box rcx-box--full rcx-button--large-square rcx-button--square rcx-button--icon rcx-button"
+                      title="ABAC_Remove_attribute"
                       type="button"
                     >
                       <i
@@ -315,9 +308,6 @@ exports[`AdminABACRoomAttributesForm renders WithLockedAttributes without crashi
                       </i>
                     </button>
                   </span>
-                  <span
-                    class="rcx-box rcx-box--full rcx-field__error"
-                  />
                   <button
                     class="rcx-box rcx-box--full rcx-button"
                     type="button"
@@ -329,64 +319,66 @@ exports[`AdminABACRoomAttributesForm renders WithLockedAttributes without crashi
                     </span>
                   </button>
                 </div>
-              </div>
+              </form>
             </div>
+          </div>
+          <div
+            class="os-scrollbar os-scrollbar-horizontal os-theme-dark os-scrollbar-auto-hide os-scrollbar-auto-hide-hidden os-scrollbar-handle-interactive os-scrollbar-cornerless os-scrollbar-unusable"
+            style="--os-scroll-percent: 0; --os-viewport-percent: 0; --os-scroll-direction: 0;"
+          >
             <div
-              class="os-scrollbar os-scrollbar-horizontal os-theme-dark os-scrollbar-auto-hide os-scrollbar-auto-hide-hidden os-scrollbar-handle-interactive os-scrollbar-cornerless os-scrollbar-unusable"
-              style="--os-scroll-percent: 0; --os-viewport-percent: 0; --os-scroll-direction: 0;"
+              class="os-scrollbar-track"
             >
               <div
-                class="os-scrollbar-track"
-              >
-                <div
-                  class="os-scrollbar-handle"
-                />
-              </div>
+                class="os-scrollbar-handle"
+              />
             </div>
+          </div>
+          <div
+            class="os-scrollbar os-scrollbar-vertical os-theme-dark os-scrollbar-auto-hide os-scrollbar-auto-hide-hidden os-scrollbar-handle-interactive os-scrollbar-cornerless os-scrollbar-unusable"
+            style="--os-scroll-percent: 0; --os-viewport-percent: 0; --os-scroll-direction: 0;"
+          >
             <div
-              class="os-scrollbar os-scrollbar-vertical os-theme-dark os-scrollbar-auto-hide os-scrollbar-auto-hide-hidden os-scrollbar-handle-interactive os-scrollbar-cornerless os-scrollbar-unusable"
-              style="--os-scroll-percent: 0; --os-viewport-percent: 0; --os-scroll-direction: 0;"
+              class="os-scrollbar-track"
             >
               <div
-                class="os-scrollbar-track"
-              >
-                <div
-                  class="os-scrollbar-handle"
-                />
-              </div>
+                class="os-scrollbar-handle"
+              />
             </div>
           </div>
         </div>
+      </div>
+      <div
+        class="rcx-box rcx-box--full rcx-css-m843eh"
+      >
         <div
-          class="rcx-box rcx-box--full rcx-css-m843eh"
+          class="rcx-button-group rcx-button-group--stretch rcx-button-group--align-start"
+          role="group"
         >
-          <div
-            class="rcx-button-group rcx-button-group--stretch rcx-button-group--align-start"
-            role="group"
+          <button
+            class="rcx-box rcx-box--full rcx-button rcx-button-group__item"
+            type="button"
           >
-            <button
-              class="rcx-box rcx-box--full rcx-button rcx-button-group__item"
-              type="button"
+            <span
+              class="rcx-button--content"
             >
-              <span
-                class="rcx-button--content"
-              >
-                Cancel
-              </span>
-            </button>
-            <button
-              class="rcx-box rcx-box--full rcx-button--primary rcx-button rcx-button-group__item"
-              type="submit"
+              Cancel
+            </span>
+          </button>
+          <button
+            class="rcx-box rcx-box--full rcx-button--primary rcx-button rcx-button-group__item"
+            disabled=""
+            form=":r3:"
+            type="submit"
+          >
+            <span
+              class="rcx-button--content"
             >
-              <span
-                class="rcx-button--content"
-              >
-                Save
-              </span>
-            </button>
-          </div>
+              Save
+            </span>
+          </button>
         </div>
-      </form>
+      </div>
     </div>
   </div>
 </body>
diff --git a/apps/meteor/client/views/admin/ABAC/ABACLogsTab/LogsPage.tsx b/apps/meteor/client/views/admin/ABAC/ABACLogsTab/LogsPage.tsx
new file mode 100644
index 00000000000..50b5d49595f
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACLogsTab/LogsPage.tsx
@@ -0,0 +1,213 @@
+import type { AbacAttributeDefinitionChangeType, AbacActionPerformed } from '@rocket.chat/core-typings';
+import { Box, InputBox, Margins, Pagination } from '@rocket.chat/fuselage';
+import { UserAvatar } from '@rocket.chat/ui-avatar';
+import {
+	GenericTable,
+	GenericTableBody,
+	GenericTableCell,
+	GenericTableHeader,
+	GenericTableHeaderCell,
+	GenericTableRow,
+	usePagination,
+} from '@rocket.chat/ui-client';
+import { useEndpoint } from '@rocket.chat/ui-contexts';
+import { useQuery } from '@tanstack/react-query';
+import { useMemo, useEffect, useState } from 'react';
+import { useTranslation } from 'react-i18next';
+
+import GenericNoResults from '../../../../components/GenericNoResults';
+import { useFormatDateAndTime } from '../../../../hooks/useFormatDateAndTime';
+import { ABACQueryKeys } from '../../../../lib/queryKeys';
+import DateRangePicker from '../../moderation/helpers/DateRangePicker';
+
+const LogsPage = () => {
+	const { t } = useTranslation();
+
+	const [startDate, setStartDate] = useState<string>(new Date().toISOString().split('T')[0]);
+	const [endDate, setEndDate] = useState<string>(new Date().toISOString().split('T')[0]);
+
+	const formatDate = useFormatDateAndTime();
+
+	const { current, itemsPerPage, setItemsPerPage, setCurrent, ...paginationProps } = usePagination();
+	const getLogs = useEndpoint('GET', '/v1/abac/audit');
+	const query = useMemo(
+		() => ({
+			...(startDate && { start: new Date(`${startDate}T00:00:00.000Z`).toISOString() }),
+			...(endDate && { end: new Date(`${endDate}T23:59:59.999Z`).toISOString() }),
+			offset: current,
+			count: itemsPerPage,
+		}),
+		[current, itemsPerPage, startDate, endDate],
+	);
+
+	// Whenever the user changes the filter or the text, reset the pagination to the first page
+	useEffect(() => {
+		setCurrent(0);
+	}, [startDate, endDate, setCurrent]);
+
+	const getActionLabel = (action?: AbacAttributeDefinitionChangeType | AbacActionPerformed | null) => {
+		switch (action) {
+			case 'created':
+				return t('Created');
+			case 'updated':
+				return t('Updated');
+			case 'deleted':
+				return t('Deleted');
+			case 'all-deleted':
+				return t('ABAC_All_Attributes_deleted');
+			case 'key-removed':
+				return t('ABAC_Key_removed');
+			case 'key-renamed':
+				return t('ABAC_Key_renamed');
+			case 'value-removed':
+				return t('ABAC_Value_removed');
+			case 'key-added':
+				return t('ABAC_Key_added');
+			case 'key-updated':
+				return t('ABAC_Key_updated');
+			case 'revoked-object-access':
+				return t('ABAC_Revoked_Object_Access');
+			case 'granted-object-access':
+				return t('ABAC_Granted_Object_Access');
+			default:
+				return '';
+		}
+	};
+
+	const { data, isLoading } = useQuery({
+		queryKey: ABACQueryKeys.logs.list(query),
+		queryFn: () => getLogs(query),
+		select: (data) => ({
+			events: data.events.map((event) => {
+				const eventInfo = {
+					id: event._id,
+					user: event.actor?.type === 'user' ? event.actor.username : t('System'),
+					...(event.actor?.type === 'user' && { userAvatar: <UserAvatar size='x28' userId={event.actor._id} /> }),
+					timestamp: new Date(event.ts),
+					element: t('ABAC_Room'),
+					action: getActionLabel(event.data?.find((item) => item.key === 'change')?.value),
+					room: undefined,
+				};
+				switch (event.t) {
+					case 'abac.attribute.changed':
+						return {
+							...eventInfo,
+							element: t('ABAC_Room_Attribute'),
+							name: event.data?.find((item) => item.key === 'attributeKey')?.value ?? '',
+						};
+					case 'abac.action.performed':
+						return {
+							...eventInfo,
+							name: event.data?.find((item) => item.key === 'subject')?.value?.username ?? '',
+							action: getActionLabel(event.data?.find((item) => item.key === 'action')?.value),
+							room: event.data?.find((item) => item.key === 'object')?.value?.name ?? '',
+							element: t('ABAC_room_membership'),
+						};
+					case 'abac.object.attribute.changed':
+					case 'abac.object.attributes.removed':
+						return {
+							...eventInfo,
+							name:
+								event.data
+									?.find((item) => item.key === 'current')
+									?.value?.map((item) => item.key)
+									.join(', ') ?? t('Empty'),
+							room: event.data?.find((item) => item.key === 'room')?.value?.name ?? '',
+						};
+					default:
+						return null;
+				}
+			}),
+			count: data.count,
+			offset: data.offset,
+			total: data.total,
+		}),
+	});
+
+	return (
+		<>
+			<Margins block={24}>
+				<Box display='flex'>
+					<InputBox
+						type='date'
+						placeholder={t('Start_date')}
+						value={startDate}
+						onChange={(e) => setStartDate((e.target as HTMLInputElement).value)}
+					/>
+					<Margins inlineStart={8}>
+						<InputBox
+							type='date'
+							placeholder={t('End_date')}
+							value={endDate}
+							onChange={(e) => setEndDate((e.target as HTMLInputElement).value)}
+						/>
+					</Margins>
+					<Margins inlineStart={8}>
+						<DateRangePicker
+							defaultSelectedKey='today'
+							onChange={(range) => {
+								setStartDate(range.start);
+								setEndDate(range.end);
+							}}
+						/>
+					</Margins>
+				</Box>
+			</Margins>
+			{(!data || data.events?.length === 0) && !isLoading ? (
+				<Box display='flex' justifyContent='center' height='full'>
+					<GenericNoResults icon='extended-view' title={t('ABAC_No_logs')} description={t('ABAC_No_logs_description')} />
+				</Box>
+			) : (
+				<>
+					<GenericTable>
+						<GenericTableHeader>
+							<GenericTableHeaderCell>{t('User')}</GenericTableHeaderCell>
+							<GenericTableHeaderCell>{t('Action')}</GenericTableHeaderCell>
+							<GenericTableHeaderCell>{t('Room')}</GenericTableHeaderCell>
+							<GenericTableHeaderCell>{t('ABAC_Element')}</GenericTableHeaderCell>
+							<GenericTableHeaderCell>{t('ABAC_Element_Name')}</GenericTableHeaderCell>
+							<GenericTableHeaderCell>{t('Timestamp')}</GenericTableHeaderCell>
+						</GenericTableHeader>
+						<GenericTableBody>
+							{data?.events.map((eventInfo) => {
+								if (!eventInfo) {
+									return null;
+								}
+								return (
+									<GenericTableRow key={eventInfo.id}>
+										<GenericTableCell withTruncatedText>
+											{eventInfo.userAvatar && (
+												<Box is='span' mie={4}>
+													{eventInfo.userAvatar}
+												</Box>
+											)}
+											{eventInfo.user}
+										</GenericTableCell>
+										<GenericTableCell withTruncatedText>{eventInfo.action}</GenericTableCell>
+										<GenericTableCell withTruncatedText>{eventInfo.room}</GenericTableCell>
+										<GenericTableCell withTruncatedText>{eventInfo.element}</GenericTableCell>
+										<GenericTableCell withTruncatedText title={eventInfo.name}>
+											{eventInfo.name}
+										</GenericTableCell>
+										<GenericTableCell withTruncatedText>{formatDate(eventInfo.timestamp)}</GenericTableCell>
+									</GenericTableRow>
+								);
+							})}
+						</GenericTableBody>
+					</GenericTable>
+					<Pagination
+						divider
+						current={current}
+						itemsPerPage={itemsPerPage}
+						count={data?.total || 0}
+						onSetItemsPerPage={setItemsPerPage}
+						onSetCurrent={setCurrent}
+						{...paginationProps}
+					/>
+				</>
+			)}
+		</>
+	);
+};
+
+export default LogsPage;
diff --git a/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/DeleteRoomModal.spec.tsx b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/DeleteRoomModal.spec.tsx
new file mode 100644
index 00000000000..9ff834dcc63
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/DeleteRoomModal.spec.tsx
@@ -0,0 +1,71 @@
+import { faker } from '@faker-js/faker';
+import { mockAppRoot } from '@rocket.chat/mock-providers';
+import { render, screen, waitFor } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+
+import DeleteRoomModal from './DeleteRoomModal';
+
+const mockDispatchToastMessage = jest.fn();
+
+jest.mock('@rocket.chat/ui-contexts', () => ({
+	...jest.requireActual('@rocket.chat/ui-contexts'),
+	useToastMessageDispatch: () => mockDispatchToastMessage,
+}));
+
+const baseAppRoot = mockAppRoot().withTranslations('en', 'core', {
+	Edit: 'Edit',
+	Remove: 'Remove',
+	ABAC_Room_removed: 'Room {{roomName}} removed from ABAC management',
+	ABAC_Delete_room: 'Remove room from ABAC management',
+	ABAC_Delete_room_annotation: 'Proceed with caution',
+	ABAC_Delete_room_content: 'Removing <bold>{{roomName}}</bold> from ABAC management may result in unintended users gaining access.',
+	Cancel: 'Cancel',
+});
+
+describe('DeleteRoomModal', () => {
+	beforeEach(() => {
+		jest.clearAllMocks();
+	});
+
+	const rid = faker.database.mongodbObjectId();
+	const roomName = 'Test Room';
+
+	it('should render without crashing', () => {
+		const { baseElement } = render(<DeleteRoomModal rid={rid} roomName={roomName} onClose={jest.fn()} />, {
+			wrapper: baseAppRoot.build(),
+		});
+
+		expect(baseElement).toMatchSnapshot();
+	});
+
+	it('should call delete endpoint when delete is confirmed', async () => {
+		const deleteEndpointMock = jest.fn().mockResolvedValue(null);
+
+		render(<DeleteRoomModal rid={rid} roomName={roomName} onClose={jest.fn()} />, {
+			wrapper: baseAppRoot.withEndpoint('DELETE', '/v1/abac/rooms/:rid/attributes', deleteEndpointMock).build(),
+		});
+
+		await userEvent.click(screen.getByRole('button', { name: 'Remove' }));
+
+		await waitFor(() => {
+			expect(deleteEndpointMock).toHaveBeenCalled();
+		});
+	});
+
+	it('should show success toast when delete succeeds', async () => {
+		const deleteEndpointMock = jest.fn().mockResolvedValue(null);
+
+		render(<DeleteRoomModal rid={rid} roomName={roomName} onClose={jest.fn()} />, {
+			wrapper: baseAppRoot.withEndpoint('DELETE', '/v1/abac/rooms/:rid/attributes', deleteEndpointMock).build(),
+		});
+
+		await userEvent.click(screen.getByRole('button', { name: 'Remove' }));
+
+		await waitFor(() => {
+			expect(mockDispatchToastMessage).toHaveBeenCalledWith({
+				type: 'success',
+				message: 'Room Test Room removed from ABAC management',
+			});
+		});
+	});
+});
diff --git a/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/DeleteRoomModal.tsx b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/DeleteRoomModal.tsx
new file mode 100644
index 00000000000..653a2d8191a
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/DeleteRoomModal.tsx
@@ -0,0 +1,48 @@
+import type { IRoom } from '@rocket.chat/core-typings';
+import { Box } from '@rocket.chat/fuselage';
+import { GenericModal } from '@rocket.chat/ui-client';
+import { useToastMessageDispatch } from '@rocket.chat/ui-contexts';
+import { useQueryClient } from '@tanstack/react-query';
+import { Trans, useTranslation } from 'react-i18next';
+
+import { useEndpointMutation } from '../../../../hooks/useEndpointMutation';
+import { ABACQueryKeys } from '../../../../lib/queryKeys';
+
+type DeleteRoomModalProps = {
+	rid: IRoom['_id'];
+	roomName: string;
+	onClose: () => void;
+};
+
+const DeleteRoomModal = ({ rid, roomName, onClose }: DeleteRoomModalProps) => {
+	const { t } = useTranslation();
+
+	const queryClient = useQueryClient();
+	const dispatchToastMessage = useToastMessageDispatch();
+	const deleteMutation = useEndpointMutation('DELETE', '/v1/abac/rooms/:rid/attributes', {
+		keys: { rid },
+		onSuccess: () => {
+			dispatchToastMessage({ type: 'success', message: t('ABAC_Room_removed', { roomName }) });
+		},
+		onSettled: () => {
+			queryClient.invalidateQueries({ queryKey: ABACQueryKeys.rooms.all() });
+			onClose();
+		},
+	});
+
+	return (
+		<GenericModal
+			variant='danger'
+			icon={null}
+			title={t('ABAC_Delete_room')}
+			annotation={t('ABAC_Delete_room_annotation')}
+			confirmText={t('Remove')}
+			onConfirm={() => deleteMutation.mutate(undefined)}
+			onCancel={onClose}
+		>
+			<Trans i18nKey='ABAC_Delete_room_content' values={{ roomName }} components={{ bold: <Box is='span' fontWeight='bold' /> }} />
+		</GenericModal>
+	);
+};
+
+export default DeleteRoomModal;
diff --git a/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomForm.tsx b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomForm.tsx
new file mode 100644
index 00000000000..ca427d377ea
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomForm.tsx
@@ -0,0 +1,131 @@
+import { Box, Field, FieldLabel, FieldRow, FieldError, ButtonGroup, Button, ContextualbarFooter } from '@rocket.chat/fuselage';
+import { useEffectEvent } from '@rocket.chat/fuselage-hooks';
+import { GenericModal, ContextualbarScrollableContent } from '@rocket.chat/ui-client';
+import { useSetModal } from '@rocket.chat/ui-contexts';
+import type { Dispatch, SetStateAction } from 'react';
+import { useId } from 'react';
+import { Controller, useFieldArray, useFormContext } from 'react-hook-form';
+import { Trans, useTranslation } from 'react-i18next';
+
+import RoomFormAttributeFields from './RoomFormAttributeFields';
+import RoomFormAutocomplete from './RoomFormAutocomplete';
+import RoomFormAutocompleteDummy from './RoomFormAutocompleteDummy';
+
+type RoomFormProps = {
+	onClose: () => void;
+	onSave: (data: RoomFormData) => void;
+	roomInfo?: { rid: string; name: string };
+	setSelectedRoomLabel: Dispatch<SetStateAction<string>>;
+};
+
+export type RoomFormData = {
+	room: string;
+	attributes: { key: string; values: string[] }[];
+};
+
+const RoomForm = ({ onClose, onSave, roomInfo, setSelectedRoomLabel }: RoomFormProps) => {
+	const {
+		control,
+		handleSubmit,
+		formState: { isValid, errors, isDirty },
+	} = useFormContext<RoomFormData>();
+
+	const { t } = useTranslation();
+	const formId = useId();
+	const nameField = useId();
+
+	const { fields, append, remove } = useFieldArray({
+		name: 'attributes',
+		control,
+	});
+
+	const setModal = useSetModal();
+
+	const updateAction = useEffectEvent(async (action: () => void) => {
+		setModal(
+			<GenericModal
+				variant='info'
+				icon={null}
+				title={t('ABAC_Update_room_confirmation_modal_title')}
+				annotation={t('ABAC_Update_room_confirmation_modal_annotation')}
+				confirmText={t('Save_changes')}
+				onConfirm={() => {
+					action();
+					setModal(null);
+				}}
+				onCancel={() => setModal(null)}
+			>
+				<Trans
+					i18nKey='ABAC_Update_room_content'
+					values={{ roomName: roomInfo?.name }}
+					components={{ bold: <Box is='span' fontWeight='bold' /> }}
+				/>
+			</GenericModal>,
+		);
+	});
+
+	const handleSave = useEffectEvent(() => {
+		if (roomInfo) {
+			updateAction(handleSubmit(onSave));
+		} else {
+			handleSubmit(onSave)();
+		}
+	});
+
+	return (
+		<>
+			<ContextualbarScrollableContent>
+				<Box is='form' onSubmit={handleSubmit(handleSave)} id={formId}>
+					<Field mb={16}>
+						<FieldLabel id={nameField} required>
+							{t('ABAC_Room_to_be_managed')}
+						</FieldLabel>
+						<FieldRow>
+							{roomInfo ? (
+								<RoomFormAutocompleteDummy roomInfo={roomInfo} />
+							) : (
+								<Controller
+									name='room'
+									control={control}
+									rules={{ required: t('Required_field', { field: t('ABAC_Room_to_be_managed') }) }}
+									render={({ field }) => (
+										<RoomFormAutocomplete
+											{...field}
+											error={!!errors.room?.message}
+											aria-labelledby={nameField}
+											onSelectedRoom={(value: string, label: string) => {
+												field.onChange(value);
+												setSelectedRoomLabel(label);
+											}}
+										/>
+									)}
+								/>
+							)}
+						</FieldRow>
+						{errors.room && <FieldError>{errors.room.message}</FieldError>}
+					</Field>
+					<RoomFormAttributeFields fields={fields} remove={remove} />
+					<Button
+						w='full'
+						disabled={fields.length >= 10}
+						onClick={() => {
+							append({ key: '', values: [] });
+						}}
+					>
+						{t('ABAC_Add_Attribute')}
+					</Button>
+				</Box>
+			</ContextualbarScrollableContent>
+			<ContextualbarFooter>
+				<ButtonGroup stretch>
+					<Button onClick={onClose}>{t('Cancel')}</Button>
+					<Button type='submit' form={formId} disabled={!isValid || !isDirty} primary>
+						{t('Save')}
+					</Button>
+				</ButtonGroup>
+			</ContextualbarFooter>
+		</>
+	);
+};
+
+export default RoomForm;
diff --git a/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeField.spec.tsx b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeField.spec.tsx
new file mode 100644
index 00000000000..b8c3cd71c17
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeField.spec.tsx
@@ -0,0 +1,13 @@
+import { composeStories } from '@storybook/react';
+import { render } from '@testing-library/react';
+
+import * as stories from './RoomFormAttributeField.stories';
+
+describe('RoomFormAttributeField', () => {
+	const testCases = Object.values(composeStories(stories)).map((Story) => [Story.storyName || 'Story', Story]);
+
+	test.each(testCases)(`renders %s without crashing`, async (_storyname, Story) => {
+		const { baseElement } = render(<Story />);
+		expect(baseElement).toMatchSnapshot();
+	});
+});
diff --git a/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeField.stories.tsx b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeField.stories.tsx
new file mode 100644
index 00000000000..00f42f32320
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeField.stories.tsx
@@ -0,0 +1,73 @@
+import { Field } from '@rocket.chat/fuselage';
+import { mockAppRoot } from '@rocket.chat/mock-providers';
+import { action } from '@storybook/addon-actions';
+import type { Meta, StoryObj } from '@storybook/react';
+import { FormProvider, useForm } from 'react-hook-form';
+
+import type { RoomFormData } from './RoomForm';
+import RoomFormAttributeField from './RoomFormAttributeField';
+
+const mockAttribute1 = {
+	_id: 'attr1',
+	_updatedAt: new Date().toISOString(),
+	key: 'Department',
+	values: ['Engineering', 'Sales', 'Marketing'],
+};
+
+const mockAttribute2 = {
+	_id: 'attr2',
+	_updatedAt: new Date().toISOString(),
+	key: 'Security-Level',
+	values: ['Public', 'Internal', 'Confidential'],
+};
+
+const mockAttribute3 = {
+	_id: 'attr3',
+	_updatedAt: new Date().toISOString(),
+	key: 'Location',
+	values: ['US', 'EU', 'APAC'],
+};
+
+const meta: Meta<typeof RoomFormAttributeField> = {
+	component: RoomFormAttributeField,
+	parameters: {
+		layout: 'padded',
+	},
+	decorators: [
+		(Story) => {
+			const AppRoot = mockAppRoot().build();
+
+			const methods = useForm<RoomFormData>({
+				defaultValues: {
+					room: '',
+					attributes: [{ key: '', values: [] }],
+				},
+				mode: 'onChange',
+			});
+
+			return (
+				<AppRoot>
+					<FormProvider {...methods}>
+						<Field>
+							<Story />
+						</Field>
+					</FormProvider>
+				</AppRoot>
+			);
+		},
+	],
+	args: {
+		onRemove: action('onRemove'),
+		attributeList: [
+			{ value: mockAttribute1.key, label: mockAttribute1.key, attributeValues: mockAttribute1.values },
+			{ value: mockAttribute2.key, label: mockAttribute2.key, attributeValues: mockAttribute2.values },
+			{ value: mockAttribute3.key, label: mockAttribute3.key, attributeValues: mockAttribute3.values },
+		],
+		index: 0,
+	},
+};
+
+export default meta;
+type Story = StoryObj<typeof RoomFormAttributeField>;
+
+export const Default: Story = {};
diff --git a/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeField.tsx b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeField.tsx
new file mode 100644
index 00000000000..d9a4247c3db
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeField.tsx
@@ -0,0 +1,93 @@
+import type { SelectOption } from '@rocket.chat/fuselage';
+import { Box, Button, FieldError, FieldRow, MultiSelect, SelectFiltered } from '@rocket.chat/fuselage';
+import { useCallback, useMemo } from 'react';
+import { useController, useFormContext } from 'react-hook-form';
+import { useTranslation } from 'react-i18next';
+
+import type { RoomFormData } from './RoomForm';
+
+type ABACAttributeAutocompleteProps = {
+	onRemove: () => void;
+	index: number;
+	attributeList: { value: string; label: string; attributeValues: string[] }[];
+};
+
+const RoomFormAttributeField = ({ onRemove, index, attributeList }: ABACAttributeAutocompleteProps) => {
+	const { t } = useTranslation();
+
+	const { control, getValues, resetField } = useFormContext<RoomFormData>();
+
+	const options: SelectOption[] = useMemo(() => attributeList.map((attribute) => [attribute.value, attribute.label]), [attributeList]);
+
+	const validateRepeatedAttributes = useCallback(
+		(value: string) => {
+			const attributes = getValues('attributes');
+			// Only one instance of the same attribute is allowed to be in the form at a time
+			const repeatedAttributes = attributes.filter((attribute) => attribute.key === value).length > 1;
+			return repeatedAttributes ? t('ABAC_No_repeated_attributes') : undefined;
+		},
+		[getValues, t],
+	);
+
+	const { field: keyField, fieldState: keyFieldState } = useController({
+		name: `attributes.${index}.key`,
+		control,
+		rules: {
+			required: t('Required_field', { field: t('Attribute') }),
+			validate: validateRepeatedAttributes,
+		},
+	});
+
+	const { field: valuesField, fieldState: valuesFieldState } = useController({
+		name: `attributes.${index}.values`,
+		control,
+		rules: { required: t('Required_field', { field: t('Attribute_Values') }) },
+	});
+
+	const valueOptions: [string, string][] = useMemo(() => {
+		if (!keyField.value) {
+			return [];
+		}
+
+		const selectedAttributeData = attributeList.find((option) => option.value === keyField.value);
+
+		return selectedAttributeData?.attributeValues.map((value) => [value, value]) || [];
+	}, [attributeList, keyField.value]);
+
+	return (
+		<Box display='flex' flexDirection='column' w='full'>
+			<FieldRow>
+				<SelectFiltered
+					{...keyField}
+					options={options}
+					placeholder={t('ABAC_Search_Attribute')}
+					mbe={4}
+					error={keyFieldState.error?.message}
+					withTruncatedText
+					onChange={(value) => {
+						keyField.onChange(value);
+						resetField(`attributes.${index}.values`, { defaultValue: [] });
+					}}
+				/>
+			</FieldRow>
+			{keyFieldState.error && <FieldError>{keyFieldState.error.message}</FieldError>}
+
+			<FieldRow>
+				<MultiSelect
+					withTruncatedText
+					{...valuesField}
+					options={valueOptions}
+					placeholder={t('ABAC_Select_Attribute_Values')}
+					error={valuesFieldState.error?.message}
+				/>
+			</FieldRow>
+			{valuesFieldState.error && <FieldError>{valuesFieldState.error.message}</FieldError>}
+
+			<Button onClick={onRemove} title={t('Remove')} mbs={4}>
+				{t('Remove')}
+			</Button>
+		</Box>
+	);
+};
+
+export default RoomFormAttributeField;
diff --git a/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeFields.spec.tsx b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeFields.spec.tsx
new file mode 100644
index 00000000000..5f585e3099e
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeFields.spec.tsx
@@ -0,0 +1,136 @@
+import { mockAppRoot } from '@rocket.chat/mock-providers';
+import { render, screen } from '@testing-library/react';
+import type { ReactNode } from 'react';
+import { FormProvider, useForm } from 'react-hook-form';
+
+import type { RoomFormData } from './RoomForm';
+import RoomFormAttributeFields from './RoomFormAttributeFields';
+
+const mockAttribute1 = {
+	_id: 'attr1',
+	key: 'Department',
+	values: ['Engineering', 'Sales', 'Marketing'],
+};
+
+const mockAttribute2 = {
+	_id: 'attr2',
+	key: 'Security-Level',
+	values: ['Public', 'Internal', 'Confidential'],
+};
+
+const mockAttribute3 = {
+	_id: 'attr3',
+	key: 'Location',
+	values: ['US', 'EU', 'APAC'],
+};
+
+jest.mock('../hooks/useAttributeList', () => ({
+	useAttributeList: jest.fn(() => ({
+		data: {
+			attributes: [
+				{ value: mockAttribute1.key, label: mockAttribute1.key, attributeValues: mockAttribute1.values },
+				{ value: mockAttribute2.key, label: mockAttribute2.key, attributeValues: mockAttribute2.values },
+				{ value: mockAttribute3.key, label: mockAttribute3.key, attributeValues: mockAttribute3.values },
+			],
+		},
+		isLoading: false,
+	})),
+}));
+
+const appRoot = mockAppRoot()
+	.withTranslations('en', 'core', {
+		Attribute: 'Attribute',
+		ABAC_Search_Attribute: 'Search attribute',
+		ABAC_Select_Attribute_Values: 'Select attribute values',
+		Remove: 'Remove',
+	})
+	.build();
+
+const FormProviderWrapper = ({ children, defaultValues }: { children: ReactNode; defaultValues?: Partial<RoomFormData> }) => {
+	const methods = useForm<RoomFormData>({
+		defaultValues: {
+			room: '',
+			attributes: [{ key: '', values: [] }],
+			...defaultValues,
+		},
+		mode: 'onChange',
+	});
+
+	return <FormProvider {...methods}>{children}</FormProvider>;
+};
+
+describe('RoomFormAttributeFields', () => {
+	const mockRemove = jest.fn();
+
+	beforeEach(() => {
+		jest.clearAllMocks();
+	});
+
+	it('should render the correct number of fields', () => {
+		const fields = [{ id: 'field-1' }, { id: 'field-2' }, { id: 'field-3' }];
+
+		render(
+			<FormProviderWrapper>
+				<RoomFormAttributeFields fields={fields} remove={mockRemove} />
+			</FormProviderWrapper>,
+			{ wrapper: appRoot },
+		);
+
+		const attributeLabels = screen.getAllByText('Attribute');
+		expect(attributeLabels).toHaveLength(3);
+	});
+
+	it('should render a single field', () => {
+		const fields = [{ id: 'field-1' }];
+
+		render(
+			<FormProviderWrapper>
+				<RoomFormAttributeFields fields={fields} remove={mockRemove} />
+			</FormProviderWrapper>,
+			{ wrapper: appRoot },
+		);
+
+		const attributeLabels = screen.getAllByText('Attribute');
+		expect(attributeLabels).toHaveLength(1);
+	});
+
+	it('should render multiple fields', () => {
+		const fields = [{ id: 'field-1' }, { id: 'field-2' }, { id: 'field-3' }, { id: 'field-4' }, { id: 'field-5' }];
+
+		render(
+			<FormProviderWrapper>
+				<RoomFormAttributeFields fields={fields} remove={mockRemove} />
+			</FormProviderWrapper>,
+			{ wrapper: appRoot },
+		);
+
+		const attributeLabels = screen.getAllByText('Attribute');
+		expect(attributeLabels).toHaveLength(5);
+	});
+
+	it('should render fields with provided default values', () => {
+		const fields = [{ id: 'field-1' }, { id: 'field-2' }];
+
+		render(
+			<FormProviderWrapper
+				defaultValues={{
+					attributes: [
+						{ key: 'Department', values: ['Engineering'] },
+						{ key: 'Security-Level', values: ['Public', 'Internal'] },
+					],
+				}}
+			>
+				<RoomFormAttributeFields fields={fields} remove={mockRemove} />
+			</FormProviderWrapper>,
+			{ wrapper: appRoot },
+		);
+
+		const attributeLabels = screen.getAllByText('Attribute');
+		expect(attributeLabels).toHaveLength(2);
+		expect(screen.getByText('Department')).toBeInTheDocument();
+		expect(screen.getByText('Engineering')).toBeInTheDocument();
+		expect(screen.getByText('Security-Level')).toBeInTheDocument();
+		expect(screen.getByText('Public')).toBeInTheDocument();
+		expect(screen.getByText('Internal')).toBeInTheDocument();
+	});
+});
diff --git a/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeFields.tsx b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeFields.tsx
new file mode 100644
index 00000000000..bfcdf21464b
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAttributeFields.tsx
@@ -0,0 +1,37 @@
+import { Field, FieldLabel, InputBoxSkeleton } from '@rocket.chat/fuselage';
+import { useTranslation } from 'react-i18next';
+
+import RoomFormAttributeField from './RoomFormAttributeField';
+import { useAttributeList } from '../hooks/useAttributeList';
+
+type RoomFormAttributeFieldsProps = {
+	fields: { id: string }[];
+	remove: (index: number) => void;
+};
+
+const RoomFormAttributeFields = ({ fields, remove }: RoomFormAttributeFieldsProps) => {
+	const { t } = useTranslation();
+
+	const { data: attributeList, isLoading } = useAttributeList();
+
+	if (isLoading || !attributeList) {
+		return <InputBoxSkeleton />;
+	}
+
+	return fields.map((field, index) => (
+		<Field key={field.id} mb={16}>
+			<FieldLabel htmlFor={field.id} required>
+				{t('Attribute')}
+			</FieldLabel>
+			<RoomFormAttributeField
+				attributeList={attributeList.attributes}
+				onRemove={() => {
+					remove(index);
+				}}
+				index={index}
+			/>
+		</Field>
+	));
+};
+
+export default RoomFormAttributeFields;
diff --git a/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAutocomplete.spec.tsx b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAutocomplete.spec.tsx
new file mode 100644
index 00000000000..2b5c6ad38a3
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAutocomplete.spec.tsx
@@ -0,0 +1,60 @@
+import { mockAppRoot } from '@rocket.chat/mock-providers';
+import { composeStories } from '@storybook/react';
+import { render, screen, waitFor } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { axe } from 'jest-axe';
+
+import RoomFormAutocomplete from './RoomFormAutocomplete';
+import * as stories from './RoomFormAutocomplete.stories';
+import { createFakeRoom } from '../../../../../tests/mocks/data';
+
+const mockRoom1 = createFakeRoom({ t: 'p', name: 'Room 1', fname: 'Room 1' });
+const mockRoom2 = createFakeRoom({ t: 'p', name: 'Room 2', fname: 'Room 2' });
+const mockRoom3 = createFakeRoom({ t: 'p', name: 'Room 3', fname: 'Room 3', abacAttributes: [] });
+
+const appRoot = mockAppRoot()
+	.withEndpoint('GET', '/v1/rooms.adminRooms.privateRooms', () => ({
+		rooms: [mockRoom1 as any, mockRoom2 as any, mockRoom3 as any],
+		count: 3,
+		offset: 0,
+		total: 3,
+	}))
+	.build();
+
+describe('RoomFormAutocomplete', () => {
+	const testCases = Object.values(composeStories(stories)).map((Story) => [Story.storyName || 'Story', Story]);
+
+	test.each(testCases)(`renders %s without crashing`, async (_storyname, Story) => {
+		const { baseElement } = render(<Story />);
+		expect(baseElement).toMatchSnapshot();
+	});
+
+	test.each(testCases)('%s should have no a11y violations', async (_storyname, Story) => {
+		// Aria label added in a higher level
+		const { container } = render(<Story aria-label='ABAC Room Autocomplete' />);
+
+		const results = await axe(container);
+		expect(results).toHaveNoViolations();
+	});
+
+	it('should populate select options correctly', async () => {
+		render(<RoomFormAutocomplete value='' onSelectedRoom={jest.fn()} />, {
+			wrapper: appRoot,
+		});
+
+		const input = screen.getByRole('textbox');
+		await userEvent.click(input);
+
+		await waitFor(() => {
+			expect(screen.getByText('Room 1')).toBeInTheDocument();
+		});
+
+		await waitFor(() => {
+			expect(screen.getByText('Room 2')).toBeInTheDocument();
+		});
+
+		await waitFor(() => {
+			expect(screen.getByText('Room 3')).toBeInTheDocument();
+		});
+	});
+});
diff --git a/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAutocomplete.stories.tsx b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAutocomplete.stories.tsx
new file mode 100644
index 00000000000..4345892d3cb
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAutocomplete.stories.tsx
@@ -0,0 +1,42 @@
+import { mockAppRoot } from '@rocket.chat/mock-providers';
+import { action } from '@storybook/addon-actions';
+import type { Meta, StoryObj } from '@storybook/react';
+
+import RoomFormAutocomplete from './RoomFormAutocomplete';
+import { createFakeRoom } from '../../../../../tests/mocks/data';
+
+const mockRoom1 = createFakeRoom({ t: 'p', name: 'Room 1' });
+const mockRoom2 = createFakeRoom({ t: 'p', name: 'Room 2' });
+
+const meta: Meta<typeof RoomFormAutocomplete> = {
+	component: RoomFormAutocomplete,
+	parameters: {
+		layout: 'padded',
+	},
+	decorators: [
+		(Story) => {
+			const AppRoot = mockAppRoot()
+				.withEndpoint('GET', '/v1/rooms.adminRooms', () => ({
+					rooms: [mockRoom1 as any, mockRoom2 as any],
+					count: 2,
+					offset: 0,
+					total: 2,
+				}))
+				.build();
+			return (
+				<AppRoot>
+					<Story />
+				</AppRoot>
+			);
+		},
+	],
+	args: {
+		value: '',
+		onSelectedRoom: action('onChange'),
+	},
+};
+
+export default meta;
+type Story = StoryObj<typeof RoomFormAutocomplete>;
+
+export const Default: Story = {};
diff --git a/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAutocomplete.tsx b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAutocomplete.tsx
new file mode 100644
index 00000000000..506c2e3a1f8
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAutocomplete.tsx
@@ -0,0 +1,58 @@
+import { AutoComplete, Option, Box } from '@rocket.chat/fuselage';
+import { useDebouncedValue } from '@rocket.chat/fuselage-hooks';
+import { useEndpoint } from '@rocket.chat/ui-contexts';
+import { keepPreviousData, useQuery } from '@tanstack/react-query';
+import type { ComponentProps } from 'react';
+import { memo, useState } from 'react';
+
+import { ABACQueryKeys } from '../../../../lib/queryKeys';
+
+const generateQuery = (
+	term = '',
+): {
+	filter: string;
+} => ({ filter: term });
+
+type RoomFormAutocompleteProps = Omit<ComponentProps<typeof AutoComplete>, 'filter' | 'onChange'> & {
+	onSelectedRoom: (value: string, label: string) => void;
+};
+
+const RoomFormAutocomplete = ({ value, onSelectedRoom, ...props }: RoomFormAutocompleteProps) => {
+	const [filter, setFilter] = useState('');
+	const filterDebounced = useDebouncedValue(filter, 300);
+	const roomsAutoCompleteEndpoint = useEndpoint('GET', '/v1/rooms.adminRooms.privateRooms');
+
+	const result = useQuery({
+		queryKey: ABACQueryKeys.rooms.autocomplete(generateQuery(filterDebounced)),
+		queryFn: () => roomsAutoCompleteEndpoint(generateQuery(filterDebounced)),
+		placeholderData: keepPreviousData,
+		select: (data) =>
+			data.rooms
+				.filter((room) => !room.abacAttributes || room.abacAttributes.length === 0)
+				.map((room) => ({
+					value: room._id,
+					label: { name: room.fname || room.name },
+				})),
+	});
+
+	return (
+		<AutoComplete
+			{...props}
+			onChange={(val) => {
+				onSelectedRoom(val as string, result.data?.find(({ value }) => value === val)?.label?.name || '');
+			}}
+			value={value}
+			filter={filter}
+			setFilter={setFilter}
+			renderSelected={({ selected: { label } }) => (
+				<Box margin='none' mi={2}>
+					{label?.name}
+				</Box>
+			)}
+			renderItem={({ label, ...props }) => <Option {...props} label={label.name} />}
+			options={result.data}
+		/>
+	);
+};
+
+export default memo(RoomFormAutocomplete);
diff --git a/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAutocompleteDummy.tsx b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAutocompleteDummy.tsx
new file mode 100644
index 00000000000..ef4c133ec0f
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomFormAutocompleteDummy.tsx
@@ -0,0 +1,11 @@
+import { Input } from '@rocket.chat/fuselage';
+
+type RoomFormAutocompleteDummyProps = {
+	roomInfo: { rid: string; name: string };
+};
+
+const RoomFormAutocompleteDummy = ({ roomInfo }: RoomFormAutocompleteDummyProps) => {
+	return <Input value={roomInfo.name} disabled />;
+};
+
+export default RoomFormAutocompleteDummy;
diff --git a/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomMenu.tsx b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomMenu.tsx
new file mode 100644
index 00000000000..fcac598f62a
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomMenu.tsx
@@ -0,0 +1,28 @@
+import { GenericMenu } from '@rocket.chat/ui-client';
+import { useTranslation } from 'react-i18next';
+
+import { useRoomItems } from '../hooks/useRoomItems';
+
+type RoomMenuProps = {
+	room: { rid: string; name: string };
+};
+
+const RoomMenu = ({ room }: RoomMenuProps) => {
+	const { t } = useTranslation();
+
+	const items = useRoomItems(room);
+
+	return (
+		<GenericMenu
+			title={t('Options')}
+			icon='kebab'
+			sections={[
+				{
+					items,
+				},
+			]}
+		/>
+	);
+};
+
+export default RoomMenu;
diff --git a/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomsContextualBar.tsx b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomsContextualBar.tsx
new file mode 100644
index 00000000000..25c9037c86e
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomsContextualBar.tsx
@@ -0,0 +1,89 @@
+import { ContextualbarTitle } from '@rocket.chat/fuselage';
+import { ContextualbarClose, ContextualbarHeader } from '@rocket.chat/ui-client';
+import { useEndpoint, useRouteParameter, useToastMessageDispatch } from '@rocket.chat/ui-contexts';
+import { useMutation, useQueryClient } from '@tanstack/react-query';
+import { useState } from 'react';
+import { FormProvider, useForm } from 'react-hook-form';
+import { useTranslation } from 'react-i18next';
+
+import RoomForm from './RoomForm';
+import { ABACQueryKeys } from '../../../../lib/queryKeys';
+
+type RoomsContextualBarProps = {
+	attributeId?: string;
+	roomInfo?: { rid: string; name: string };
+	attributesData?: { key: string; values: string[] }[];
+
+	onClose: () => void;
+};
+
+const RoomsContextualBar = ({ roomInfo, attributesData, onClose }: RoomsContextualBarProps) => {
+	const { t } = useTranslation();
+	const queryClient = useQueryClient();
+
+	const methods = useForm<{
+		room: string;
+		attributes: { key: string; values: string[] }[];
+	}>({
+		defaultValues: {
+			room: roomInfo?.rid || '',
+			attributes: attributesData ?? [{ key: '', values: [] }],
+		},
+		mode: 'onChange',
+	});
+
+	const { watch } = methods;
+
+	const [selectedRoomLabel, setSelectedRoomLabel] = useState<string>('');
+
+	const attributeId = useRouteParameter('id');
+	const createOrUpdateABACRoom = useEndpoint('POST', '/v1/abac/rooms/:rid/attributes', { rid: watch('room') });
+
+	const dispatchToastMessage = useToastMessageDispatch();
+
+	const saveMutation = useMutation({
+		mutationFn: async (data: { room: string; attributes: { key: string; values: string[] }[] }) => {
+			const payload = {
+				attributes: data.attributes.reduce((acc: Record<string, string[]>, attribute) => {
+					acc[attribute.key] = attribute.values;
+					return acc;
+				}, {}),
+			};
+
+			await createOrUpdateABACRoom(payload);
+		},
+		onSuccess: () => {
+			if (attributeId) {
+				dispatchToastMessage({ type: 'success', message: t('ABAC_Room_updated', { roomName: selectedRoomLabel }) });
+			} else {
+				dispatchToastMessage({ type: 'success', message: t('ABAC_Room_created', { roomName: selectedRoomLabel }) });
+			}
+			onClose();
+		},
+		onError: (error) => {
+			dispatchToastMessage({ type: 'error', message: error });
+		},
+		onSettled: () => {
+			queryClient.invalidateQueries({ queryKey: ABACQueryKeys.rooms.list() });
+		},
+	});
+
+	return (
+		<>
+			<ContextualbarHeader>
+				<ContextualbarTitle>{t(attributeId ? 'ABAC_Edit_Room' : 'ABAC_Add_room')}</ContextualbarTitle>
+				<ContextualbarClose onClick={onClose} />
+			</ContextualbarHeader>
+			<FormProvider {...methods}>
+				<RoomForm
+					roomInfo={roomInfo}
+					onSave={(values) => saveMutation.mutateAsync(values)}
+					onClose={onClose}
+					setSelectedRoomLabel={setSelectedRoomLabel}
+				/>
+			</FormProvider>
+		</>
+	);
+};
+
+export default RoomsContextualBar;
diff --git a/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomsContextualBarWithData.tsx b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomsContextualBarWithData.tsx
new file mode 100644
index 00000000000..e0c22404108
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomsContextualBarWithData.tsx
@@ -0,0 +1,34 @@
+import { ContextualbarSkeletonBody } from '@rocket.chat/ui-client';
+import { useEndpoint } from '@rocket.chat/ui-contexts';
+import { useQuery } from '@tanstack/react-query';
+
+import RoomsContextualBar from './RoomsContextualBar';
+import { ABACQueryKeys } from '../../../../lib/queryKeys';
+
+type RoomsContextualBarWithDataProps = {
+	id: string;
+	onClose: () => void;
+};
+
+const RoomsContextualBarWithData = ({ id, onClose }: RoomsContextualBarWithDataProps) => {
+	const getRoomAttributes = useEndpoint('GET', '/v1/rooms.adminRooms.getRoom');
+	const { data, isLoading, isFetching } = useQuery({
+		queryKey: ABACQueryKeys.rooms.room(id),
+		queryFn: () => getRoomAttributes({ rid: id }),
+		staleTime: 0,
+	});
+
+	if (isLoading || isFetching) {
+		return <ContextualbarSkeletonBody />;
+	}
+
+	return (
+		<RoomsContextualBar
+			roomInfo={{ rid: id, name: data?.fname || data?.name || id }}
+			attributesData={data?.abacAttributes}
+			onClose={onClose}
+		/>
+	);
+};
+
+export default RoomsContextualBarWithData;
diff --git a/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomsPage.tsx b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomsPage.tsx
new file mode 100644
index 00000000000..7c6222531d8
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/RoomsPage.tsx
@@ -0,0 +1,137 @@
+import { Box, Button, Icon, Margins, Pagination, Select, TextInput } from '@rocket.chat/fuselage';
+import { useDebouncedValue, useEffectEvent } from '@rocket.chat/fuselage-hooks';
+import {
+	GenericTable,
+	GenericTableBody,
+	GenericTableCell,
+	GenericTableHeader,
+	GenericTableHeaderCell,
+	GenericTableRow,
+	usePagination,
+} from '@rocket.chat/ui-client';
+import { useEndpoint, useRouter } from '@rocket.chat/ui-contexts';
+import { useQuery } from '@tanstack/react-query';
+import { useMemo, useState, useEffect } from 'react';
+import { useTranslation } from 'react-i18next';
+
+import RoomMenu from './RoomMenu';
+import GenericNoResults from '../../../../components/GenericNoResults';
+import { ABACQueryKeys } from '../../../../lib/queryKeys';
+import { useIsABACAvailable } from '../hooks/useIsABACAvailable';
+
+const RoomsPage = () => {
+	const { t } = useTranslation();
+
+	const [text, setText] = useState('');
+	const [filterType, setFilterType] = useState<'all' | 'roomName' | 'attribute' | 'value'>('all');
+	const debouncedText = useDebouncedValue(text, 200);
+	const { current, itemsPerPage, setItemsPerPage, setCurrent, ...paginationProps } = usePagination();
+	const getRooms = useEndpoint('GET', '/v1/abac/rooms');
+	const isABACAvailable = useIsABACAvailable();
+
+	const router = useRouter();
+	const handleNewAttribute = useEffectEvent(() => {
+		router.navigate({
+			name: 'admin-ABAC',
+			params: {
+				tab: 'rooms',
+				context: 'new',
+			},
+		});
+	});
+
+	const query = useMemo(
+		() => ({
+			...(debouncedText ? { filter: debouncedText } : {}),
+			...(filterType !== 'all' ? { filterType } : {}),
+			offset: current,
+			count: itemsPerPage,
+		}),
+		[debouncedText, current, itemsPerPage, filterType],
+	);
+
+	// Whenever the user changes the filter or the text, reset the pagination to the first page
+	useEffect(() => {
+		setCurrent(0);
+	}, [debouncedText, filterType, setCurrent]);
+
+	const { data, isLoading } = useQuery({
+		queryKey: ABACQueryKeys.rooms.list(query),
+		queryFn: () => getRooms(query),
+	});
+
+	return (
+		<>
+			<Margins block={24}>
+				<Box display='flex'>
+					<TextInput
+						addon={<Icon name='magnifier' size='x20' />}
+						placeholder={t('ABAC_Search_rooms')}
+						value={text}
+						onChange={(e) => setText((e.target as HTMLInputElement).value)}
+					/>
+					<Box pis={8} maxWidth={200}>
+						<Select
+							options={[
+								['all', t('All'), true],
+								['roomName', t('Rooms'), false],
+								['attribute', t('Attributes'), false],
+								['value', t('Values'), false],
+							]}
+							value={filterType}
+							onChange={(value) => setFilterType(value as 'all' | 'roomName' | 'attribute' | 'value')}
+						/>
+					</Box>
+					<Button onClick={handleNewAttribute} primary mis={8} disabled={isABACAvailable !== true}>
+						{t('Add_room')}
+					</Button>
+				</Box>
+			</Margins>
+			{(!data || data.rooms?.length === 0) && !isLoading ? (
+				<Box display='flex' justifyContent='center' height='full'>
+					<GenericNoResults icon='list-alt' title={t('ABAC_No_rooms')} description={t('ABAC_No_rooms_description')} />
+				</Box>
+			) : (
+				<>
+					<GenericTable>
+						<GenericTableHeader>
+							<GenericTableHeaderCell>{t('Room')}</GenericTableHeaderCell>
+							<GenericTableHeaderCell>{t('Members')}</GenericTableHeaderCell>
+							<GenericTableHeaderCell>{t('ABAC_Attributes')}</GenericTableHeaderCell>
+							<GenericTableHeaderCell>{t('ABAC_Attribute_Values')}</GenericTableHeaderCell>
+							<GenericTableHeaderCell key='spacer' w={40} />
+						</GenericTableHeader>
+						<GenericTableBody>
+							{data?.rooms?.map((room) => (
+								<GenericTableRow key={room._id}>
+									<GenericTableCell>{room.fname || room.name}</GenericTableCell>
+									<GenericTableCell>{room.usersCount}</GenericTableCell>
+									<GenericTableCell withTruncatedText>
+										{room.abacAttributes?.flatMap((attribute) => attribute.key ?? []).join(', ')}
+									</GenericTableCell>
+									<GenericTableCell withTruncatedText>
+										{room.abacAttributes?.flatMap((attribute) => attribute.values ?? []).join(', ')}
+									</GenericTableCell>
+									<GenericTableCell>
+										<RoomMenu room={{ rid: room._id, name: room.fname || room.name || room._id }} />
+									</GenericTableCell>
+								</GenericTableRow>
+							))}
+						</GenericTableBody>
+					</GenericTable>
+					<Pagination
+						divider
+						current={current}
+						itemsPerPage={itemsPerPage}
+						count={data?.total || 0}
+						onSetItemsPerPage={setItemsPerPage}
+						onSetCurrent={setCurrent}
+						{...paginationProps}
+					/>
+				</>
+			)}
+		</>
+	);
+};
+
+export default RoomsPage;
diff --git a/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/__snapshots__/DeleteRoomModal.spec.tsx.snap b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/__snapshots__/DeleteRoomModal.spec.tsx.snap
new file mode 100644
index 00000000000..18954bf8497
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/__snapshots__/DeleteRoomModal.spec.tsx.snap
@@ -0,0 +1,98 @@
+// Jest Snapshot v1, https://jestjs.io/docs/snapshot-testing
+
+exports[`DeleteRoomModal should render without crashing 1`] = `
+<body>
+  <div>
+    <dialog
+      aria-labelledby=":r0:-title"
+      aria-modal="true"
+      class="rcx-box rcx-box--full rcx-modal"
+      open=""
+    >
+      <div
+        class="rcx-box rcx-box--full rcx-modal__inner rcx-css-1euli2f"
+      >
+        <header
+          class="rcx-box rcx-box--full rcx-modal__header"
+        >
+          <div
+            class="rcx-box rcx-box--full rcx-modal__header-inner"
+          >
+            <div
+              class="rcx-box rcx-box--full rcx-modal__header-text rcx-css-trljwa rcx-css-lma364"
+            >
+              <h2
+                class="rcx-box rcx-box--full rcx-modal__title"
+                id=":r0:-title"
+              >
+                Remove room from ABAC management
+              </h2>
+            </div>
+            <button
+              aria-label="Close"
+              class="rcx-box rcx-box--full rcx-button--small-square rcx-button--square rcx-button--icon rcx-button rcx-css-trljwa rcx-css-lma364"
+              type="button"
+            >
+              <i
+                aria-hidden="true"
+                class="rcx-box rcx-box--full rcx-icon--name-cross rcx-icon rcx-css-4pvxx3"
+              >
+                
+              </i>
+            </button>
+          </div>
+        </header>
+        <div
+          class="rcx-box rcx-box--full rcx-modal__content rcx-css-1vw7itl"
+        >
+          <div
+            class="rcx-box rcx-box--full rcx-modal__content-wrapper rcx-css-r1bpeb"
+          >
+            Removing 
+            <span
+              class="rcx-box rcx-box--full rcx-css-skyl9j"
+            >
+              Test Room
+            </span>
+             from ABAC management may result in unintended users gaining access.
+          </div>
+        </div>
+        <div
+          class="rcx-box rcx-box--full rcx-modal__footer rcx-css-rzpqmp"
+        >
+          <div
+            class="rcx-box rcx-box--full rcx-modal__footer-annotation"
+          >
+            Proceed with caution
+          </div>
+          <div
+            class="rcx-button-group rcx-button-group--align-end"
+            role="group"
+          >
+            <button
+              class="rcx-box rcx-box--full rcx-button--secondary rcx-button rcx-button-group__item"
+              type="button"
+            >
+              <span
+                class="rcx-button--content"
+              >
+                Cancel
+              </span>
+            </button>
+            <button
+              class="rcx-box rcx-box--full rcx-button--danger rcx-button rcx-button-group__item"
+              type="button"
+            >
+              <span
+                class="rcx-button--content"
+              >
+                Remove
+              </span>
+            </button>
+          </div>
+        </div>
+      </div>
+    </dialog>
+  </div>
+</body>
+`;
diff --git a/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/__snapshots__/RoomFormAttributeField.spec.tsx.snap b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/__snapshots__/RoomFormAttributeField.spec.tsx.snap
new file mode 100644
index 00000000000..999e90812d4
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/__snapshots__/RoomFormAttributeField.spec.tsx.snap
@@ -0,0 +1,95 @@
+// Jest Snapshot v1, https://jestjs.io/docs/snapshot-testing
+
+exports[`RoomFormAttributeField renders Default without crashing 1`] = `
+<body>
+  <div>
+    <div
+      class="rcx-box rcx-box--full rcx-field"
+    >
+      <div
+        class="rcx-box rcx-box--full rcx-css-1g16yxh"
+      >
+        <span
+          class="rcx-box rcx-box--full rcx-field__row"
+        >
+          <div
+            class="rcx-box rcx-box--full rcx-select rcx-css-1hx4au7"
+            name="attributes.0.key"
+          >
+            <div
+              class="rcx-box rcx-box--full rcx-select__wrapper--hidden rcx-select__wrapper rcx-css-bpb89k"
+            >
+              <span
+                class="rcx-box rcx-box--full rcx-select__item rcx-css-4wu0oz"
+              >
+                ABAC_Search_Attribute
+              </span>
+              <input
+                class="rcx-box rcx-box--full rcx-box--animated rcx-input-box--undecorated rcx-input-box rcx-select__focus rcx-css-1l0s473"
+                placeholder="ABAC_Search_Attribute"
+                value=""
+              />
+              <div
+                class="rcx-box rcx-box--full rcx-select__addon rcx-css-x7bl3q rcx-css-6bg1ps"
+              >
+                <i
+                  aria-hidden="true"
+                  class="rcx-box rcx-box--full rcx-icon--name-chevron-down rcx-icon rcx-css-4pvxx3"
+                >
+                  
+                </i>
+              </div>
+            </div>
+          </div>
+        </span>
+        <span
+          class="rcx-box rcx-box--full rcx-field__row"
+        >
+          <div
+            class="rcx-box rcx-box--full rcx-select rcx-css-1te28na"
+            name="attributes.0.values"
+          >
+            <div
+              class="rcx-box rcx-box--full rcx-css-1sr8su7"
+            >
+              <div
+                class="rcx-box rcx-box--full rcx-css-w398ts"
+                role="listbox"
+              >
+                <button
+                  aria-haspopup="listbox"
+                  class="rcx-box rcx-box--full rcx-input-box--undecorated rcx-select__focus rcx-css-trljwa rcx-css-3fq6z9"
+                  type="button"
+                >
+                  ABAC_Select_Attribute_Values
+                </button>
+              </div>
+            </div>
+            <div
+              class="rcx-box rcx-box--full rcx-select__addon rcx-css-x7bl3q rcx-css-1bprq55"
+            >
+              <i
+                aria-hidden="true"
+                class="rcx-box rcx-box--full rcx-icon--name-chevron-down rcx-icon rcx-css-4pvxx3"
+              >
+                
+              </i>
+            </div>
+          </div>
+        </span>
+        <button
+          class="rcx-box rcx-box--full rcx-button rcx-css-1qsx7et"
+          title="Remove"
+          type="button"
+        >
+          <span
+            class="rcx-button--content"
+          >
+            Remove
+          </span>
+        </button>
+      </div>
+    </div>
+  </div>
+</body>
+`;
diff --git a/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/__snapshots__/RoomFormAutocomplete.spec.tsx.snap b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/__snapshots__/RoomFormAutocomplete.spec.tsx.snap
new file mode 100644
index 00000000000..e50aec9686e
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACRoomsTab/__snapshots__/RoomFormAutocomplete.spec.tsx.snap
@@ -0,0 +1,31 @@
+// Jest Snapshot v1, https://jestjs.io/docs/snapshot-testing
+
+exports[`RoomFormAutocomplete renders Default without crashing 1`] = `
+<body>
+  <div>
+    <div
+      class="rcx-box rcx-box--full rcx-autocomplete rcx-css-t3n91h"
+    >
+      <div
+        class="rcx-box rcx-box--full rcx-css-6d871f"
+        role="group"
+      >
+        <input
+          class="rcx-box rcx-box--full rcx-box--animated rcx-input-box--undecorated rcx-input-box rcx-css-trljwa rcx-css-rcil7k"
+          value=""
+        />
+      </div>
+      <div
+        class="rcx-box rcx-box--full rcx-autocomplete__addon"
+      >
+        <i
+          aria-hidden="true"
+          class="rcx-box rcx-box--full rcx-icon--name-magnifier rcx-icon rcx-css-1wz6xj9"
+        >
+          
+        </i>
+      </div>
+    </div>
+  </div>
+</body>
+`;
diff --git a/apps/meteor/client/views/admin/ABAC/ABACSettingTab/AbacEnabledToggle.tsx b/apps/meteor/client/views/admin/ABAC/ABACSettingTab/AbacEnabledToggle.tsx
new file mode 100644
index 00000000000..264f0fc07d4
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACSettingTab/AbacEnabledToggle.tsx
@@ -0,0 +1,95 @@
+import type { SettingValue } from '@rocket.chat/core-typings';
+import { useSetModal, useSettingsDispatch } from '@rocket.chat/ui-contexts';
+import { useCallback, useEffect, useState } from 'react';
+import { useTranslation } from 'react-i18next';
+
+import WarningModal from './WarningModal';
+import type { EditableSetting } from '../../EditableSettingsContext';
+import { useEditableSetting } from '../../EditableSettingsContext';
+import MemoizedSetting from '../../settings/Setting/MemoizedSetting';
+import SettingSkeleton from '../../settings/Setting/SettingSkeleton';
+
+type ABACEnabledToggleProps = {
+	hasABAC: 'loading' | boolean;
+};
+
+const ABACEnabledToggle = ({ hasABAC }: ABACEnabledToggleProps) => {
+	const setting = useEditableSetting('ABAC_Enabled');
+	const setModal = useSetModal();
+	const dispatch = useSettingsDispatch();
+	const { t } = useTranslation();
+
+	const [value, setValue] = useState<boolean>(setting?.value === true);
+
+	useEffect(() => {
+		setValue(setting?.value === true);
+	}, [setting]);
+
+	const onChange = useCallback(
+		(value: boolean) => {
+			if (!setting) {
+				return;
+			}
+
+			const handleChange = (value: boolean, setting: EditableSetting) => {
+				setValue(value);
+				dispatch([{ _id: setting._id, value }]);
+			};
+
+			if (value === false) {
+				return setModal(
+					<WarningModal
+						onConfirm={() => {
+							handleChange(value, setting);
+							setModal();
+						}}
+						onCancel={() => setModal()}
+					/>,
+				);
+			}
+			handleChange(value, setting);
+		},
+		[dispatch, setModal, setting],
+	);
+
+	const onReset = useCallback(() => {
+		if (!setting) {
+			return;
+		}
+		const value = setting.packageValue as boolean;
+		setModal(
+			<WarningModal
+				onConfirm={() => {
+					setValue(value);
+					dispatch([{ _id: setting._id, value }]);
+					setModal();
+				}}
+				onCancel={() => setModal()}
+			/>,
+		);
+	}, [dispatch, setModal, setting]);
+
+	if (!setting) {
+		return null;
+	}
+
+	if (hasABAC === 'loading') {
+		return <SettingSkeleton />;
+	}
+
+	return (
+		<MemoizedSetting
+			type='boolean'
+			_id={setting._id}
+			label={t(setting.i18nLabel)}
+			value={value}
+			packageValue={setting.packageValue === true}
+			hint={t(setting.i18nDescription || '')}
+			disabled={!hasABAC || setting.blocked}
+			hasResetButton={hasABAC && setting.packageValue !== setting.value}
+			onChangeValue={(value: SettingValue) => onChange(value === true)}
+			onResetButtonClick={() => onReset()}
+		/>
+	);
+};
+export default ABACEnabledToggle;
diff --git a/apps/meteor/client/views/admin/ABAC/ABACSettingTab/SettingField.spec.tsx b/apps/meteor/client/views/admin/ABAC/ABACSettingTab/SettingField.spec.tsx
new file mode 100644
index 00000000000..77e52759a43
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACSettingTab/SettingField.spec.tsx
@@ -0,0 +1,58 @@
+import type { ISetting } from '@rocket.chat/core-typings';
+import { mockAppRoot } from '@rocket.chat/mock-providers';
+import { render, screen, waitFor } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+
+import SettingField from './SettingField';
+import EditableSettingsProvider from '../../settings/EditableSettingsProvider';
+
+const settingStructure = {
+	packageValue: false,
+	blocked: false,
+	public: true,
+	type: 'boolean',
+	i18nLabel: 'Test_Setting',
+	i18nDescription: 'Test_Setting_Description',
+	enableQuery: undefined,
+	displayQuery: undefined,
+} as Partial<ISetting>;
+
+const dispatchMock = jest.fn();
+
+jest.mock('@rocket.chat/ui-contexts', () => ({
+	...jest.requireActual('@rocket.chat/ui-contexts'),
+	useSettingsDispatch: () => dispatchMock,
+}));
+jest.mock('@rocket.chat/core-typings', () => ({
+	...jest.requireActual('@rocket.chat/core-typings'),
+	isSetting: jest.fn().mockReturnValue(true),
+}));
+
+describe('SettingField', () => {
+	beforeEach(() => {
+		jest.useFakeTimers();
+	});
+
+	afterEach(() => {
+		jest.runOnlyPendingTimers();
+		jest.useRealTimers();
+	});
+
+	it('should call dispatch when setting value is changed', async () => {
+		const user = userEvent.setup({ advanceTimers: jest.advanceTimersByTime });
+
+		render(<SettingField settingId='Test_Setting' />, {
+			wrapper: mockAppRoot()
+				.wrap((children) => <EditableSettingsProvider>{children}</EditableSettingsProvider>)
+				.withSetting('Test_Setting', false, settingStructure)
+				.build(),
+		});
+
+		const checkbox = screen.getByRole('checkbox');
+		await user.click(checkbox);
+
+		await waitFor(() => {
+			expect(dispatchMock).toHaveBeenCalled();
+		});
+	});
+});
diff --git a/apps/meteor/client/views/admin/ABAC/ABACSettingTab/SettingField.tsx b/apps/meteor/client/views/admin/ABAC/ABACSettingTab/SettingField.tsx
new file mode 100644
index 00000000000..6d743296c73
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACSettingTab/SettingField.tsx
@@ -0,0 +1,145 @@
+import type { ISettingColor, SettingEditor, SettingValue } from '@rocket.chat/core-typings';
+import { isSettingColor, isSetting } from '@rocket.chat/core-typings';
+import { useDebouncedCallback } from '@rocket.chat/fuselage-hooks';
+import { useSettingsDispatch, useSettingStructure } from '@rocket.chat/ui-contexts';
+import DOMPurify from 'dompurify';
+import type { ReactElement } from 'react';
+import { useEffect, useMemo, useState, useCallback } from 'react';
+import { useTranslation } from 'react-i18next';
+
+import MarkdownText from '../../../../components/MarkdownText';
+import { useEditableSetting, useEditableSettingVisibilityQuery } from '../../EditableSettingsContext';
+import MemoizedSetting from '../../settings/Setting/MemoizedSetting';
+import { useHasSettingModule } from '../../settings/hooks/useHasSettingModule';
+
+type SettingFieldProps = {
+	className?: string;
+	settingId: string;
+	sectionChanged?: boolean;
+};
+
+function SettingField({ className = undefined, settingId, sectionChanged }: SettingFieldProps): ReactElement {
+	const setting = useEditableSetting(settingId);
+	const persistedSetting = useSettingStructure(settingId);
+	const hasSettingModule = useHasSettingModule(setting);
+
+	if (!setting || !persistedSetting) {
+		throw new Error(`Setting ${settingId} not found`);
+	}
+
+	// Checks if setting has at least required fields before doing anything
+	if (!isSetting(setting)) {
+		throw new Error(`Setting ${settingId} is not valid`);
+	}
+
+	const dispatch = useSettingsDispatch();
+
+	const update = useDebouncedCallback(
+		({ value, editor }: { value?: SettingValue; editor?: SettingEditor }) => {
+			if (!persistedSetting) {
+				return;
+			}
+
+			dispatch([
+				{
+					_id: persistedSetting._id,
+					...(value !== undefined && { value }),
+					...(editor !== undefined && { editor }),
+				},
+			]);
+		},
+		230,
+		[persistedSetting, dispatch],
+	);
+
+	const { t, i18n } = useTranslation();
+
+	const [value, setValue] = useState(setting.value);
+	const [editor, setEditor] = useState(isSettingColor(setting) ? setting.editor : undefined);
+
+	useEffect(() => {
+		setValue(setting.value);
+	}, [setting.value]);
+
+	useEffect(() => {
+		setEditor(isSettingColor(setting) ? setting.editor : undefined);
+		// eslint-disable-next-line react-hooks/exhaustive-deps
+	}, [(setting as ISettingColor).editor]);
+
+	const onChangeValue = useCallback(
+		(value: SettingValue) => {
+			setValue(value);
+			update({ value });
+		},
+		[update],
+	);
+
+	const onChangeEditor = useCallback(
+		(editor: SettingEditor) => {
+			setEditor(editor);
+			update({ editor });
+		},
+		[update],
+	);
+
+	const onResetButtonClick = useCallback(() => {
+		setValue(setting.value);
+		setEditor(isSettingColor(setting) ? setting.editor : undefined);
+		update({
+			value: persistedSetting.packageValue,
+			...(isSettingColor(persistedSetting) && { editor: persistedSetting.packageEditor }),
+		});
+		// eslint-disable-next-line react-hooks/exhaustive-deps
+	}, [setting.value, (setting as ISettingColor).editor, update, persistedSetting]);
+
+	const { _id, readonly, type, packageValue, i18nLabel, i18nDescription, alert } = setting;
+
+	const disabled = !useEditableSettingVisibilityQuery(persistedSetting.enableQuery);
+	const invisible = !useEditableSettingVisibilityQuery(persistedSetting.displayQuery);
+
+	const labelText = (i18n.exists(i18nLabel) && t(i18nLabel)) || (i18n.exists(_id) && t(_id)) || i18nLabel || _id;
+
+	const hint = useMemo(
+		() => (i18nDescription && i18n.exists(i18nDescription) ? <MarkdownText variant='inline' content={t(i18nDescription)} /> : undefined),
+		[i18n, i18nDescription, t],
+	);
+
+	const callout = useMemo(
+		() =>
+			alert && <span dangerouslySetInnerHTML={{ __html: i18n.exists(alert) ? DOMPurify.sanitize(t(alert)) : DOMPurify.sanitize(alert) }} />,
+		[alert, i18n, t],
+	);
+
+	const shouldDisableEnterprise = setting.enterprise && !hasSettingModule;
+
+	const hasResetButton =
+		!shouldDisableEnterprise &&
+		!readonly &&
+		type !== 'asset' &&
+		((isSettingColor(setting) && JSON.stringify(setting.packageEditor) !== JSON.stringify(editor)) ||
+			JSON.stringify(value) !== JSON.stringify(packageValue)) &&
+		!disabled;
+
+	// @todo: type check props based on setting type
+
+	return (
+		<MemoizedSetting
+			className={className}
+			label={labelText}
+			hint={hint}
+			callout={callout}
+			sectionChanged={sectionChanged}
+			{...setting}
+			disabled={disabled || shouldDisableEnterprise}
+			value={value}
+			editor={editor}
+			hasResetButton={hasResetButton}
+			onChangeValue={onChangeValue}
+			onChangeEditor={onChangeEditor}
+			onResetButtonClick={onResetButtonClick}
+			invisible={invisible}
+		/>
+	);
+}
+
+export default SettingField;
diff --git a/apps/meteor/client/views/admin/ABAC/ABACSettingTab/SettingToggle.spec.tsx b/apps/meteor/client/views/admin/ABAC/ABACSettingTab/SettingToggle.spec.tsx
new file mode 100644
index 00000000000..df5c6d8fe63
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACSettingTab/SettingToggle.spec.tsx
@@ -0,0 +1,142 @@
+import type { ISetting } from '@rocket.chat/core-typings';
+import { mockAppRoot } from '@rocket.chat/mock-providers';
+import { render, screen, waitFor } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { axe } from 'jest-axe';
+
+import AbacEnabledToggle from './AbacEnabledToggle';
+import EditableSettingsProvider from '../../settings/EditableSettingsProvider';
+
+const settingStructure = {
+	packageValue: false,
+	blocked: false,
+	public: true,
+	type: 'boolean',
+	i18nLabel: 'ABAC_Enabled',
+	i18nDescription: 'ABAC_Enabled_Description',
+} as Partial<ISetting>;
+
+const baseAppRoot = mockAppRoot()
+	.wrap((children) => <EditableSettingsProvider>{children}</EditableSettingsProvider>)
+	.withTranslations('en', 'core', {
+		ABAC_Enabled: 'Enable ABAC',
+		ABAC_Enabled_Description: 'Enable Attribute-Based Access Control',
+		ABAC_Warning_Modal_Title: 'Disable ABAC',
+		ABAC_Warning_Modal_Confirm_Text: 'Disable',
+		Cancel: 'Cancel',
+	});
+
+describe('AbacEnabledToggle', () => {
+	it('should render the setting toggle when setting exists', () => {
+		const { baseElement } = render(<AbacEnabledToggle hasABAC={true} />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true, settingStructure).build(),
+		});
+		expect(baseElement).toMatchSnapshot();
+	});
+
+	it('should show warning modal when disabling ABAC', async () => {
+		const user = userEvent.setup();
+		render(<AbacEnabledToggle hasABAC={true} />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true, settingStructure).build(),
+		});
+
+		const toggle = screen.getByRole('checkbox');
+		await waitFor(() => {
+			expect(toggle).not.toBeDisabled();
+		});
+		await user.click(toggle);
+
+		await waitFor(() => {
+			expect(screen.getByText('Disable ABAC')).toBeInTheDocument();
+		});
+
+		// TODO: discover how to automatically unmount all modals after each test
+		const cancelButton = screen.getByRole('button', { name: /cancel/i });
+		await user.click(cancelButton);
+	});
+
+	it('should not show warning modal when enabling ABAC', async () => {
+		const user = userEvent.setup();
+		render(<AbacEnabledToggle hasABAC={true} />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', false, settingStructure).build(),
+		});
+
+		const toggle = screen.getByRole('checkbox');
+		await user.click(toggle);
+
+		// The modal should not appear when enabling ABAC
+		expect(screen.queryByText('Disable ABAC')).not.toBeInTheDocument();
+	});
+
+	it('should show warning modal when resetting setting', async () => {
+		const user = userEvent.setup();
+		render(<AbacEnabledToggle hasABAC={true} />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true, settingStructure).build(),
+		});
+
+		const resetButton = screen.getByRole('button', { name: /reset/i });
+		await user.click(resetButton);
+
+		await waitFor(() => {
+			expect(screen.getByText('Disable ABAC')).toBeInTheDocument();
+		});
+
+		// TODO: discover how to automatically unmount all modals after each test
+		const cancelButton = screen.getByRole('button', { name: /cancel/i });
+		await user.click(cancelButton);
+	});
+
+	it('should have no accessibility violations', async () => {
+		const { container } = render(<AbacEnabledToggle hasABAC={true} />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true, settingStructure).build(),
+		});
+		const results = await axe(container);
+		expect(results).toHaveNoViolations();
+	});
+
+	it('should handle setting change correctly', async () => {
+		const user = userEvent.setup();
+		render(<AbacEnabledToggle hasABAC={true} />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', false, settingStructure).build(),
+		});
+
+		const toggle = await screen.findByRole('checkbox', { busy: false });
+		expect(toggle).not.toBeChecked();
+
+		await user.click(toggle);
+		expect(toggle).toBeChecked();
+	});
+
+	it('should be disabled when abac license is not installed', () => {
+		const { baseElement } = render(<AbacEnabledToggle hasABAC={false} />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true, settingStructure).build(),
+		});
+
+		const toggle = screen.getByRole('checkbox');
+		expect(toggle).toBeDisabled();
+		expect(baseElement).toMatchSnapshot();
+	});
+
+	it('should show skeleton when loading', () => {
+		const { baseElement } = render(<AbacEnabledToggle hasABAC='loading' />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true, settingStructure).build(),
+		});
+		expect(baseElement).toMatchSnapshot();
+	});
+
+	it('should show reset button when value differs from package value', () => {
+		render(<AbacEnabledToggle hasABAC={true} />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', true, settingStructure).build(),
+		});
+
+		expect(screen.getByRole('button', { name: /reset/i })).toBeInTheDocument();
+	});
+
+	it('should not show reset button when value matches package value', () => {
+		render(<AbacEnabledToggle hasABAC={true} />, {
+			wrapper: baseAppRoot.withSetting('ABAC_Enabled', false, settingStructure).build(),
+		});
+
+		expect(screen.queryByRole('button', { name: /reset/i })).not.toBeInTheDocument();
+	});
+});
diff --git a/apps/meteor/client/views/admin/ABAC/ABACSettingTab/SettingToggle.stories.tsx b/apps/meteor/client/views/admin/ABAC/ABACSettingTab/SettingToggle.stories.tsx
new file mode 100644
index 00000000000..7fb4027aafd
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACSettingTab/SettingToggle.stories.tsx
@@ -0,0 +1,64 @@
+import { mockAppRoot } from '@rocket.chat/mock-providers';
+import type { Meta, StoryObj } from '@storybook/react';
+
+import AbacEnabledToggle from './AbacEnabledToggle';
+import EditableSettingsProvider from '../../settings/EditableSettingsProvider';
+
+const meta: Meta<typeof AbacEnabledToggle> = {
+	component: AbacEnabledToggle,
+	parameters: {
+		layout: 'padded',
+	},
+	decorators: [
+		(Story) => {
+			const AppRoot = mockAppRoot()
+				.wrap((children) => <EditableSettingsProvider>{children}</EditableSettingsProvider>)
+				.withTranslations('en', 'core', {
+					ABAC_Enabled: 'Enable ABAC',
+					ABAC_Enabled_Description: 'Enable Attribute-Based Access Control',
+					ABAC_Warning_Modal_Title: 'Disable ABAC',
+					ABAC_Warning_Modal_Confirm_Text: 'Disable',
+					Cancel: 'Cancel',
+				})
+				.withSetting('ABAC_Enabled', true, {
+					packageValue: false,
+					blocked: false,
+					public: true,
+					type: 'boolean',
+					i18nLabel: 'ABAC_Enabled',
+					i18nDescription: 'ABAC_Enabled_Description',
+				})
+				.build();
+
+			return (
+				<AppRoot>
+					<Story />
+				</AppRoot>
+			);
+		},
+	],
+	args: {
+		hasABAC: true,
+	},
+};
+
+export default meta;
+type Story = StoryObj<typeof AbacEnabledToggle>;
+
+export const Default: Story = {
+	args: {
+		hasABAC: true,
+	},
+};
+
+export const Loading: Story = {
+	args: {
+		hasABAC: 'loading',
+	},
+};
+
+export const False: Story = {
+	args: {
+		hasABAC: false,
+	},
+};
diff --git a/apps/meteor/client/views/admin/ABAC/ABACSettingTab/SettingsPage.tsx b/apps/meteor/client/views/admin/ABAC/ABACSettingTab/SettingsPage.tsx
new file mode 100644
index 00000000000..c6fb3108eb6
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACSettingTab/SettingsPage.tsx
@@ -0,0 +1,33 @@
+import { Box, Callout, Margins } from '@rocket.chat/fuselage';
+import { Trans } from 'react-i18next';
+
+import AbacEnabledToggle from './AbacEnabledToggle';
+import SettingField from './SettingField';
+import { useHasLicenseModule } from '../../../../hooks/useHasLicenseModule';
+import { links } from '../../../../lib/links';
+
+const SettingsPage = () => {
+	const { data: hasABAC = false } = useHasLicenseModule('abac');
+	return (
+		<Box maxWidth='x600' w='full' alignSelf='center'>
+			<Box>
+				<Margins block={24}>
+					<AbacEnabledToggle hasABAC={hasABAC} />
+					<SettingField settingId='ABAC_ShowAttributesInRooms' />
+					<SettingField settingId='Abac_Cache_Decision_Time_Seconds' />
+
+					<Callout>
+						<Trans i18nKey='ABAC_Enabled_callout'>
+							User attributes are synchronized via LDAP
+							<a href={links.go.abacLDAPDocs} rel='noopener noreferrer' target='_blank'>
+								Learn more
+							</a>
+						</Trans>
+					</Callout>
+				</Margins>
+			</Box>
+		</Box>
+	);
+};
+
+export default SettingsPage;
diff --git a/apps/meteor/client/views/admin/ABAC/ABACSettingTab/WarningModal.tsx b/apps/meteor/client/views/admin/ABAC/ABACSettingTab/WarningModal.tsx
new file mode 100644
index 00000000000..887c5fb4fb7
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACSettingTab/WarningModal.tsx
@@ -0,0 +1,48 @@
+import { Box } from '@rocket.chat/fuselage';
+import { GenericModal } from '@rocket.chat/ui-client';
+import { useRouter } from '@rocket.chat/ui-contexts';
+import { Trans, useTranslation } from 'react-i18next';
+
+type WarningModalProps = {
+	onConfirm: () => void;
+	onCancel: () => void;
+};
+
+const WarningModal = ({ onConfirm, onCancel }: WarningModalProps) => {
+	const { t } = useTranslation();
+	const router = useRouter();
+	const handleNavigate = () => {
+		onCancel();
+		router.navigate({
+			name: 'admin-ABAC',
+			params: {
+				tab: 'rooms',
+			},
+		});
+	};
+
+	return (
+		<GenericModal
+			title={t('ABAC_Warning_Modal_Title')}
+			variant='secondary-danger'
+			confirmText={t('ABAC_Warning_Modal_Confirm_Text')}
+			cancelText={t('Cancel')}
+			onConfirm={onConfirm}
+			onCancel={onCancel}
+			onClose={onCancel}
+			onDismiss={onCancel}
+		>
+			<Trans i18nKey='ABAC_Warning_Modal_Content'>
+				You will not be able to automatically or manually manage users in existing ABAC-managed rooms. To restore a room's default access
+				control, it must be removed from ABAC management in
+				<Box is='a' onClick={handleNavigate}>
+					{' '}
+					ABAC {'>'} Rooms
+				</Box>
+				.
+			</Trans>
+		</GenericModal>
+	);
+};
+
+export default WarningModal;
diff --git a/apps/meteor/client/views/admin/ABAC/ABACSettingTab/__snapshots__/SettingToggle.spec.tsx.snap b/apps/meteor/client/views/admin/ABAC/ABACSettingTab/__snapshots__/SettingToggle.spec.tsx.snap
new file mode 100644
index 00000000000..7c48a94fb68
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/ABACSettingTab/__snapshots__/SettingToggle.spec.tsx.snap
@@ -0,0 +1,152 @@
+// Jest Snapshot v1, https://jestjs.io/docs/snapshot-testing
+
+exports[`AbacEnabledToggle should be disabled when abac license is not installed 1`] = `
+<body>
+  <div>
+    <div
+      class="rcx-box rcx-box--full rcx-field rcx-css-1gfu76s"
+    >
+      <div
+        class="rcx-box rcx-box--full rcx-css-1u2ihfm"
+      >
+        <div
+          class="rcx-box rcx-box--full rcx-field"
+        >
+          <span
+            class="rcx-box rcx-box--full rcx-field__row rcx-css-ctk2ij"
+          >
+            <label
+              class="rcx-box rcx-box--full rcx-field__label rcx-label"
+              for="ABAC_Enabled"
+              title="ABAC_Enabled"
+            >
+              Enable ABAC
+            </label>
+            <div
+              class="rcx-box rcx-box--full rcx-css-127j9mz"
+            >
+              <label
+                class="rcx-box rcx-box--full rcx-toggle-switch"
+              >
+                <input
+                  checked=""
+                  class="rcx-box rcx-box--full rcx-toggle-switch__input"
+                  data-qa-setting-id="ABAC_Enabled"
+                  disabled=""
+                  id="ABAC_Enabled"
+                  type="checkbox"
+                />
+                <i
+                  aria-hidden="true"
+                  class="rcx-box rcx-box--full rcx-toggle-switch__fake"
+                />
+              </label>
+            </div>
+          </span>
+          <span
+            class="rcx-box rcx-box--full rcx-field__hint"
+          >
+            Enable Attribute-Based Access Control
+          </span>
+        </div>
+      </div>
+    </div>
+  </div>
+</body>
+`;
+
+exports[`AbacEnabledToggle should render the setting toggle when setting exists 1`] = `
+<body>
+  <div>
+    <div
+      class="rcx-box rcx-box--full rcx-field rcx-css-1gfu76s"
+    >
+      <div
+        class="rcx-box rcx-box--full rcx-css-1u2ihfm"
+      >
+        <div
+          class="rcx-box rcx-box--full rcx-field"
+        >
+          <span
+            class="rcx-box rcx-box--full rcx-field__row rcx-css-ctk2ij"
+          >
+            <label
+              class="rcx-box rcx-box--full rcx-field__label rcx-label"
+              for="ABAC_Enabled"
+              title="ABAC_Enabled"
+            >
+              Enable ABAC
+            </label>
+            <div
+              class="rcx-box rcx-box--full rcx-css-127j9mz"
+            >
+              <button
+                class="rcx-box rcx-box--full rcx-button--small-square rcx-button--icon-danger rcx-button--square rcx-button--icon rcx-button rcx-css-1rtu0k9"
+                data-qa-reset-setting-id="ABAC_Enabled"
+                title="Reset"
+                type="button"
+              >
+                <i
+                  aria-hidden="true"
+                  class="rcx-box rcx-box--full rcx-icon--name-undo rcx-icon rcx-css-4pvxx3"
+                >
+                  ❰
+                </i>
+              </button>
+              <label
+                class="rcx-box rcx-box--full rcx-toggle-switch"
+              >
+                <input
+                  checked=""
+                  class="rcx-box rcx-box--full rcx-toggle-switch__input"
+                  data-qa-setting-id="ABAC_Enabled"
+                  id="ABAC_Enabled"
+                  type="checkbox"
+                />
+                <i
+                  aria-hidden="true"
+                  class="rcx-box rcx-box--full rcx-toggle-switch__fake"
+                />
+              </label>
+            </div>
+          </span>
+          <span
+            class="rcx-box rcx-box--full rcx-field__hint"
+          >
+            Enable Attribute-Based Access Control
+          </span>
+        </div>
+      </div>
+    </div>
+  </div>
+</body>
+`;
+
+exports[`AbacEnabledToggle should show skeleton when loading 1`] = `
+<body>
+  <div>
+    <div
+      class="rcx-box rcx-box--full rcx-field"
+    >
+      <label
+        class="rcx-box rcx-box--full rcx-field__label rcx-label rcx-css-1exa5vl"
+      >
+        <span
+          class="rcx-skeleton rcx-skeleton--text rcx-css-1v1eapn"
+        />
+      </label>
+      <span
+        class="rcx-box rcx-box--full rcx-field__row"
+      >
+        <div
+          class="rcx-box rcx-box--full rcx-skeleton__input"
+        >
+          <span
+            class="rcx-skeleton rcx-skeleton--text rcx-css-1qcz93u"
+          />
+        </div>
+      </span>
+    </div>
+  </div>
+</body>
+`;
diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx
new file mode 100644
index 00000000000..ae7b2062887
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACPage.tsx
@@ -0,0 +1,103 @@
+import { Box, Button, Callout } from '@rocket.chat/fuselage';
+import { useEffectEvent } from '@rocket.chat/fuselage-hooks';
+import { ContextualbarDialog, Page, PageContent, PageHeader } from '@rocket.chat/ui-client';
+import { useRouteParameter, useRouter } from '@rocket.chat/ui-contexts';
+import { Trans, useTranslation } from 'react-i18next';
+
+import AttributesContextualBar from './ABACAttributesTab/AttributesContextualBar';
+import AttributesContextualBarWithData from './ABACAttributesTab/AttributesContextualBarWithData';
+import AttributesPage from './ABACAttributesTab/AttributesPage';
+import LogsPage from './ABACLogsTab/LogsPage';
+import RoomsContextualBar from './ABACRoomsTab/RoomsContextualBar';
+import RoomsContextualBarWithData from './ABACRoomsTab/RoomsContextualBarWithData';
+import RoomsPage from './ABACRoomsTab/RoomsPage';
+import SettingsPage from './ABACSettingTab/SettingsPage';
+import AdminABACTabs from './AdminABACTabs';
+import { useIsABACAvailable } from './hooks/useIsABACAvailable';
+import { useExternalLink } from '../../../hooks/useExternalLink';
+import { links } from '../../../lib/links';
+
+type AdminABACPageProps = {
+	shouldShowWarning: boolean;
+};
+
+const AdminABACPage = ({ shouldShowWarning }: AdminABACPageProps) => {
+	const { t } = useTranslation();
+	const router = useRouter();
+	const tab = useRouteParameter('tab');
+	const _id = useRouteParameter('id');
+	const context = useRouteParameter('context');
+	const learnMore = useExternalLink();
+	const isABACAvailable = useIsABACAvailable();
+
+	const handleCloseContextualbar = useEffectEvent((): void => {
+		if (!context) {
+			return;
+		}
+
+		router.navigate(
+			{
+				name: 'admin-ABAC',
+				params: { ...router.getRouteParameters(), context: '', id: '' },
+			},
+			{ replace: true },
+		);
+	});
+
+	return (
+		<Page flexDirection='row'>
+			<Page>
+				<PageHeader title={t('ABAC')}>
+					<Button icon='new-window' secondary onClick={() => learnMore(links.go.abacDocs)}>
+						{t('ABAC_Learn_More')}
+					</Button>
+				</PageHeader>
+				{shouldShowWarning && (
+					<Box mi={24} mb={16}>
+						<Callout type='warning' title={t('ABAC_automatically_disabled_callout')}>
+							<Trans
+								i18nKey='ABAC_automatically_disabled_callout_description'
+								components={{
+									1: (
+										<a href={links.go.abacDocs} rel='noopener noreferrer' target='_blank'>
+											ABAC capabilities without restriction.
+										</a>
+									),
+								}}
+							/>
+						</Callout>
+					</Box>
+				)}
+				<AdminABACTabs />
+				<PageContent>
+					{tab === 'settings' && <SettingsPage />}
+					{tab === 'room-attributes' && <AttributesPage />}
+					{tab === 'rooms' && <RoomsPage />}
+					{tab === 'logs' && <LogsPage />}
+				</PageContent>
+			</Page>
+			{tab !== undefined && context !== undefined && (
+				<ContextualbarDialog onClose={() => handleCloseContextualbar()}>
+					{tab === 'room-attributes' && (
+						<>
+							{context === 'new' && isABACAvailable === true && <AttributesContextualBar onClose={() => handleCloseContextualbar()} />}
+							{context === 'edit' && _id && isABACAvailable === true && (
+								<AttributesContextualBarWithData id={_id} onClose={() => handleCloseContextualbar()} />
+							)}
+						</>
+					)}
+					{tab === 'rooms' && (
+						<>
+							{context === 'new' && isABACAvailable === true && <RoomsContextualBar onClose={() => handleCloseContextualbar()} />}
+							{context === 'edit' && _id && isABACAvailable === true && (
+								<RoomsContextualBarWithData id={_id} onClose={() => handleCloseContextualbar()} />
+							)}
+						</>
+					)}
+				</ContextualbarDialog>
+			)}
+		</Page>
+	);
+};
+
+export default AdminABACPage;
diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACRoomAttributesForm.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACRoomAttributesForm.tsx
deleted file mode 100644
index 58fea8aca40..00000000000
--- a/apps/meteor/client/views/admin/ABAC/AdminABACRoomAttributesForm.tsx
+++ /dev/null
@@ -1,135 +0,0 @@
-import {
-	Box,
-	Button,
-	ButtonGroup,
-	ContextualbarFooter,
-	Field,
-	FieldError,
-	FieldLabel,
-	FieldRow,
-	IconButton,
-	TextInput,
-} from '@rocket.chat/fuselage';
-import { ContextualbarScrollableContent } from '@rocket.chat/ui-client';
-import { useCallback, useId, useMemo } from 'react';
-import { useFieldArray, useFormContext } from 'react-hook-form';
-import { useTranslation } from 'react-i18next';
-
-export type AdminABACRoomAttributesFormFormData = {
-	name: string;
-	attributeValues: { value: string }[];
-	lockedAttributes: { value: string }[];
-};
-
-type AdminABACRoomAttributesFormProps = {
-	onSave: (data: unknown) => void;
-	onCancel: () => void;
-	description: string;
-};
-
-const AdminABACRoomAttributesForm = ({ onSave, onCancel, description }: AdminABACRoomAttributesFormProps) => {
-	const {
-		handleSubmit,
-		register,
-		formState: { errors },
-		watch,
-	} = useFormContext<AdminABACRoomAttributesFormFormData>();
-
-	const { fields: lockedAttributesFields, remove: removeLockedAttribute } = useFieldArray({
-		name: 'lockedAttributes',
-	});
-
-	const { fields, append, remove } = useFieldArray({
-		name: 'attributeValues',
-		rules: {
-			minLength: 1,
-		},
-	});
-	const { t } = useTranslation();
-
-	const formId = useId();
-	const nameField = useId();
-	const valuesField = useId();
-	const attributeValues = watch('attributeValues');
-
-	const getAttributeValuesError = useCallback(() => {
-		if (errors.attributeValues?.length && errors.attributeValues?.length > 0) {
-			return t('Required_field', { field: t('Values') });
-		}
-		return '';
-	}, [errors.attributeValues, t]);
-
-	const hasValuesErrors = useMemo(() => {
-		const attributeValuesErrors = Array.isArray(errors?.attributeValues) && errors.attributeValues.some((error) => !!error?.value?.message);
-		const lockedAttributesErrors =
-			Array.isArray(errors?.lockedAttributes) && errors.lockedAttributes.some((error) => !!error?.value?.message);
-		return attributeValuesErrors || lockedAttributesErrors;
-	}, [errors.attributeValues, errors.lockedAttributes]);
-
-	return (
-		<Box is='form' onSubmit={handleSubmit(onSave)} id={formId}>
-			<ContextualbarScrollableContent>
-				<Box>{description}</Box>
-				<Field mb={16}>
-					<FieldLabel htmlFor={nameField} required>
-						{t('Name')}
-					</FieldLabel>
-					<FieldRow>
-						<TextInput
-							error={errors.name?.message}
-							id={nameField}
-							{...register('name', { required: t('Required_field', { field: t('Name') }) })}
-						/>
-					</FieldRow>
-					<FieldError>{errors.name?.message || ''}</FieldError>
-				</Field>
-				<Field mb={16}>
-					<FieldLabel required id={valuesField}>
-						{t('Values')}
-					</FieldLabel>
-					{lockedAttributesFields.map((field, index) => (
-						<FieldRow key={field.id}>
-							<TextInput
-								disabled
-								aria-labelledby={valuesField}
-								error={errors.lockedAttributes?.[index]?.value?.message || ''}
-								{...register(`lockedAttributes.${index}.value`, { required: t('Required_field', { field: t('Values') }) })}
-							/>
-							{index !== 0 && <IconButton aria-label={t('Remove')} icon='trash' onClick={() => removeLockedAttribute(index)} />}
-						</FieldRow>
-					))}
-					{fields.map((field, index) => (
-						<FieldRow key={field.id}>
-							<TextInput
-								aria-labelledby={valuesField}
-								error={errors.attributeValues?.[index]?.value?.message || ''}
-								{...register(`attributeValues.${index}.value`, { required: t('Required_field', { field: t('Values') }) })}
-							/>
-							{(index !== 0 || lockedAttributesFields.length > 0) && (
-								<IconButton aria-label={t('Remove')} icon='trash' onClick={() => remove(index)} />
-							)}
-						</FieldRow>
-					))}
-					<FieldError>{getAttributeValuesError()}</FieldError>
-					<Button
-						onClick={() => append({ value: '' })}
-						// Checking for values since rhf does consider the newly added field as dirty after an append() call
-						disabled={!!getAttributeValuesError() || attributeValues?.some((value: { value: string }) => value?.value === '')}
-					>
-						{t('Add Value')}
-					</Button>
-				</Field>
-			</ContextualbarScrollableContent>
-			<ContextualbarFooter>
-				<ButtonGroup stretch>
-					<Button onClick={() => onCancel()}>{t('Cancel')}</Button>
-					<Button type='submit' disabled={hasValuesErrors || !!errors.name} primary>
-						{t('Save')}
-					</Button>
-				</ButtonGroup>
-			</ContextualbarFooter>
-		</Box>
-	);
-};
-
-export default AdminABACRoomAttributesForm;
diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx
new file mode 100644
index 00000000000..05538b79448
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACRoute.tsx
@@ -0,0 +1,64 @@
+import { usePermission, useSetModal, useCurrentModal, useRouter, useRouteParameter, useSettingStructure } from '@rocket.chat/ui-contexts';
+import type { ReactElement } from 'react';
+import { memo, useEffect, useLayoutEffect } from 'react';
+import { useTranslation } from 'react-i18next';
+
+import AdminABACPage from './AdminABACPage';
+import ABACUpsellModal from '../../../components/ABAC/ABACUpsellModal/ABACUpsellModal';
+import { useUpsellActions } from '../../../components/GenericUpsellModal/hooks';
+import PageSkeleton from '../../../components/PageSkeleton';
+import { useHasLicenseModule } from '../../../hooks/useHasLicenseModule';
+import SettingsProvider from '../../../providers/SettingsProvider';
+import NotAuthorizedPage from '../../notAuthorized/NotAuthorizedPage';
+import EditableSettingsProvider from '../settings/EditableSettingsProvider';
+
+const AdminABACRoute = (): ReactElement => {
+	const { t } = useTranslation();
+	// TODO: Check what permission is needed to view the ABAC page
+	const canViewABACPage = usePermission('abac-management');
+	const { data: hasABAC = false } = useHasLicenseModule('abac');
+	const isModalOpen = !!useCurrentModal();
+	const tab = useRouteParameter('tab');
+	const router = useRouter();
+
+	// Check if setting exists in the DB to decide if we show warning or upsell
+	const ABACEnabledSetting = useSettingStructure('ABAC_Enabled');
+
+	useLayoutEffect(() => {
+		if (!tab) {
+			router.navigate({
+				name: 'admin-ABAC',
+				params: { tab: 'settings' },
+			});
+		}
+	}, [tab, router]);
+
+	const { shouldShowUpsell, handleManageSubscription } = useUpsellActions(hasABAC);
+
+	const setModal = useSetModal();
+
+	useEffect(() => {
+		// WS has never activated ABAC
+		if (shouldShowUpsell && ABACEnabledSetting === undefined) {
+			setModal(<ABACUpsellModal onClose={() => setModal(null)} onConfirm={handleManageSubscription} />);
+		}
+	}, [shouldShowUpsell, setModal, t, handleManageSubscription, ABACEnabledSetting]);
+
+	if (isModalOpen) {
+		return <PageSkeleton />;
+	}
+
+	if (!canViewABACPage || (ABACEnabledSetting === undefined && !hasABAC)) {
+		return <NotAuthorizedPage />;
+	}
+
+	return (
+		<SettingsProvider>
+			<EditableSettingsProvider>
+				<AdminABACPage shouldShowWarning={ABACEnabledSetting !== undefined && !hasABAC} />
+			</EditableSettingsProvider>
+		</SettingsProvider>
+	);
+};
+
+export default memo(AdminABACRoute);
diff --git a/apps/meteor/client/views/admin/ABAC/AdminABACTabs.tsx b/apps/meteor/client/views/admin/ABAC/AdminABACTabs.tsx
new file mode 100644
index 00000000000..11b315242ac
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/AdminABACTabs.tsx
@@ -0,0 +1,33 @@
+import { Tabs, TabsItem } from '@rocket.chat/fuselage';
+import { useRouteParameter, useRouter } from '@rocket.chat/ui-contexts';
+import { useTranslation } from 'react-i18next';
+
+const AdminABACTabs = () => {
+	const { t } = useTranslation();
+	const router = useRouter();
+	const tab = useRouteParameter('tab');
+	const handleTabClick = (tab: string) => {
+		router.navigate({
+			name: 'admin-ABAC',
+			params: { tab },
+		});
+	};
+	return (
+		<Tabs>
+			<TabsItem selected={tab === 'settings'} onClick={() => handleTabClick('settings')}>
+				{t('Settings')}
+			</TabsItem>
+			<TabsItem selected={tab === 'room-attributes'} onClick={() => handleTabClick('room-attributes')}>
+				{t('ABAC_Room_Attributes')}
+			</TabsItem>
+			<TabsItem selected={tab === 'rooms'} onClick={() => handleTabClick('rooms')}>
+				{t('Rooms')}
+			</TabsItem>
+			<TabsItem selected={tab === 'logs'} onClick={() => handleTabClick('logs')}>
+				{t('ABAC_Logs')}
+			</TabsItem>
+		</Tabs>
+	);
+};
+
+export default AdminABACTabs;
diff --git a/apps/meteor/client/views/admin/ABAC/hooks/useAttributeList.ts b/apps/meteor/client/views/admin/ABAC/hooks/useAttributeList.ts
new file mode 100644
index 00000000000..d17fac26ea5
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/hooks/useAttributeList.ts
@@ -0,0 +1,39 @@
+import { useEndpoint } from '@rocket.chat/ui-contexts';
+import { useQuery } from '@tanstack/react-query';
+
+import { useIsABACAvailable } from './useIsABACAvailable';
+import { ABACQueryKeys } from '../../../../lib/queryKeys';
+
+const COUNT = 150;
+
+export const useAttributeList = () => {
+	const attributesAutoCompleteEndpoint = useEndpoint('GET', '/v1/abac/attributes');
+	const isABACAvailable = useIsABACAvailable();
+
+	return useQuery({
+		enabled: isABACAvailable,
+		queryKey: ABACQueryKeys.roomAttributes.list(),
+		queryFn: async () => {
+			const firstPage = await attributesAutoCompleteEndpoint({ offset: 0, count: COUNT });
+			const { attributes: firstPageAttributes, total } = firstPage;
+
+			let currentPage = COUNT;
+			const pages = [];
+
+			while (currentPage < total) {
+				pages.push(attributesAutoCompleteEndpoint({ offset: currentPage, count: COUNT }));
+				currentPage += COUNT;
+			}
+			const remainingPages = await Promise.all(pages);
+
+			return {
+				attributes: [...firstPageAttributes, ...remainingPages.flatMap((page) => page.attributes)].map((attribute) => ({
+					_id: attribute._id,
+					label: attribute.key,
+					value: attribute.key,
+					attributeValues: attribute.values,
+				})),
+			};
+		},
+	});
+};
diff --git a/apps/meteor/client/views/admin/ABAC/hooks/useAttributeOptions.spec.tsx b/apps/meteor/client/views/admin/ABAC/hooks/useAttributeOptions.spec.tsx
new file mode 100644
index 00000000000..acaddac0e2d
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/hooks/useAttributeOptions.spec.tsx
@@ -0,0 +1,267 @@
+import { mockAppRoot } from '@rocket.chat/mock-providers';
+import { renderHook, waitFor } from '@testing-library/react';
+
+import { useAttributeOptions } from './useAttributeOptions';
+import { createFakeLicenseInfo } from '../../../../../tests/mocks/data';
+
+const mockNavigate = jest.fn();
+const mockSetModal = jest.fn();
+const mockDispatchToastMessage = jest.fn();
+const useIsABACAvailableMock = jest.fn(() => true);
+
+jest.mock('./useIsABACAvailable', () => ({
+	useIsABACAvailable: () => useIsABACAvailableMock(),
+}));
+
+jest.mock('@rocket.chat/ui-contexts', () => ({
+	...jest.requireActual('@rocket.chat/ui-contexts'),
+	useRouter: () => ({
+		navigate: mockNavigate,
+	}),
+	useSetModal: () => mockSetModal,
+	useToastMessageDispatch: () => mockDispatchToastMessage,
+}));
+
+const mockAttribute = {
+	_id: 'attribute-1',
+	key: 'Room Type',
+};
+
+const baseAppRoot = mockAppRoot()
+	.withTranslations('en', 'core', {
+		Edit: 'Edit',
+		Delete: 'Delete',
+		ABAC_Attribute_deleted: 'Attribute {{attributeName}} deleted',
+		ABAC_Cannot_delete_attribute: 'Cannot delete attribute',
+		ABAC_Cannot_delete_attribute_content:
+			'The attribute <bold>{{attributeName}}</bold> is currently in use and cannot be deleted. Please remove it from all rooms before deleting.',
+		ABAC_Delete_room_attribute: 'Delete room attribute',
+		ABAC_Delete_room_attribute_content:
+			'Are you sure you want to delete the attribute <bold>{{attributeName}}</bold>? This action cannot be undone.',
+		View_rooms: 'View rooms',
+		Cancel: 'Cancel',
+	})
+	.withSetting('ABAC_Enabled', true, {
+		packageValue: false,
+		blocked: false,
+		public: true,
+		type: 'boolean',
+		i18nLabel: 'ABAC_Enabled',
+		i18nDescription: 'ABAC_Enabled_Description',
+	})
+	.withEndpoint('GET', '/v1/licenses.info', async () => ({
+		license: createFakeLicenseInfo({ activeModules: ['abac'] }),
+	}));
+
+describe('useAttributeOptions', () => {
+	beforeEach(() => {
+		jest.clearAllMocks();
+		mockNavigate.mockClear();
+		mockSetModal.mockClear();
+		mockDispatchToastMessage.mockClear();
+	});
+
+	it('should return menu items with correct structure', () => {
+		const { result } = renderHook(() => useAttributeOptions(mockAttribute), {
+			wrapper: baseAppRoot
+				.withEndpoint('DELETE', '/v1/abac/attributes/:_id', async () => null)
+				.withEndpoint('GET', '/v1/abac/attributes/:key/is-in-use', async () => ({ inUse: false }))
+				.build(),
+		});
+
+		expect(result.current).toHaveLength(2);
+		expect(result.current[0]).toMatchObject({
+			id: 'edit',
+			icon: 'edit',
+			content: 'Edit',
+		});
+		expect(result.current[1]).toMatchObject({
+			id: 'delete',
+			icon: 'trash',
+			iconColor: 'danger',
+		});
+	});
+
+	it('should enable edit when ABAC is available', async () => {
+		const { result } = renderHook(() => useAttributeOptions(mockAttribute), {
+			wrapper: baseAppRoot
+				.withEndpoint('DELETE', '/v1/abac/attributes/:_id', async () => null)
+				.withEndpoint('GET', '/v1/abac/attributes/:key/is-in-use', async () => ({ inUse: false }))
+				.build(),
+		});
+
+		await waitFor(() => {
+			expect(result.current[0].disabled).toBe(false);
+		});
+	});
+
+	it('should navigate to edit page when edit action is clicked', async () => {
+		const { result } = renderHook(() => useAttributeOptions(mockAttribute), {
+			wrapper: baseAppRoot
+				.withEndpoint('DELETE', '/v1/abac/attributes/:_id', async () => null)
+				.withEndpoint('GET', '/v1/abac/attributes/:key/is-in-use', async () => ({ inUse: false }))
+				.build(),
+		});
+
+		const editAction = result.current[0].onClick;
+		if (editAction) {
+			editAction();
+		}
+
+		expect(mockNavigate).toHaveBeenCalledWith(
+			{
+				name: 'admin-ABAC',
+				params: {
+					tab: 'room-attributes',
+					context: 'edit',
+					id: mockAttribute._id,
+				},
+			},
+			{ replace: true },
+		);
+	});
+
+	it('should disable edit when ABAC is not available', () => {
+		useIsABACAvailableMock.mockReturnValue(false);
+		const { result } = renderHook(() => useAttributeOptions(mockAttribute), {
+			wrapper: baseAppRoot
+				.withSetting('ABAC_Enabled', false, {
+					packageValue: false,
+					blocked: false,
+					public: true,
+					type: 'boolean',
+					i18nLabel: 'ABAC_Enabled',
+					i18nDescription: 'ABAC_Enabled_Description',
+				})
+				.withEndpoint('GET', '/v1/licenses.info', async () => ({
+					license: createFakeLicenseInfo({ activeModules: [] }),
+				}))
+				.withEndpoint('DELETE', '/v1/abac/attributes/:_id', async () => null)
+				.withEndpoint('GET', '/v1/abac/attributes/:key/is-in-use', async () => ({ inUse: false }))
+				.build(),
+		});
+
+		expect(result.current[0].disabled).toBe(true);
+	});
+
+	it('should show warning modal when delete is clicked and attribute is in use', async () => {
+		const { result } = renderHook(() => useAttributeOptions(mockAttribute), {
+			wrapper: baseAppRoot
+				.withEndpoint('DELETE', '/v1/abac/attributes/:_id', async () => null)
+				.withEndpoint('GET', '/v1/abac/attributes/:key/is-in-use', async () => ({ inUse: true }))
+				.build(),
+		});
+
+		const deleteAction = result.current[1].onClick;
+		if (deleteAction) {
+			deleteAction();
+		}
+
+		await waitFor(() => {
+			expect(mockSetModal).toHaveBeenCalled();
+		});
+
+		const modalCall = mockSetModal.mock.calls[0][0];
+		expect(modalCall.props.variant).toBe('warning');
+		expect(modalCall.props.title).toBe('Cannot delete attribute');
+	});
+
+	it('should show delete confirmation modal when delete is clicked and attribute is not in use', async () => {
+		const deleteEndpointMock = jest.fn().mockResolvedValue(null);
+		const { result } = renderHook(() => useAttributeOptions(mockAttribute), {
+			wrapper: baseAppRoot
+				.withEndpoint('DELETE', '/v1/abac/attributes/:_id', deleteEndpointMock)
+				.withEndpoint('GET', '/v1/abac/attributes/:key/is-in-use', async () => ({ inUse: false }))
+				.build(),
+		});
+
+		const deleteAction = result.current[1].onClick;
+		if (deleteAction) {
+			deleteAction();
+		}
+
+		await waitFor(() => {
+			expect(mockSetModal).toHaveBeenCalled();
+		});
+
+		const modalCall = mockSetModal.mock.calls[0][0];
+		expect(modalCall.props.variant).toBe('danger');
+		expect(modalCall.props.title).toBe('Delete room attribute');
+		expect(modalCall.props.confirmText).toBe('Delete');
+	});
+
+	it('should call delete endpoint when delete is confirmed', async () => {
+		const deleteEndpointMock = jest.fn().mockResolvedValue(null);
+
+		let confirmHandler: (() => void) | undefined;
+
+		mockSetModal.mockImplementation((modal) => {
+			if (modal?.props?.onConfirm) {
+				confirmHandler = modal.props.onConfirm;
+			}
+		});
+
+		const { result } = renderHook(() => useAttributeOptions(mockAttribute), {
+			wrapper: baseAppRoot
+				.withEndpoint('DELETE', '/v1/abac/attributes/:_id', deleteEndpointMock)
+				.withEndpoint('GET', '/v1/abac/attributes/:key/is-in-use', async () => ({ inUse: false }))
+				.build(),
+		});
+
+		const deleteAction = result.current[1].onClick;
+		if (deleteAction) {
+			deleteAction();
+		}
+
+		await waitFor(() => {
+			expect(mockSetModal).toHaveBeenCalled();
+		});
+
+		if (confirmHandler) {
+			confirmHandler();
+		}
+
+		await waitFor(() => {
+			expect(deleteEndpointMock).toHaveBeenCalled();
+		});
+	});
+
+	it('should show success toast when delete succeeds', async () => {
+		const deleteEndpointMock = jest.fn().mockResolvedValue(null);
+
+		let confirmHandler: (() => void) | undefined;
+
+		mockSetModal.mockImplementation((modal) => {
+			if (modal?.props?.onConfirm) {
+				confirmHandler = modal.props.onConfirm;
+			}
+		});
+
+		const { result } = renderHook(() => useAttributeOptions(mockAttribute), {
+			wrapper: baseAppRoot
+				.withEndpoint('DELETE', '/v1/abac/attributes/:_id', deleteEndpointMock)
+				.withEndpoint('GET', '/v1/abac/attributes/:key/is-in-use', async () => ({ inUse: false }))
+				.build(),
+		});
+
+		const deleteAction = result.current[1].onClick;
+		if (deleteAction) {
+			deleteAction();
+		}
+
+		await waitFor(() => {
+			expect(mockSetModal).toHaveBeenCalled();
+		});
+
+		if (confirmHandler) {
+			confirmHandler();
+		}
+
+		await waitFor(() => {
+			expect(mockDispatchToastMessage).toHaveBeenCalledWith({
+				type: 'success',
+				message: 'Attribute Room Type deleted',
+			});
+		});
+	});
+});
diff --git a/apps/meteor/client/views/admin/ABAC/hooks/useAttributeOptions.tsx b/apps/meteor/client/views/admin/ABAC/hooks/useAttributeOptions.tsx
new file mode 100644
index 00000000000..f9623076ab0
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/hooks/useAttributeOptions.tsx
@@ -0,0 +1,101 @@
+import { Box } from '@rocket.chat/fuselage';
+import { useEffectEvent } from '@rocket.chat/fuselage-hooks';
+import type { GenericMenuItemProps } from '@rocket.chat/ui-client';
+import { GenericModal } from '@rocket.chat/ui-client';
+import { useRouter, useSetModal, useEndpoint, useToastMessageDispatch } from '@rocket.chat/ui-contexts';
+import { useMutation, useQueryClient } from '@tanstack/react-query';
+import { Trans, useTranslation } from 'react-i18next';
+
+import { useIsABACAvailable } from './useIsABACAvailable';
+import { ABACQueryKeys } from '../../../../lib/queryKeys';
+
+export const useAttributeOptions = (attribute: { _id: string; key: string }): GenericMenuItemProps[] => {
+	const { t } = useTranslation();
+	const router = useRouter();
+	const setModal = useSetModal();
+	const queryClient = useQueryClient();
+	const deleteAttribute = useEndpoint('DELETE', '/v1/abac/attributes/:_id', { _id: attribute._id });
+	const isAttributeUsed = useEndpoint('GET', '/v1/abac/attributes/:key/is-in-use', { key: attribute.key });
+	const dispatchToastMessage = useToastMessageDispatch();
+	const isABACAvailable = useIsABACAvailable();
+
+	const editAction = useEffectEvent(() => {
+		return router.navigate(
+			{
+				name: 'admin-ABAC',
+				params: {
+					tab: 'room-attributes',
+					context: 'edit',
+					id: attribute._id,
+				},
+			},
+			{ replace: true },
+		);
+	});
+
+	const deleteMutation = useMutation({
+		mutationFn: deleteAttribute,
+		onSuccess: () => {
+			dispatchToastMessage({ type: 'success', message: t('ABAC_Attribute_deleted', { attributeName: attribute.key }) });
+		},
+		onError: (error) => {
+			dispatchToastMessage({ type: 'error', message: error });
+		},
+		onSettled: () => {
+			queryClient.invalidateQueries({ queryKey: ABACQueryKeys.roomAttributes.all() });
+			setModal(null);
+		},
+	});
+
+	const deleteAction = useEffectEvent(async () => {
+		const isUsed = await isAttributeUsed();
+		if (isUsed.inUse) {
+			return setModal(
+				<GenericModal
+					variant='warning'
+					icon={null}
+					title={t('ABAC_Cannot_delete_attribute')}
+					confirmText={t('View_rooms')}
+					// TODO Route to rooms tab once implemented
+					onConfirm={() => setModal(null)}
+					onCancel={() => setModal(null)}
+				>
+					<Trans
+						i18nKey='ABAC_Cannot_delete_attribute_content'
+						values={{ attributeName: attribute.key }}
+						components={{ bold: <Box is='span' fontWeight='bold' /> }}
+					/>
+				</GenericModal>,
+			);
+		}
+		setModal(
+			<GenericModal
+				variant='danger'
+				icon={null}
+				title={t('ABAC_Delete_room_attribute')}
+				confirmText={t('Delete')}
+				onConfirm={() => {
+					deleteMutation.mutateAsync(undefined);
+				}}
+				onCancel={() => setModal(null)}
+			>
+				<Trans
+					i18nKey='ABAC_Delete_room_attribute_content'
+					values={{ attributeName: attribute.key }}
+					components={{ bold: <Box is='span' fontWeight='bold' /> }}
+				/>
+			</GenericModal>,
+		);
+	});
+
+	return [
+		{ id: 'edit', icon: 'edit' as const, content: t('Edit'), onClick: () => editAction(), disabled: !isABACAvailable },
+		{
+			id: 'delete',
+			iconColor: 'danger',
+			icon: 'trash' as const,
+			content: <Box color='danger'>{t('Delete')}</Box>,
+			onClick: () => deleteAction(),
+		},
+	];
+};
diff --git a/apps/meteor/client/views/admin/ABAC/hooks/useDeleteRoomModal.spec.tsx b/apps/meteor/client/views/admin/ABAC/hooks/useDeleteRoomModal.spec.tsx
new file mode 100644
index 00000000000..cba54bbc816
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/hooks/useDeleteRoomModal.spec.tsx
@@ -0,0 +1,52 @@
+import { faker } from '@faker-js/faker';
+import { mockAppRoot } from '@rocket.chat/mock-providers';
+import { renderHook, waitFor } from '@testing-library/react';
+
+import { useDeleteRoomModal } from './useDeleteRoomModal';
+
+const mockSetModal = jest.fn();
+
+jest.mock('@rocket.chat/ui-contexts', () => {
+	const originalModule = jest.requireActual('@rocket.chat/ui-contexts');
+	return {
+		...originalModule,
+		useSetModal: () => mockSetModal,
+	};
+});
+
+describe('useDeleteRoomModal', () => {
+	beforeEach(() => {
+		jest.clearAllMocks();
+		mockSetModal.mockClear();
+	});
+
+	it('should show delete confirmation modal when hook is called', async () => {
+		const { result } = renderHook(
+			() =>
+				useDeleteRoomModal({
+					rid: faker.database.mongodbObjectId(),
+					name: faker.lorem.words(3),
+				}),
+			{
+				wrapper: mockAppRoot()
+					.withTranslations('en', 'core', {
+						Edit: 'Edit',
+						Remove: 'Remove',
+						ABAC_Room_removed: 'Room {{roomName}} removed from ABAC management',
+						ABAC_Delete_room: 'Remove room from ABAC management',
+						ABAC_Delete_room_annotation: 'Proceed with caution',
+						ABAC_Delete_room_content:
+							'Removing <bold>{{roomName}}</bold> from ABAC management may result in unintended users gaining access.',
+						Cancel: 'Cancel',
+					})
+					.build(),
+			},
+		);
+
+		result.current();
+
+		await waitFor(() => {
+			expect(mockSetModal).toHaveBeenCalled();
+		});
+	});
+});
diff --git a/apps/meteor/client/views/admin/ABAC/hooks/useDeleteRoomModal.tsx b/apps/meteor/client/views/admin/ABAC/hooks/useDeleteRoomModal.tsx
new file mode 100644
index 00000000000..e7d542e1ca4
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/hooks/useDeleteRoomModal.tsx
@@ -0,0 +1,11 @@
+import { useSetModal } from '@rocket.chat/ui-contexts';
+
+import DeleteRoomModal from '../ABACRoomsTab/DeleteRoomModal';
+
+export const useDeleteRoomModal = (room: { rid: string; name: string }) => {
+	const setModal = useSetModal();
+
+	return () => {
+		setModal(<DeleteRoomModal rid={room.rid} roomName={room.name} onClose={() => setModal(null)} />);
+	};
+};
diff --git a/apps/meteor/client/views/admin/ABAC/hooks/useIsABACAvailable.ts b/apps/meteor/client/views/admin/ABAC/hooks/useIsABACAvailable.ts
new file mode 100644
index 00000000000..357ea543f2c
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/hooks/useIsABACAvailable.ts
@@ -0,0 +1,10 @@
+import { useSetting } from '@rocket.chat/ui-contexts';
+
+import { useHasLicenseModule } from '../../../../hooks/useHasLicenseModule';
+
+export const useIsABACAvailable = () => {
+	const { data: hasABAC = false } = useHasLicenseModule('abac');
+	const isABACSettingEnabled = useSetting('ABAC_Enabled', false);
+
+	return hasABAC && isABACSettingEnabled;
+};
diff --git a/apps/meteor/client/views/admin/ABAC/hooks/useRoomItems.spec.tsx b/apps/meteor/client/views/admin/ABAC/hooks/useRoomItems.spec.tsx
new file mode 100644
index 00000000000..a0c2a5da18d
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/hooks/useRoomItems.spec.tsx
@@ -0,0 +1,124 @@
+import { faker } from '@faker-js/faker';
+import { mockAppRoot } from '@rocket.chat/mock-providers';
+import { renderHook, waitFor } from '@testing-library/react';
+
+import { useRoomItems } from './useRoomItems';
+
+const navigateMock = jest.fn();
+const setDeleteRoomModalMock = jest.fn();
+const useIsABACAvailableMock = jest.fn(() => true);
+
+jest.mock('./useIsABACAvailable', () => ({
+	useIsABACAvailable: () => useIsABACAvailableMock(),
+}));
+jest.mock('./useDeleteRoomModal', () => ({
+	useDeleteRoomModal: () => setDeleteRoomModalMock,
+}));
+jest.mock('@rocket.chat/ui-contexts', () => ({
+	...jest.requireActual('@rocket.chat/ui-contexts'),
+	useRouter: () => ({
+		navigate: navigateMock,
+	}),
+}));
+
+const mockRoom = {
+	rid: faker.database.mongodbObjectId(),
+	name: 'Test Room',
+};
+
+const createAppRoot = () =>
+	mockAppRoot()
+		.withTranslations('en', 'core', {
+			Edit: 'Edit',
+			Remove: 'Remove',
+			ABAC_Room_removed: 'Room {{roomName}} removed from ABAC management',
+			ABAC_Delete_room: 'Remove room from ABAC management',
+			ABAC_Delete_room_annotation: 'Proceed with caution',
+			ABAC_Delete_room_content: 'Removing <bold>{{roomName}}</bold> from ABAC management may result in unintended users gaining access.',
+			Cancel: 'Cancel',
+		})
+		.withEndpoint('DELETE', '/v1/abac/rooms/:rid/attributes', async () => null);
+
+describe('useRoomItems', () => {
+	beforeEach(() => {
+		jest.clearAllMocks();
+		navigateMock.mockClear();
+		useIsABACAvailableMock.mockReturnValue(true);
+	});
+
+	it('should return menu items with correct structure', () => {
+		const { result } = renderHook(() => useRoomItems(mockRoom), {
+			wrapper: createAppRoot().build(),
+		});
+
+		expect(result.current).toHaveLength(2);
+		expect(result.current[0]).toMatchObject({
+			id: 'edit',
+			icon: 'edit',
+			content: 'Edit',
+		});
+		expect(result.current[1]).toMatchObject({
+			id: 'delete',
+			icon: 'cross',
+			iconColor: 'danger',
+		});
+	});
+
+	it('should enable edit when ABAC is available', async () => {
+		const { result } = renderHook(() => useRoomItems(mockRoom), {
+			wrapper: createAppRoot().build(),
+		});
+
+		await waitFor(() => {
+			expect(result.current[0].disabled).toBe(false);
+		});
+	});
+
+	it('should navigate to edit page when edit action is clicked', async () => {
+		const { result } = renderHook(() => useRoomItems(mockRoom), {
+			wrapper: createAppRoot().build(),
+		});
+
+		const editAction = result.current[0].onClick;
+		if (editAction) {
+			editAction();
+		}
+
+		expect(navigateMock).toHaveBeenCalledWith(
+			{
+				name: 'admin-ABAC',
+				params: {
+					tab: 'rooms',
+					context: 'edit',
+					id: mockRoom.rid,
+				},
+			},
+			{ replace: true },
+		);
+	});
+
+	it('should disable edit when ABAC is not available', () => {
+		useIsABACAvailableMock.mockReturnValue(false);
+
+		const { result } = renderHook(() => useRoomItems(mockRoom), {
+			wrapper: createAppRoot().build(),
+		});
+
+		expect(result.current[0].disabled).toBe(true);
+	});
+
+	it('should show delete modal when delete is clicked', async () => {
+		const { result } = renderHook(() => useRoomItems(mockRoom), {
+			wrapper: createAppRoot().build(),
+		});
+
+		const deleteAction = result.current[1].onClick;
+		if (deleteAction) {
+			deleteAction();
+		}
+
+		await waitFor(() => {
+			expect(setDeleteRoomModalMock).toHaveBeenCalled();
+		});
+	});
+});
diff --git a/apps/meteor/client/views/admin/ABAC/hooks/useRoomItems.tsx b/apps/meteor/client/views/admin/ABAC/hooks/useRoomItems.tsx
new file mode 100644
index 00000000000..da0a91fe390
--- /dev/null
+++ b/apps/meteor/client/views/admin/ABAC/hooks/useRoomItems.tsx
@@ -0,0 +1,40 @@
+import { Box } from '@rocket.chat/fuselage';
+import { useEffectEvent } from '@rocket.chat/fuselage-hooks';
+import type { GenericMenuItemProps } from '@rocket.chat/ui-client';
+import { useRouter } from '@rocket.chat/ui-contexts';
+import { useTranslation } from 'react-i18next';
+
+import { useDeleteRoomModal } from './useDeleteRoomModal';
+import { useIsABACAvailable } from './useIsABACAvailable';
+
+export const useRoomItems = (room: { rid: string; name: string }): GenericMenuItemProps[] => {
+	const { t } = useTranslation();
+	const router = useRouter();
+	const setDeleteRoomModal = useDeleteRoomModal(room);
+	const isABACAvailable = useIsABACAvailable();
+
+	const editAction = useEffectEvent(() => {
+		return router.navigate(
+			{
+				name: 'admin-ABAC',
+				params: {
+					tab: 'rooms',
+					context: 'edit',
+					id: room.rid,
+				},
+			},
+			{ replace: true },
+		);
+	});
+
+	return [
+		{ id: 'edit', icon: 'edit' as const, content: t('Edit'), onClick: () => editAction(), disabled: isABACAvailable !== true },
+		{
+			id: 'delete',
+			iconColor: 'danger',
+			icon: 'cross' as const,
+			content: <Box color='danger'>{t('Remove')}</Box>,
+			onClick: setDeleteRoomModal,
+		},
+	];
+};
diff --git a/apps/meteor/client/views/admin/moderation/helpers/DateRangePicker.tsx b/apps/meteor/client/views/admin/moderation/helpers/DateRangePicker.tsx
index ae4180ead2c..82b3d7419d5 100644
--- a/apps/meteor/client/views/admin/moderation/helpers/DateRangePicker.tsx
+++ b/apps/meteor/client/views/admin/moderation/helpers/DateRangePicker.tsx
@@ -7,6 +7,7 @@ import { useTranslation } from 'react-i18next';
 
 type DateRangePickerProps = {
 	onChange(range: { start: string; end: string }): void;
+	defaultSelectedKey?: 'today' | 'yesterday' | 'thisWeek' | 'previousWeek' | 'thisMonth' | 'alldates';
 };
 
 const formatToDateInput = (date: Moment) => date.locale('en').format('YYYY-MM-DD');
@@ -23,7 +24,7 @@ const getWeekRange = (daysToSubtractFromStart: number, daysToSubtractFromEnd: nu
 	end: formatToDateInput(moment().subtract(daysToSubtractFromEnd, 'day')),
 });
 
-const DateRangePicker = ({ onChange }: DateRangePickerProps) => {
+const DateRangePicker = ({ onChange, defaultSelectedKey = 'alldates' }: DateRangePickerProps) => {
 	const { t } = useTranslation();
 
 	const handleRange = useEffectEvent((range: { start: string; end: string }) => {
@@ -41,13 +42,6 @@ const DateRangePicker = ({ onChange }: DateRangePickerProps) => {
 		].map(([value, label]) => [value, label] as SelectOption);
 	}, [t]);
 
-	useEffect(() => {
-		handleRange({
-			start: formatToDateInput(moment(0)),
-			end: todayDate,
-		});
-	}, [handleRange]);
-
 	const handleOptionClick = useEffectEvent((action: Key) => {
 		switch (action) {
 			case 'today':
@@ -76,9 +70,13 @@ const DateRangePicker = ({ onChange }: DateRangePickerProps) => {
 		}
 	});
 
+	useEffect(() => {
+		handleOptionClick(defaultSelectedKey);
+	}, []);
+
 	return (
 		<Box flexGrow={0}>
-			<Select defaultSelectedKey='alldates' width='100%' options={timeOptions} onChange={handleOptionClick} />
+			<Select defaultSelectedKey={defaultSelectedKey} width='100%' options={timeOptions} onChange={handleOptionClick} />
 		</Box>
 	);
 };
diff --git a/apps/meteor/client/views/admin/routes.tsx b/apps/meteor/client/views/admin/routes.tsx
index 233da80cd10..55b06e6fa8f 100644
--- a/apps/meteor/client/views/admin/routes.tsx
+++ b/apps/meteor/client/views/admin/routes.tsx
@@ -104,6 +104,10 @@ declare module '@rocket.chat/ui-contexts' {
 			pathname: '/admin/feature-preview';
 			pattern: '/admin/feature-preview';
 		};
+		'admin-ABAC': {
+			pathname: '/admin/ABAC';
+			pattern: '/admin/ABAC/:tab?/:context?/:id?';
+		};
 	}
 }
 
@@ -237,3 +241,8 @@ registerAdminRoute('/feature-preview', {
 	name: 'admin-feature-preview',
 	component: lazy(() => import('./featurePreview/AdminFeaturePreviewRoute')),
 });
+
+registerAdminRoute('/ABAC/:tab?/:context?/:id?', {
+	name: 'admin-ABAC',
+	component: lazy(() => import('./ABAC/AdminABACRoute')),
+});
diff --git a/apps/meteor/client/views/admin/sidebarItems.ts b/apps/meteor/client/views/admin/sidebarItems.ts
index 2c70d9e173c..ae82ea6584f 100644
--- a/apps/meteor/client/views/admin/sidebarItems.ts
+++ b/apps/meteor/client/views/admin/sidebarItems.ts
@@ -64,6 +64,12 @@ export const {
 		icon: 'user-lock',
 		permissionGranted: (): boolean => hasAtLeastOnePermission(['access-permissions', 'access-setting-permissions']),
 	},
+	{
+		href: '/admin/ABAC',
+		i18nLabel: 'ABAC',
+		icon: 'team-lock',
+		permissionGranted: (): boolean => hasPermission('abac-management'),
+	},
 	{
 		href: '/admin/device-management',
 		i18nLabel: 'Device_Management',
diff --git a/apps/meteor/client/views/admin/users/AdminUserInfoWithData.tsx b/apps/meteor/client/views/admin/users/AdminUserInfoWithData.tsx
index 8179d68150d..8ef62241df1 100644
--- a/apps/meteor/client/views/admin/users/AdminUserInfoWithData.tsx
+++ b/apps/meteor/client/views/admin/users/AdminUserInfoWithData.tsx
@@ -68,6 +68,7 @@ const AdminUserInfoWithData = ({ uid, onReload, tab }: AdminUserInfoWithDataProp
 			canViewAllInfo,
 			reason,
 			freeSwitchExtension,
+			abacAttributes,
 		} = data.user;
 
 		return {
@@ -92,6 +93,7 @@ const AdminUserInfoWithData = ({ uid, onReload, tab }: AdminUserInfoWithDataProp
 			nickname,
 			reason,
 			freeSwitchExtension,
+			abacAttributes,
 		};
 	}, [approveManuallyUsers, data, getRoles]);
 
diff --git a/apps/meteor/client/views/omnichannel/currentChats/CurrentChatsPage.tsx b/apps/meteor/client/views/omnichannel/currentChats/CurrentChatsPage.tsx
index 5bbe454ad0c..1252b05cb2e 100644
--- a/apps/meteor/client/views/omnichannel/currentChats/CurrentChatsPage.tsx
+++ b/apps/meteor/client/views/omnichannel/currentChats/CurrentChatsPage.tsx
@@ -350,7 +350,7 @@ const CurrentChatsPage = ({ id, onRowClick }: { id?: string; onRowClick: (_id: s
 							</GenericTableBody>
 						</GenericTable>
 					)}
-					{isSuccess && data?.rooms.length > 0 && (
+					{isSuccess && data?.rooms?.length > 0 && (
 						<>
 							<GenericTable>
 								<GenericTableHeader>{headers}</GenericTableHeader>
diff --git a/apps/meteor/client/views/room/contextualBar/Info/RoomInfo/RoomInfo.stories.tsx b/apps/meteor/client/views/room/contextualBar/Info/RoomInfo/RoomInfo.stories.tsx
index 4090fddacc8..a8c7a06e477 100644
--- a/apps/meteor/client/views/room/contextualBar/Info/RoomInfo/RoomInfo.stories.tsx
+++ b/apps/meteor/client/views/room/contextualBar/Info/RoomInfo/RoomInfo.stories.tsx
@@ -83,11 +83,10 @@ ABAC.args = {
 	...Default.args,
 	room: {
 		...roomArgs,
-		// @ts-expect-error - abacAttributes is not yet implemented in Rooms properties
 		abacAttributes: [
-			{ name: 'Chat-sensitivity', values: ['Classified', 'Top-Secret'] },
-			{ name: 'Country', values: ['US-only'] },
-			{ name: 'Project', values: ['Ruminator-2000'] },
+			{ key: 'Chat-sensitivity', values: ['Classified', 'Top-Secret'] },
+			{ key: 'Country', values: ['US-only'] },
+			{ key: 'Project', values: ['Ruminator-2000'] },
 		],
 	},
 };
diff --git a/apps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersWithData.tsx b/apps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersWithData.tsx
index ee4b01689ba..81f55030454 100644
--- a/apps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersWithData.tsx
+++ b/apps/meteor/client/views/room/contextualBar/RoomMembers/RoomMembersWithData.tsx
@@ -123,7 +123,6 @@ const RoomMembersWithData = ({ rid }: { rid: IRoom['_id'] }): ReactElement => {
 			reload={refetch}
 			onClickInvite={canCreateInviteLinks && canAddUsers ? openInvite : undefined}
 			onClickAdd={canAddUsers ? openAddUser : undefined}
-			// @ts-expect-error to be implemented in ABAC Feature branch
 			isABACRoom={Boolean(room?.abacAttributes)}
 		/>
 	);
diff --git a/apps/meteor/ee/server/api/abac/index.ts b/apps/meteor/ee/server/api/abac/index.ts
new file mode 100644
index 00000000000..0ed503678f5
--- /dev/null
+++ b/apps/meteor/ee/server/api/abac/index.ts
@@ -0,0 +1,421 @@
+import { Abac } from '@rocket.chat/core-services';
+import type { AbacActor } from '@rocket.chat/core-services';
+import type { IServerEvents, IUser } from '@rocket.chat/core-typings';
+import { ServerEvents, Users } from '@rocket.chat/models';
+import { validateUnauthorizedErrorResponse } from '@rocket.chat/rest-typings/src/v1/Ajv';
+import { convertSubObjectsIntoPaths } from '@rocket.chat/tools';
+
+import {
+	GenericSuccessSchema,
+	PUTAbacAttributeUpdateBodySchema,
+	GETAbacAttributesQuerySchema,
+	GETAbacAttributesResponseSchema,
+	GETAbacAttributeByIdResponseSchema,
+	POSTAbacAttributeDefinitionSchema,
+	GETAbacAttributeIsInUseResponseSchema,
+	POSTRoomAbacAttributesBodySchema,
+	POSTSingleRoomAbacAttributeBodySchema,
+	PUTRoomAbacAttributeValuesBodySchema,
+	POSTAbacUsersSyncBodySchema,
+	GenericErrorSchema,
+	GETAbacRoomsListQueryValidator,
+	GETAbacRoomsResponseValidator,
+	GETAbacAuditEventsQuerySchema,
+	GETAbacAuditEventsResponseSchema,
+} from './schemas';
+import { API } from '../../../../app/api/server';
+import type { ExtractRoutesFromAPI } from '../../../../app/api/server/ApiClass';
+import { getPaginationItems } from '../../../../app/api/server/helpers/getPaginationItems';
+import { settings } from '../../../../app/settings/server';
+import { LDAPEE } from '../../sdk';
+
+const getActorFromUser = (user?: IUser | null): AbacActor | undefined =>
+	user?._id
+		? {
+				_id: user._id,
+				username: user.username,
+				name: user.name,
+			}
+		: undefined;
+
+const abacEndpoints = API.v1
+	.post(
+		'abac/rooms/:rid/attributes',
+		{
+			authRequired: true,
+			permissionsRequired: ['abac-management'],
+			body: POSTRoomAbacAttributesBodySchema,
+			response: {
+				200: GenericSuccessSchema,
+				401: validateUnauthorizedErrorResponse,
+				400: GenericErrorSchema,
+				403: validateUnauthorizedErrorResponse,
+			},
+			license: ['abac'],
+		},
+		async function action() {
+			const { rid } = this.urlParams;
+			const { attributes } = this.bodyParams;
+
+			if (!settings.get('ABAC_Enabled')) {
+				throw new Error('error-abac-not-enabled');
+			}
+
+			// This is a replace-all operation
+			// IF you need fine grained, use the other endpoints for removing, editing & adding single attributes
+			await Abac.setRoomAbacAttributes(rid, attributes, getActorFromUser(this.user));
+			return API.v1.success();
+		},
+	)
+	.delete(
+		'abac/rooms/:rid/attributes',
+		{
+			authRequired: true,
+			permissionsRequired: ['abac-management'],
+			response: {
+				200: GenericSuccessSchema,
+				401: validateUnauthorizedErrorResponse,
+				400: GenericErrorSchema,
+				403: validateUnauthorizedErrorResponse,
+			},
+		},
+		async function action() {
+			const { rid } = this.urlParams;
+
+			// We don't need to check if ABAC is enabled to clear attributes
+			// Since we're always allowing this operation
+			// license check is also not required
+			await Abac.setRoomAbacAttributes(rid, {}, getActorFromUser(this.user));
+			return API.v1.success();
+		},
+	)
+	// add an abac attribute by key
+	.post(
+		'abac/rooms/:rid/attributes/:key',
+		{
+			authRequired: true,
+			permissionsRequired: ['abac-management'],
+			license: ['abac'],
+			body: POSTSingleRoomAbacAttributeBodySchema,
+			response: {
+				200: GenericSuccessSchema,
+				401: validateUnauthorizedErrorResponse,
+				400: GenericErrorSchema,
+				403: validateUnauthorizedErrorResponse,
+			},
+		},
+		async function action() {
+			const { rid, key } = this.urlParams;
+			const { values } = this.bodyParams;
+
+			if (!settings.get('ABAC_Enabled')) {
+				throw new Error('error-abac-not-enabled');
+			}
+
+			await Abac.addRoomAbacAttributeByKey(rid, key, values, getActorFromUser(this.user));
+			return API.v1.success();
+		},
+	)
+	// edit a room attribute
+	.put(
+		'abac/rooms/:rid/attributes/:key',
+		{
+			authRequired: true,
+			permissionsRequired: ['abac-management'],
+			body: PUTRoomAbacAttributeValuesBodySchema,
+			response: {
+				200: GenericSuccessSchema,
+				401: validateUnauthorizedErrorResponse,
+				400: GenericErrorSchema,
+				403: validateUnauthorizedErrorResponse,
+			},
+			license: ['abac'],
+		},
+		async function action() {
+			const { rid, key } = this.urlParams;
+			const { values } = this.bodyParams;
+
+			if (!settings.get('ABAC_Enabled')) {
+				throw new Error('error-abac-not-enabled');
+			}
+
+			await Abac.replaceRoomAbacAttributeByKey(rid, key, values, getActorFromUser(this.user));
+			return API.v1.success();
+		},
+	)
+	// delete a room attribute
+	.delete(
+		'abac/rooms/:rid/attributes/:key',
+		{
+			authRequired: true,
+			permissionsRequired: ['abac-management'],
+			response: {
+				200: GenericSuccessSchema,
+				401: validateUnauthorizedErrorResponse,
+				400: GenericErrorSchema,
+				403: validateUnauthorizedErrorResponse,
+			},
+		},
+		async function action() {
+			const { rid, key } = this.urlParams;
+
+			await Abac.removeRoomAbacAttribute(rid, key, getActorFromUser(this.user));
+			return API.v1.success();
+		},
+	)
+	// attribute endpoints
+	// list attributes
+	.get(
+		'abac/attributes',
+		{
+			authRequired: true,
+			permissionsRequired: ['abac-management'],
+			query: GETAbacAttributesQuerySchema,
+			response: {
+				200: GETAbacAttributesResponseSchema,
+				401: validateUnauthorizedErrorResponse,
+				400: GenericErrorSchema,
+				403: validateUnauthorizedErrorResponse,
+			},
+		},
+		async function action() {
+			const { offset, count } = await getPaginationItems(this.queryParams as Record<string, string | string[] | number | null | undefined>);
+			const { key, values } = this.queryParams;
+
+			return API.v1.success(
+				await Abac.listAbacAttributes(
+					{
+						key,
+						values,
+						offset,
+						count,
+					},
+					getActorFromUser(this.user),
+				),
+			);
+		},
+	)
+
+	.post(
+		'abac/users/sync',
+		{
+			authRequired: true,
+			permissionsRequired: ['abac-management'],
+			license: ['abac', 'ldap-enterprise'],
+			body: POSTAbacUsersSyncBodySchema,
+			response: {
+				200: GenericSuccessSchema,
+				401: validateUnauthorizedErrorResponse,
+				400: GenericErrorSchema,
+				403: validateUnauthorizedErrorResponse,
+			},
+		},
+		async function action() {
+			if (!settings.get('ABAC_Enabled')) {
+				throw new Error('error-abac-not-enabled');
+			}
+
+			const { usernames, ids, emails, ldapIds } = this.bodyParams;
+
+			await LDAPEE.syncUsersAbacAttributes(Users.findUsersByIdentifiers({ usernames, ids, emails, ldapIds }));
+
+			return API.v1.success();
+		},
+	)
+	.post(
+		'abac/attributes',
+		{
+			authRequired: true,
+			permissionsRequired: ['abac-management'],
+			license: ['abac'],
+			body: POSTAbacAttributeDefinitionSchema,
+			response: {
+				200: GenericSuccessSchema,
+				401: validateUnauthorizedErrorResponse,
+				400: GenericErrorSchema,
+				403: validateUnauthorizedErrorResponse,
+			},
+		},
+		async function action() {
+			if (!settings.get('ABAC_Enabled')) {
+				throw new Error('error-abac-not-enabled');
+			}
+
+			await Abac.addAbacAttribute(this.bodyParams, getActorFromUser(this.user));
+			return API.v1.success();
+		},
+	)
+	// update attribute definition (key and/or values)
+	.put(
+		'abac/attributes/:_id',
+		{
+			authRequired: true,
+			permissionsRequired: ['abac-management'],
+			license: ['abac'],
+			body: PUTAbacAttributeUpdateBodySchema,
+			response: {
+				200: GenericSuccessSchema,
+				401: validateUnauthorizedErrorResponse,
+				400: GenericErrorSchema,
+				403: validateUnauthorizedErrorResponse,
+			},
+		},
+		async function action() {
+			const { _id } = this.urlParams;
+			if (!settings.get('ABAC_Enabled')) {
+				throw new Error('error-abac-not-enabled');
+			}
+
+			await Abac.updateAbacAttributeById(_id, this.bodyParams, getActorFromUser(this.user));
+			return API.v1.success();
+		},
+	)
+	// get single attribute with usage
+	.get(
+		'abac/attributes/:_id',
+		{
+			authRequired: true,
+			permissionsRequired: ['abac-management'],
+			response: {
+				200: GETAbacAttributeByIdResponseSchema,
+				401: validateUnauthorizedErrorResponse,
+				400: GenericErrorSchema,
+				403: validateUnauthorizedErrorResponse,
+			},
+		},
+		async function action() {
+			const { _id } = this.urlParams;
+			const result = await Abac.getAbacAttributeById(_id, getActorFromUser(this.user));
+			return API.v1.success(result);
+		},
+	)
+	// delete attribute (only if not in use)
+	.delete(
+		'abac/attributes/:_id',
+		{
+			authRequired: true,
+			permissionsRequired: ['abac-management'],
+			response: {
+				200: GenericSuccessSchema,
+				401: validateUnauthorizedErrorResponse,
+				400: GenericErrorSchema,
+				403: validateUnauthorizedErrorResponse,
+			},
+		},
+		async function action() {
+			const { _id } = this.urlParams;
+			await Abac.deleteAbacAttributeById(_id, getActorFromUser(this.user));
+			return API.v1.success();
+		},
+	)
+	// check if attribute is in use
+	.get(
+		'abac/attributes/:key/is-in-use',
+		{
+			authRequired: true,
+			permissionsRequired: ['abac-management'],
+			response: {
+				200: GETAbacAttributeIsInUseResponseSchema,
+				401: validateUnauthorizedErrorResponse,
+				400: GenericErrorSchema,
+				403: validateUnauthorizedErrorResponse,
+			},
+		},
+		async function action() {
+			const { key } = this.urlParams;
+			const inUse = await Abac.isAbacAttributeInUseByKey(key);
+			return API.v1.success({ inUse });
+		},
+	)
+	.get(
+		'abac/rooms',
+		{
+			authRequired: true,
+			permissionsRequired: ['abac-management'],
+			response: {
+				200: GETAbacRoomsResponseValidator,
+				401: validateUnauthorizedErrorResponse,
+				400: GenericErrorSchema,
+				403: validateUnauthorizedErrorResponse,
+			},
+			query: GETAbacRoomsListQueryValidator,
+		},
+		async function action() {
+			const { offset, count } = await getPaginationItems(this.queryParams as Record<string, string | string[] | number | null | undefined>);
+			const { filter, filterType } = this.queryParams;
+
+			const result = await Abac.listAbacRooms(
+				{
+					offset,
+					count,
+					filter,
+					filterType,
+				},
+				getActorFromUser(this.user),
+			);
+
+			return API.v1.success(result);
+		},
+	)
+	.get(
+		'abac/audit',
+		{
+			response: {
+				200: GETAbacAuditEventsResponseSchema,
+				400: GenericErrorSchema,
+				401: validateUnauthorizedErrorResponse,
+				403: validateUnauthorizedErrorResponse,
+			},
+			query: GETAbacAuditEventsQuerySchema,
+			authRequired: true,
+			permissionsRequired: ['abac-management'],
+			license: ['abac', 'auditing'],
+		},
+		async function action() {
+			const { start, end, actor } = this.queryParams;
+
+			const { offset, count } = await getPaginationItems(this.queryParams as Record<string, string | number | null | undefined>);
+			const { sort } = await this.parseJsonQuery();
+			const _sort = { ts: sort?.ts ? sort?.ts : -1 };
+
+			const { cursor, totalCount } = ServerEvents.findPaginated(
+				{
+					...(actor && convertSubObjectsIntoPaths({ actor })),
+					ts: {
+						$gte: start ? new Date(start) : new Date(0),
+						$lte: end ? new Date(end) : new Date(),
+					},
+					t: {
+						$in: ['abac.attribute.changed', 'abac.object.attribute.changed', 'abac.object.attributes.removed', 'abac.action.performed'],
+					},
+				},
+				{
+					sort: _sort,
+					skip: offset,
+					limit: count,
+					allowDiskUse: true,
+				},
+			);
+
+			const [events, total] = await Promise.all([cursor.toArray(), totalCount]);
+
+			return API.v1.success({
+				events: events as (
+					| IServerEvents['abac.action.performed']
+					| IServerEvents['abac.attribute.changed']
+					| IServerEvents['abac.object.attribute.changed']
+					| IServerEvents['abac.object.attributes.removed']
+				)[],
+				count: events.length,
+				offset,
+				total,
+			});
+		},
+	);
+
+export type AbacEndpoints = ExtractRoutesFromAPI<typeof abacEndpoints>;
+
+declare module '@rocket.chat/rest-typings' {
+	// eslint-disable-next-line @typescript-eslint/naming-convention, @typescript-eslint/no-empty-interface
+	interface Endpoints extends AbacEndpoints {}
+}
diff --git a/apps/meteor/ee/server/api/abac/schemas.ts b/apps/meteor/ee/server/api/abac/schemas.ts
new file mode 100644
index 00000000000..0d679293fcc
--- /dev/null
+++ b/apps/meteor/ee/server/api/abac/schemas.ts
@@ -0,0 +1,389 @@
+import type { IAbacAttribute, IAbacAttributeDefinition, IAuditServerActor, IRoom, IServerEvents } from '@rocket.chat/core-typings';
+import type { PaginatedResult, PaginatedRequest } from '@rocket.chat/rest-typings';
+import { ajv } from '@rocket.chat/rest-typings';
+
+const ATTRIBUTE_KEY_PATTERN = '^[A-Za-z0-9_-]+$';
+const MAX_ROOM_ATTRIBUTE_VALUES = 10;
+const MAX_USERS_SYNC_ITEMS = 100;
+const MAX_ROOM_ATTRIBUTE_KEYS = 10;
+
+const GenericSuccess = {
+	type: 'object',
+	properties: {
+		success: { type: 'boolean', enum: [true] },
+	},
+	additionalProperties: false,
+};
+
+export const GenericSuccessSchema = ajv.compile<void>(GenericSuccess);
+
+// Update ABAC attribute (request body)
+const UpdateAbacAttributeBody = {
+	type: 'object',
+	properties: {
+		key: { type: 'string', minLength: 1, pattern: ATTRIBUTE_KEY_PATTERN },
+		values: {
+			type: 'array',
+			items: { type: 'string', minLength: 1, pattern: ATTRIBUTE_KEY_PATTERN },
+			minItems: 1,
+			uniqueItems: true,
+		},
+	},
+	additionalProperties: false,
+	anyOf: [{ required: ['key'] }, { required: ['values'] }],
+};
+
+export const PUTAbacAttributeUpdateBodySchema = ajv.compile<IAbacAttributeDefinition>(UpdateAbacAttributeBody);
+
+const AbacAttributeDefinition = {
+	type: 'object',
+
+	properties: {
+		key: { type: 'string', minLength: 1, pattern: ATTRIBUTE_KEY_PATTERN },
+		values: {
+			type: 'array',
+			items: { type: 'string', minLength: 1, pattern: ATTRIBUTE_KEY_PATTERN },
+			minItems: 1,
+			uniqueItems: true,
+		},
+	},
+	required: ['key', 'values'],
+	additionalProperties: false,
+};
+
+export const POSTAbacAttributeDefinitionSchema = ajv.compile<IAbacAttributeDefinition>(AbacAttributeDefinition);
+
+const GetAbacAttributesQuery = {
+	type: 'object',
+	properties: {
+		key: { type: 'string', minLength: 1, pattern: ATTRIBUTE_KEY_PATTERN },
+		values: { type: 'string', minLength: 1, pattern: ATTRIBUTE_KEY_PATTERN },
+		offset: { type: 'number' },
+		count: { type: 'number' },
+	},
+	additionalProperties: false,
+};
+
+export const GETAbacAttributesQuerySchema = ajv.compile<{ key?: string; values?: string; offset: number; count?: number }>(
+	GetAbacAttributesQuery,
+);
+
+const AbacAttributeRecord = {
+	type: 'object',
+	properties: {
+		_id: { type: 'string', minLength: 1 },
+		key: { type: 'string', minLength: 1, pattern: ATTRIBUTE_KEY_PATTERN },
+		values: {
+			type: 'array',
+			items: { type: 'string', minLength: 1, pattern: ATTRIBUTE_KEY_PATTERN },
+			minItems: 1,
+			uniqueItems: true,
+		},
+	},
+	required: ['_id', 'key', 'values'],
+	additionalProperties: false,
+};
+
+const GetAbacAttributesResponse = {
+	type: 'object',
+	properties: {
+		success: { type: 'boolean', enum: [true] },
+		attributes: {
+			type: 'array',
+			items: AbacAttributeRecord,
+		},
+		offset: { type: 'number' },
+		count: { type: 'number' },
+		total: { type: 'number' },
+	},
+	required: ['attributes', 'offset', 'count', 'total'],
+	additionalProperties: false,
+};
+
+export const GETAbacAttributesResponseSchema = ajv.compile<{
+	attributes: IAbacAttribute[];
+	offset: number;
+	count: number;
+	total: number;
+}>(GetAbacAttributesResponse);
+
+const GetAbacAttributeByIdResponse = {
+	type: 'object',
+	properties: {
+		success: { type: 'boolean', enum: [true] },
+		_id: { type: 'string', minLength: 1 },
+		key: { type: 'string', minLength: 1, pattern: ATTRIBUTE_KEY_PATTERN },
+		values: {
+			type: 'array',
+			items: { type: 'string', minLength: 1, pattern: ATTRIBUTE_KEY_PATTERN },
+			minItems: 1,
+			uniqueItems: true,
+		},
+	},
+	required: ['key', 'values'],
+	additionalProperties: false,
+};
+
+export const GETAbacAttributeByIdResponseSchema = ajv.compile<{
+	key: string;
+	values: string[];
+}>(GetAbacAttributeByIdResponse);
+
+const GetAbacAttributeIsInUseResponse = {
+	type: 'object',
+	properties: {
+		success: { type: 'boolean', enum: [true] },
+		inUse: { type: 'boolean' },
+	},
+	required: ['inUse'],
+	additionalProperties: false,
+};
+
+export const GETAbacAttributeIsInUseResponseSchema = ajv.compile<{ inUse: boolean }>(GetAbacAttributeIsInUseResponse);
+
+const GetAbacAuditEventsQuerySchemaObject = {
+	type: 'object',
+	properties: {
+		start: { type: 'string', format: 'date-time', nullable: true },
+		end: { type: 'string', format: 'date-time', nullable: true },
+		offset: { type: 'number', nullable: true },
+		count: { type: 'number', nullable: true },
+		actor: {
+			type: 'object',
+			nullable: true,
+			properties: {
+				type: {
+					type: 'string',
+					nullable: true,
+				},
+				_id: {
+					type: 'string',
+					nullable: true,
+				},
+				username: {
+					type: 'string',
+					nullable: true,
+				},
+				ip: {
+					type: 'string',
+					nullable: true,
+				},
+				useragent: {
+					type: 'string',
+					nullable: true,
+				},
+				reason: {
+					type: 'string',
+					nullable: true,
+				},
+			},
+		},
+	},
+	additionalProperties: false,
+};
+
+export const GETAbacAuditEventsQuerySchema = ajv.compile<
+	PaginatedRequest<{
+		start?: string;
+		end?: string;
+		actor?: IAuditServerActor;
+	}>
+>(GetAbacAuditEventsQuerySchemaObject);
+
+const GetAbacAuditEventsResponseSchemaObject = {
+	type: 'object',
+	properties: {
+		success: { type: 'boolean', enum: [true] },
+		events: {
+			type: 'array',
+			items: {
+				type: 'object',
+			},
+		},
+		count: {
+			type: 'number',
+			description: 'The number of events returned in this response.',
+		},
+		offset: {
+			type: 'number',
+			description: 'The number of events that were skipped in this response.',
+		},
+		total: {
+			type: 'number',
+			description: 'The total number of events that match the query.',
+		},
+	},
+	required: ['events', 'count', 'offset', 'total'],
+	additionalProperties: false,
+};
+
+export const GETAbacAuditEventsResponseSchema = ajv.compile<{
+	events: (
+		| IServerEvents['abac.action.performed']
+		| IServerEvents['abac.attribute.changed']
+		| IServerEvents['abac.object.attribute.changed']
+		| IServerEvents['abac.object.attributes.removed']
+	)[];
+	count: number;
+	offset: number;
+	total: number;
+}>(GetAbacAuditEventsResponseSchemaObject);
+
+const PostRoomAbacAttributesBody = {
+	type: 'object',
+	properties: {
+		attributes: {
+			type: 'object',
+			propertyNames: { type: 'string', pattern: ATTRIBUTE_KEY_PATTERN },
+			minProperties: 1,
+			maxProperties: MAX_ROOM_ATTRIBUTE_KEYS,
+			additionalProperties: {
+				type: 'array',
+				items: { type: 'string', minLength: 1, pattern: ATTRIBUTE_KEY_PATTERN },
+				maxItems: MAX_ROOM_ATTRIBUTE_VALUES,
+				uniqueItems: true,
+			},
+		},
+	},
+	required: ['attributes'],
+	additionalProperties: false,
+};
+
+export const POSTRoomAbacAttributesBodySchema = ajv.compile<{ attributes: Record<string, string[]> }>(PostRoomAbacAttributesBody);
+
+const PostSingleRoomAbacAttributeBody = {
+	type: 'object',
+	properties: {
+		values: {
+			type: 'array',
+			items: { type: 'string', minLength: 1, pattern: ATTRIBUTE_KEY_PATTERN },
+			minItems: 1,
+			maxItems: MAX_ROOM_ATTRIBUTE_VALUES,
+			uniqueItems: true,
+		},
+	},
+	required: ['values'],
+	additionalProperties: false,
+};
+
+export const POSTSingleRoomAbacAttributeBodySchema = ajv.compile<{ values: string[] }>(PostSingleRoomAbacAttributeBody);
+
+const PutRoomAbacAttributeValuesBody = {
+	type: 'object',
+	properties: {
+		values: {
+			type: 'array',
+			items: { type: 'string', minLength: 1, pattern: ATTRIBUTE_KEY_PATTERN },
+			minItems: 1,
+			maxItems: MAX_ROOM_ATTRIBUTE_VALUES,
+			uniqueItems: true,
+		},
+	},
+	required: ['values'],
+	additionalProperties: false,
+};
+
+export const PUTRoomAbacAttributeValuesBodySchema = ajv.compile<{ values: string[] }>(PutRoomAbacAttributeValuesBody);
+
+const GenericError = {
+	type: 'object',
+	properties: {
+		success: {
+			type: 'boolean',
+		},
+		message: {
+			type: 'string',
+		},
+	},
+};
+
+const PostAbacUsersSyncBody = {
+	type: 'object',
+	properties: {
+		usernames: {
+			type: 'array',
+			items: { type: 'string', minLength: 1 },
+			minItems: 1,
+			maxItems: MAX_USERS_SYNC_ITEMS,
+			uniqueItems: true,
+		},
+		ids: {
+			type: 'array',
+			items: { type: 'string', minLength: 1 },
+			minItems: 1,
+			maxItems: MAX_USERS_SYNC_ITEMS,
+			uniqueItems: true,
+		},
+		emails: {
+			type: 'array',
+			items: { type: 'string', minLength: 1 },
+			minItems: 1,
+			maxItems: MAX_USERS_SYNC_ITEMS,
+			uniqueItems: true,
+		},
+		ldapIds: {
+			type: 'array',
+			items: { type: 'string', minLength: 1 },
+			minItems: 1,
+			maxItems: MAX_USERS_SYNC_ITEMS,
+			uniqueItems: true,
+		},
+	},
+	additionalProperties: false,
+	anyOf: [{ required: ['usernames'] }, { required: ['ids'] }, { required: ['emails'] }, { required: ['ldapIds'] }],
+};
+
+export const POSTAbacUsersSyncBodySchema = ajv.compile<{
+	usernames?: string[];
+	ids?: string[];
+	emails?: string[];
+	ldapIds?: string[];
+}>(PostAbacUsersSyncBody);
+
+export const GenericErrorSchema = ajv.compile<{ success: boolean; message: string }>(GenericError);
+
+const GETAbacRoomsListQuerySchema = {
+	type: 'object',
+	properties: {
+		filter: { type: 'string', minLength: 1 },
+		filterType: { type: 'string', enum: ['all', 'roomName', 'attribute', 'value'] },
+		offset: { type: 'number' },
+		count: { type: 'number' },
+	},
+	additionalProperties: false,
+};
+
+type GETAbacRoomsListQuery = PaginatedRequest<{ filter?: string; filterType?: 'all' | 'roomName' | 'attribute' | 'value' }>;
+
+export const GETAbacRoomsListQueryValidator = ajv.compile<GETAbacRoomsListQuery>(GETAbacRoomsListQuerySchema);
+
+export const GETAbacRoomsResponseSchema = {
+	type: 'object',
+	properties: {
+		success: {
+			type: 'boolean',
+			enum: [true],
+		},
+		rooms: {
+			type: 'array',
+			items: { type: 'object' },
+		},
+		offset: {
+			type: 'number',
+		},
+		count: {
+			type: 'number',
+		},
+		total: {
+			type: 'number',
+		},
+	},
+	required: ['rooms', 'offset', 'count', 'total'],
+	additionalProperties: false,
+};
+
+type GETAbacRoomsResponse = PaginatedResult<{
+	rooms: IRoom[];
+}>;
+
+export const GETAbacRoomsResponseValidator = ajv.compile<GETAbacRoomsResponse>(GETAbacRoomsResponseSchema);
diff --git a/apps/meteor/ee/server/api/index.ts b/apps/meteor/ee/server/api/index.ts
index 93a4c99d8f1..35e8b0f0f60 100644
--- a/apps/meteor/ee/server/api/index.ts
+++ b/apps/meteor/ee/server/api/index.ts
@@ -7,3 +7,4 @@ import './roles';
 import '../apps/communication/uikit';
 import './engagementDashboard';
 import './audit';
+import './abac';
diff --git a/apps/meteor/ee/server/configuration/abac.ts b/apps/meteor/ee/server/configuration/abac.ts
new file mode 100644
index 00000000000..490ed6e3fb0
--- /dev/null
+++ b/apps/meteor/ee/server/configuration/abac.ts
@@ -0,0 +1,29 @@
+import { License } from '@rocket.chat/license';
+import { Users } from '@rocket.chat/models';
+
+import { settings } from '../../../app/settings/server';
+import { LDAPEE } from '../sdk';
+
+Meteor.startup(async () => {
+	let stopWatcher: () => void;
+	License.onToggledFeature('abac', {
+		up: async () => {
+			const { addSettings } = await import('../settings/abac');
+			const { createPermissions } = await import('../lib/abac');
+
+			await addSettings();
+			await createPermissions();
+
+			await import('../hooks/abac');
+
+			stopWatcher = settings.watch('ABAC_Enabled', async (value) => {
+				if (value) {
+					await LDAPEE.syncUsersAbacAttributes(Users.findLDAPUsers());
+				}
+			});
+		},
+		down: () => {
+			stopWatcher?.();
+		},
+	});
+});
diff --git a/apps/meteor/ee/server/configuration/index.ts b/apps/meteor/ee/server/configuration/index.ts
index 6469ef287d8..8e422c47cc1 100644
--- a/apps/meteor/ee/server/configuration/index.ts
+++ b/apps/meteor/ee/server/configuration/index.ts
@@ -5,3 +5,4 @@ import './outlookCalendar';
 import './saml';
 import './videoConference';
 import './voip';
+import './abac';
diff --git a/apps/meteor/ee/server/configuration/ldap.ts b/apps/meteor/ee/server/configuration/ldap.ts
index 026a7f964a7..b68a310a424 100644
--- a/apps/meteor/ee/server/configuration/ldap.ts
+++ b/apps/meteor/ee/server/configuration/ldap.ts
@@ -60,14 +60,23 @@ Meteor.startup(async () => {
 			() => LDAPEE.syncLogout(),
 		);
 
+		const addAbacCronJob = configureBackgroundSync(
+			'LDAP_AbacSync',
+			'LDAP_Background_Sync_ABAC_Attributes',
+			'LDAP_Background_Sync_ABAC_Attributes_Interval',
+			() => LDAPEE.syncAbacAttributes(),
+		);
+
 		settings.watchMultiple(['LDAP_Background_Sync', 'LDAP_Background_Sync_Interval'], addCronJob);
 		settings.watchMultiple(['LDAP_Background_Sync_Avatars', 'LDAP_Background_Sync_Avatars_Interval'], addAvatarCronJob);
 		settings.watchMultiple(['LDAP_Sync_AutoLogout_Enabled', 'LDAP_Sync_AutoLogout_Interval'], addLogoutCronJob);
+		settings.watchMultiple(['LDAP_Background_Sync_ABAC_Attributes', 'LDAP_Background_Sync_ABAC_Attributes_Interval'], addAbacCronJob);
 
 		settings.watch('LDAP_Enable', async () => {
 			await addCronJob();
 			await addAvatarCronJob();
 			await addLogoutCronJob();
+			await addAbacCronJob();
 		});
 
 		settings.watch<string>('LDAP_Groups_To_Rocket_Chat_Teams', (value) => {
@@ -78,6 +87,14 @@ Meteor.startup(async () => {
 			}
 		});
 
+		settings.watch<string>('LDAP_ABAC_AttributeMap', (value) => {
+			try {
+				LDAPEEManager.validateLDAPABACAttributeMap(value);
+			} catch (error) {
+				logger.error(error);
+			}
+		});
+
 		callbacks.add(
 			'mapLDAPUserData',
 			(userData: IImportUser, ldapUser?: ILDAPEntry) => {
diff --git a/apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts b/apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
new file mode 100644
index 00000000000..4260161d143
--- /dev/null
+++ b/apps/meteor/ee/server/hooks/abac/beforeAddUserToRoom.ts
@@ -0,0 +1,22 @@
+import { Abac } from '@rocket.chat/core-services';
+import { License } from '@rocket.chat/license';
+
+import { beforeAddUserToRoom } from '../../../../app/lib/server/lib/beforeAddUserToRoom';
+import { settings } from '../../../../app/settings/server';
+
+beforeAddUserToRoom.patch(async (prev, users, room, actor) => {
+	await prev(users, room, actor);
+
+	const validUsers = users.filter(Boolean);
+	// No need to check ABAC when theres no users or when room is not private or when room is not ABAC managed
+	if (!validUsers.length || room.t !== 'p' || !room?.abacAttributes?.length) {
+		return;
+	}
+
+	// Throw error (prevent add) if ABAC is disabled (setting, license) but room is ABAC managed
+	if (!settings.get('ABAC_Enabled') || !License.hasModule('abac')) {
+		throw new Error('error-room-is-abac-managed');
+	}
+
+	await Abac.checkUsernamesMatchAttributes(validUsers as string[], room.abacAttributes, room);
+});
diff --git a/apps/meteor/ee/server/hooks/abac/index.ts b/apps/meteor/ee/server/hooks/abac/index.ts
new file mode 100644
index 00000000000..8f93423047a
--- /dev/null
+++ b/apps/meteor/ee/server/hooks/abac/index.ts
@@ -0,0 +1 @@
+import './beforeAddUserToRoom';
diff --git a/apps/meteor/ee/server/lib/abac/index.ts b/apps/meteor/ee/server/lib/abac/index.ts
new file mode 100644
index 00000000000..1b03e8d4574
--- /dev/null
+++ b/apps/meteor/ee/server/lib/abac/index.ts
@@ -0,0 +1,9 @@
+import { Permissions } from '@rocket.chat/models';
+
+export const createPermissions = async () => {
+	const permissions = [{ _id: 'abac-management', roles: ['admin'] }];
+
+	for (const permission of permissions) {
+		void Permissions.create(permission._id, permission.roles);
+	}
+};
diff --git a/apps/meteor/ee/server/lib/audit/methods.ts b/apps/meteor/ee/server/lib/audit/methods.ts
index 27b97e1b8f4..40d1b06e316 100644
--- a/apps/meteor/ee/server/lib/audit/methods.ts
+++ b/apps/meteor/ee/server/lib/audit/methods.ts
@@ -37,7 +37,8 @@ const getRoomInfoByAuditParams = async ({
 	userId: string;
 }) => {
 	if (rid) {
-		return getValue(await Rooms.findOne({ _id: rid }));
+		// When ABAC is enabled, only rooms without ABAC attributes are considered for auditing by room ID.
+		return getValue(await Rooms.findOne({ _id: rid, abacAttributes: { $exists: false } }));
 	}
 
 	if (type === 'd') {
@@ -165,7 +166,7 @@ Meteor.methods<ServerMethods>({
 		} else {
 			const roomInfo = await getRoomInfoByAuditParams({ type, roomId: rid, users: usernames, visitor, agent, userId: user._id });
 			if (!roomInfo) {
-				throw new Meteor.Error('Room doesn`t exist');
+				throw new Meteor.Error(`Room doesn't exist`);
 			}
 
 			rids = roomInfo.rids;
diff --git a/apps/meteor/ee/server/lib/ldap/Manager.ts b/apps/meteor/ee/server/lib/ldap/Manager.ts
index 5baf73e6f93..88b505b0026 100644
--- a/apps/meteor/ee/server/lib/ldap/Manager.ts
+++ b/apps/meteor/ee/server/lib/ldap/Manager.ts
@@ -1,7 +1,9 @@
-import { Team } from '@rocket.chat/core-services';
+import { Abac, Team } from '@rocket.chat/core-services';
 import type { ILDAPEntry, IUser, IRoom, IRole, IImportUser, IImportRecord } from '@rocket.chat/core-typings';
+import { License } from '@rocket.chat/license';
 import { Users, Roles, Subscriptions as SubscriptionsRaw, Rooms } from '@rocket.chat/models';
 import type ldapjs from 'ldapjs';
+import type { FindCursor } from 'mongodb';
 
 import type {
 	ImporterAfterImportCallback,
@@ -102,6 +104,52 @@ export class LDAPEEManager extends LDAPManager {
 		}
 	}
 
+	public static async syncAbacAttributes(): Promise<void> {
+		if (
+			!settings.get('LDAP_Enable') ||
+			!settings.get('LDAP_Background_Sync_ABAC_Attributes') ||
+			!License.hasModule('abac') ||
+			!settings.get('ABAC_Enabled')
+		) {
+			return;
+		}
+
+		try {
+			const ldap = new LDAPConnection();
+			await ldap.connect();
+
+			try {
+				await this.updateUserAbacAttributes(ldap);
+			} finally {
+				ldap.disconnect();
+			}
+		} catch (error) {
+			logger.error(error);
+		}
+	}
+
+	public static async syncUsersAbacAttributes(users: FindCursor<IUser>): Promise<void> {
+		if (!settings.get('LDAP_Enable') || !License.hasModule('abac') || !settings.get('ABAC_Enabled')) {
+			return;
+		}
+
+		try {
+			const ldap = new LDAPConnection();
+			await ldap.connect();
+
+			try {
+				logger.debug({ msg: 'Starting ABAC attributes sync for LDAP users' });
+				for await (const user of users) {
+					await this.syncUserAbacAttribute(ldap, user);
+				}
+			} finally {
+				ldap.disconnect();
+			}
+		} catch (error) {
+			logger.error(error);
+		}
+	}
+
 	public static validateLDAPTeamsMappingChanges(json: string): void {
 		if (!json) {
 			return;
@@ -123,6 +171,32 @@ export class LDAPEEManager extends LDAPManager {
 		}
 	}
 
+	public static validateLDAPABACAttributeMap(json: string): void {
+		if (!json) {
+			return;
+		}
+
+		const mappedAttributes = this.parseJson(json);
+
+		// attributes are { key: value } with key being the ldap attribute and value being the abac attribute in rocketchat
+		// both strings
+		// There's no need for the attribute to exist in rocketchat, we just add whatever the admin wants to map
+
+		if (!mappedAttributes || Object.keys(mappedAttributes).length === 0) {
+			return;
+		}
+
+		const validStructureMapping = Object.entries(mappedAttributes).every(
+			([key, value]) => typeof key === 'string' && typeof value === 'string',
+		);
+
+		if (!validStructureMapping) {
+			throw new Error(
+				'Please verify your mapping for LDAP X RocketChat ABAC Attributes. The structure is invalid, the structure should be an object like: {key: LdapAttribute, value: RocketChatAbacAttribute}',
+			);
+		}
+	}
+
 	public static async syncLogout(): Promise<void> {
 		if (settings.get('LDAP_Enable') !== true || settings.get('LDAP_Sync_AutoLogout_Enabled') !== true) {
 			return;
@@ -358,6 +432,11 @@ export class LDAPEEManager extends LDAPManager {
 					return;
 				}
 
+				if (settings.get('ABAC_Enabled') && room?.abacAttributes?.length) {
+					logger.error({ msg: 'Cannot add user to channel. Channel is ABAC managed', userChannelName });
+					continue;
+				}
+
 				if (room.teamMain) {
 					logger.error(`Can't add user to channel ${userChannelName} because it is a team.`);
 				} else {
@@ -430,7 +509,23 @@ export class LDAPEEManager extends LDAPManager {
 		});
 		const currentTeamIds = currentTeams?.map(({ teamId }) => teamId);
 		const teamsToRemove = currentTeamIds?.filter((teamId) => notInTeamIds.includes(teamId));
-		const teamsToAdd = inTeamIds.filter((teamId) => !currentTeamIds?.includes(teamId));
+		let teamsToAdd = inTeamIds.filter((teamId) => !currentTeamIds?.includes(teamId));
+
+		if (settings.get('ABAC_Enabled')) {
+			const roomsWithAbacAttributes = await Rooms.findPrivateRoomsByIdsWithAbacAttributes(
+				allTeams.filter((t) => teamsToAdd.includes(t._id)).map((t) => t.roomId),
+				{ projection: { teamId: 1 } },
+			)
+				.map((r) => r.teamId)
+				.toArray();
+
+			logger.debug({ msg: 'Some teams will be ignored from sync because they are abac managed', roomsWithAbacAttributes });
+
+			teamsToAdd = teamsToAdd.filter((teamId) => !roomsWithAbacAttributes.includes(teamId));
+			if (!teamsToAdd.length) {
+				return;
+			}
+		}
 
 		await Team.insertMemberOnTeams(user._id, teamsToAdd);
 		if (teamsToRemove) {
@@ -644,6 +739,38 @@ export class LDAPEEManager extends LDAPManager {
 		}
 	}
 
+	private static async updateUserAbacAttributes(ldap: LDAPConnection): Promise<void> {
+		const mapping = this.parseJson(settings.get('LDAP_ABAC_AttributeMap'));
+		if (!mapping) {
+			logger.error('LDAP to ABAC attribute mapping is not valid JSON');
+			return;
+		}
+
+		for await (const user of Users.findLDAPUsers()) {
+			const ldapUser = await this.findLDAPUser(ldap, user);
+			if (!ldapUser) {
+				continue;
+			}
+
+			await Abac.addSubjectAttributes(user, ldapUser, mapping, undefined);
+		}
+	}
+
+	private static async syncUserAbacAttribute(ldap: LDAPConnection, user: IUser): Promise<void> {
+		const mapping = this.parseJson(settings.get('LDAP_ABAC_AttributeMap'));
+		if (!mapping) {
+			logger.error('LDAP to ABAC attribute mapping is not valid JSON');
+			return;
+		}
+
+		const ldapUser = await this.findLDAPUser(ldap, user);
+		if (!ldapUser) {
+			return;
+		}
+
+		await Abac.addSubjectAttributes(user, ldapUser, mapping, undefined);
+	}
+
 	private static async findLDAPUser(ldap: LDAPConnection, user: IUser): Promise<ILDAPEntry | undefined> {
 		if (user.services?.ldap?.id) {
 			return ldap.findOneById(user.services.ldap.id, user.services.ldap.idAttribute);
diff --git a/apps/meteor/ee/server/local-services/ldap/service.ts b/apps/meteor/ee/server/local-services/ldap/service.ts
index 3c38152ed22..2493ed674be 100644
--- a/apps/meteor/ee/server/local-services/ldap/service.ts
+++ b/apps/meteor/ee/server/local-services/ldap/service.ts
@@ -1,4 +1,6 @@
 import { ServiceClassInternal } from '@rocket.chat/core-services';
+import type { IUser } from '@rocket.chat/core-typings';
+import type { FindCursor } from 'mongodb';
 
 import { LDAPEEManager } from '../../lib/ldap/Manager';
 import type { ILDAPEEService } from '../../sdk/types/ILDAPEEService';
@@ -17,4 +19,12 @@ export class LDAPEEService extends ServiceClassInternal implements ILDAPEEServic
 	async syncLogout(): Promise<void> {
 		return LDAPEEManager.syncLogout();
 	}
+
+	async syncAbacAttributes(): Promise<void> {
+		return LDAPEEManager.syncAbacAttributes();
+	}
+
+	async syncUsersAbacAttributes(users: FindCursor<IUser>): Promise<void> {
+		return LDAPEEManager.syncUsersAbacAttributes(users);
+	}
 }
diff --git a/apps/meteor/ee/server/sdk/types/ILDAPEEService.ts b/apps/meteor/ee/server/sdk/types/ILDAPEEService.ts
index 246d52884a8..1a51c1cbb88 100644
--- a/apps/meteor/ee/server/sdk/types/ILDAPEEService.ts
+++ b/apps/meteor/ee/server/sdk/types/ILDAPEEService.ts
@@ -1,5 +1,10 @@
+import type { IUser } from '@rocket.chat/core-typings';
+import type { FindCursor } from 'mongodb';
+
 export interface ILDAPEEService {
 	sync(): Promise<void>;
 	syncAvatars(): Promise<void>;
 	syncLogout(): Promise<void>;
+	syncAbacAttributes(): Promise<void>;
+	syncUsersAbacAttributes(users: FindCursor<IUser>): Promise<void>;
 }
diff --git a/apps/meteor/ee/server/settings/abac.ts b/apps/meteor/ee/server/settings/abac.ts
new file mode 100644
index 00000000000..54b93912ddb
--- /dev/null
+++ b/apps/meteor/ee/server/settings/abac.ts
@@ -0,0 +1,35 @@
+import { settingsRegistry } from '../../../app/settings/server';
+
+export function addSettings(): Promise<void> {
+	return settingsRegistry.addGroup('General', async function () {
+		await this.with(
+			{
+				enterprise: true,
+				modules: ['abac'],
+			},
+			async function () {
+				await this.add('ABAC_Enabled', false, {
+					type: 'boolean',
+					public: true,
+					invalidValue: false,
+					section: 'ABAC',
+					i18nDescription: 'ABAC_Enabled_Description',
+				});
+				await this.add('ABAC_ShowAttributesInRooms', false, {
+					type: 'boolean',
+					public: true,
+					invalidValue: false,
+					section: 'ABAC',
+					enableQuery: { _id: 'ABAC_Enabled', value: true },
+				});
+				await this.add('Abac_Cache_Decision_Time_Seconds', 300, {
+					type: 'int',
+					public: true,
+					section: 'ABAC',
+					invalidValue: 0,
+					enableQuery: { _id: 'ABAC_Enabled', value: true },
+				});
+			},
+		);
+	});
+}
diff --git a/apps/meteor/ee/server/settings/ldap.ts b/apps/meteor/ee/server/settings/ldap.ts
index d026d913be9..e2417e7622a 100644
--- a/apps/meteor/ee/server/settings/ldap.ts
+++ b/apps/meteor/ee/server/settings/ldap.ts
@@ -282,6 +282,30 @@ export function addSettings(): Promise<void> {
 						invalidValue: '',
 					});
 				});
+
+				await this.section('LDAP_DataSync_ABAC', async function () {
+					await this.add('LDAP_Background_Sync_ABAC_Attributes', false, {
+						type: 'boolean',
+						enableQuery,
+						invalidValue: false,
+						modules: ['abac', 'ldap-enterprise'],
+					});
+
+					await this.add('LDAP_Background_Sync_ABAC_Attributes_Interval', '0 0 * * *', {
+						type: 'string',
+						enableQuery: [enableQuery, { _id: 'LDAP_Background_Sync_ABAC_Attributes', value: true }],
+						invalidValue: '0 0 * * *',
+						modules: ['abac', 'ldap-enterprise'],
+					});
+
+					await this.add('LDAP_ABAC_AttributeMap', '{}', {
+						type: 'code',
+						multiline: true,
+						enableQuery: [enableQuery, { _id: 'LDAP_Background_Sync_ABAC_Attributes', value: true }],
+						invalidValue: '{}',
+						modules: ['abac', 'ldap-enterprise'],
+					});
+				});
 			},
 		);
 	});
diff --git a/apps/meteor/ee/server/startup/services.ts b/apps/meteor/ee/server/startup/services.ts
index 1d49d9ce209..5e33f9e17c7 100644
--- a/apps/meteor/ee/server/startup/services.ts
+++ b/apps/meteor/ee/server/startup/services.ts
@@ -1,3 +1,4 @@
+import { AbacService } from '@rocket.chat/abac';
 import { api } from '@rocket.chat/core-services';
 
 import { isRunningMs } from '../../../server/lib/isRunningMs';
@@ -19,5 +20,6 @@ api.registerService(new VoipFreeSwitchService());
 
 // when not running micro services we want to start up the instance intercom
 if (!isRunningMs()) {
+	api.registerService(new AbacService());
 	api.registerService(new InstanceService());
 }
diff --git a/apps/meteor/lib/publishFields.ts b/apps/meteor/lib/publishFields.ts
index 999c4b7f0b1..3b4945b673a 100644
--- a/apps/meteor/lib/publishFields.ts
+++ b/apps/meteor/lib/publishFields.ts
@@ -127,4 +127,7 @@ export const roomFields = {
 	callTotalHoldTime: 1,
 	callWaitingTime: 1,
 	usersWaitingForE2EKeys: 1,
+
+	// ABAC fields
+	abacAttributes: 1,
 } as const;
diff --git a/apps/meteor/lib/rooms/adminFields.ts b/apps/meteor/lib/rooms/adminFields.ts
index 21353da84c5..2fb6f9c35f7 100644
--- a/apps/meteor/lib/rooms/adminFields.ts
+++ b/apps/meteor/lib/rooms/adminFields.ts
@@ -29,4 +29,5 @@ export const adminFields: Partial<Record<keyof IRoom, 1>> = {
 	uids: 1,
 	avatarETag: 1,
 	federated: 1,
+	abacAttributes: 1,
 } as const;
diff --git a/apps/meteor/package.json b/apps/meteor/package.json
index 0d435094b64..90415f059fc 100644
--- a/apps/meteor/package.json
+++ b/apps/meteor/package.json
@@ -84,6 +84,7 @@
 		"@parse/node-apn": "^6.3.0",
 		"@react-aria/toolbar": "^3.0.0-nightly.5042",
 		"@react-pdf/renderer": "^3.4.5",
+		"@rocket.chat/abac": "workspace:^",
 		"@rocket.chat/account-utils": "workspace:^",
 		"@rocket.chat/agenda": "workspace:^",
 		"@rocket.chat/api-client": "workspace:^",
diff --git a/apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts b/apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts
index c4791b7e80a..9dff1771cc8 100644
--- a/apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts
+++ b/apps/meteor/server/lib/dataExport/exportRoomMessagesToFile.ts
@@ -155,6 +155,9 @@ export const getMessageData = (
 		case 'livechat-started':
 			messageObject.msg = i18n.t('Chat_started');
 			break;
+		case 'abac-removed-user-from-room':
+			messageObject.msg = i18n.t('abac_removed_user_from_the_room');
+			break;
 	}
 
 	return messageObject;
diff --git a/apps/meteor/server/methods/addAllUserToRoom.ts b/apps/meteor/server/methods/addAllUserToRoom.ts
index 08c61373fcb..57f9ea3600b 100644
--- a/apps/meteor/server/methods/addAllUserToRoom.ts
+++ b/apps/meteor/server/methods/addAllUserToRoom.ts
@@ -6,6 +6,7 @@ import { check } from 'meteor/check';
 import { Meteor } from 'meteor/meteor';
 
 import { hasPermissionAsync } from '../../app/authorization/server/functions/hasPermission';
+import { beforeAddUserToRoom } from '../../app/lib/server/lib/beforeAddUserToRoom';
 import { notifyOnSubscriptionChangedById } from '../../app/lib/server/lib/notifyListener';
 import { settings } from '../../app/settings/server';
 import { getDefaultSubscriptionPref } from '../../app/utils/lib/getDefaultSubscriptionPref';
@@ -50,6 +51,11 @@ export const addAllUserToRoomFn = async (userId: string, rid: IRoom['_id'], acti
 		});
 	}
 
+	await beforeAddUserToRoom(
+		users.map((u) => u.username!),
+		room,
+	);
+
 	const now = new Date();
 	for await (const user of users) {
 		const subscription = await Subscriptions.findOneByRoomIdAndUserId(rid, user._id);
diff --git a/apps/meteor/server/models.ts b/apps/meteor/server/models.ts
index e9e577a7473..343b1dce01c 100644
--- a/apps/meteor/server/models.ts
+++ b/apps/meteor/server/models.ts
@@ -81,6 +81,7 @@ import {
 	VoipRoomRaw,
 	WebdavAccountsRaw,
 	WorkspaceCredentialsRaw,
+	AbacAttributesRaw,
 } from '@rocket.chat/models';
 import type { Collection } from 'mongodb';
 
@@ -173,3 +174,4 @@ registerModel('IVideoConferenceModel', new VideoConferenceRaw(db));
 registerModel('IVoipRoomModel', new VoipRoomRaw(db, trashCollection));
 registerModel('IWebdavAccountsModel', new WebdavAccountsRaw(db));
 registerModel('IWorkspaceCredentialsModel', new WorkspaceCredentialsRaw(db));
+registerModel('IAbacAttributesModel', new AbacAttributesRaw(db));
diff --git a/apps/meteor/server/services/authorization/canAccessRoom.ts b/apps/meteor/server/services/authorization/canAccessRoom.ts
index 289b21a02c7..73263437b56 100644
--- a/apps/meteor/server/services/authorization/canAccessRoom.ts
+++ b/apps/meteor/server/services/authorization/canAccessRoom.ts
@@ -1,7 +1,7 @@
-import { Authorization } from '@rocket.chat/core-services';
+import { Authorization, License, Abac } from '@rocket.chat/core-services';
 import type { RoomAccessValidator } from '@rocket.chat/core-services';
+import { TEAM_TYPE, AbacAccessOperation, AbacObjectType } from '@rocket.chat/core-typings';
 import type { IUser, ITeam } from '@rocket.chat/core-typings';
-import { TEAM_TYPE } from '@rocket.chat/core-typings';
 import { Subscriptions, Rooms, Settings, TeamMember, Team } from '@rocket.chat/models';
 
 import { canAccessRoomLivechat } from './canAccessRoomLivechat';
@@ -57,15 +57,25 @@ const roomAccessValidators: RoomAccessValidator[] = [
 			return false;
 		}
 
-		if (!(await Subscriptions.countByRoomIdAndUserId(room._id, user._id))) {
-			return false;
-		}
-
-		if (await Authorization.hasPermission(user._id, 'view-joined-room')) {
-			return true;
+		const [canViewJoined, canViewT] = await Promise.all([
+			Authorization.hasPermission(user._id, 'view-joined-room'),
+			Authorization.hasPermission(user._id, `view-${room.t}-room`),
+		]);
+
+		// When there's no ABAC setting, license or values on the room, fallback to previous behavior
+		if (
+			!room?.abacAttributes?.length ||
+			!(await License.hasModule('abac')) ||
+			(!(await Settings.getValueById('ABAC_Enabled')) as boolean)
+		) {
+			if (!(await Subscriptions.countByRoomIdAndUserId(room._id, user._id))) {
+				return false;
+			}
+
+			return canViewJoined || canViewT;
 		}
 
-		return Authorization.hasPermission(user._id, `view-${room.t}-room`);
+		return (canViewJoined || canViewT) && Abac.canAccessObject(room, user, AbacAccessOperation.READ, AbacObjectType.ROOM);
 	},
 
 	async function _validateAccessToDiscussionsParentRoom(room, user): Promise<boolean> {
diff --git a/apps/meteor/server/services/authorization/service.ts b/apps/meteor/server/services/authorization/service.ts
index 68cdb9cd3f3..3c1858b1305 100644
--- a/apps/meteor/server/services/authorization/service.ts
+++ b/apps/meteor/server/services/authorization/service.ts
@@ -86,12 +86,13 @@ export class Authorization extends ServiceClass implements IAuthorization {
 	}
 
 	async canAccessRoomId(rid: IRoom['_id'], uid: IUser['_id']): Promise<boolean> {
-		const room = await Rooms.findOneById<Pick<IRoom, '_id' | 't' | 'teamId' | 'prid'>>(rid, {
+		const room = await Rooms.findOneById<Pick<IRoom, '_id' | 't' | 'teamId' | 'prid' | 'abacAttributes'>>(rid, {
 			projection: {
 				_id: 1,
 				t: 1,
 				teamId: 1,
 				prid: 1,
+				abacAttributes: 1,
 			},
 		});
 
diff --git a/apps/meteor/server/services/room/service.ts b/apps/meteor/server/services/room/service.ts
index b32abc80edb..481de2a38f2 100644
--- a/apps/meteor/server/services/room/service.ts
+++ b/apps/meteor/server/services/room/service.ts
@@ -1,7 +1,14 @@
 import { ServiceClassInternal, Authorization, Message, MeteorError } from '@rocket.chat/core-services';
 import type { ICreateRoomParams, IRoomService } from '@rocket.chat/core-services';
-import { isOmnichannelRoom, isRoomWithJoinCode } from '@rocket.chat/core-typings';
-import type { ISubscription, AtLeast, IRoom, IUser } from '@rocket.chat/core-typings';
+import {
+	type AtLeast,
+	type IRoom,
+	type IUser,
+	type MessageTypesValues,
+	type ISubscription,
+	isOmnichannelRoom,
+	isRoomWithJoinCode,
+} from '@rocket.chat/core-typings';
 import { Rooms, Subscriptions, Users } from '@rocket.chat/models';
 
 import { FederationActions } from './hooks/BeforeFederationActions';
@@ -82,7 +89,11 @@ export class RoomService extends ServiceClassInternal implements IRoomService {
 		return addUserToRoom(roomId, user, inviter, options);
 	}
 
-	async removeUserFromRoom(roomId: string, user: IUser, options?: { byUser: IUser }): Promise<void> {
+	async removeUserFromRoom(
+		roomId: string,
+		user: IUser,
+		options?: { byUser?: IUser; skipAppPreEvents?: boolean; customSystemMessage?: MessageTypesValues },
+	): Promise<void> {
 		return removeUserFromRoom(roomId, user, options);
 	}
 
diff --git a/apps/meteor/tests/end-to-end/api/abac.ts b/apps/meteor/tests/end-to-end/api/abac.ts
new file mode 100644
index 00000000000..4ca72332847
--- /dev/null
+++ b/apps/meteor/tests/end-to-end/api/abac.ts
@@ -0,0 +1,2455 @@
+import type { Credentials } from '@rocket.chat/api-client';
+import type { IAbacAttributeDefinition, IRoom, IUser } from '@rocket.chat/core-typings';
+import { expect } from 'chai';
+import { before, after, describe, it } from 'mocha';
+import { MongoClient } from 'mongodb';
+
+import { getCredentials, request, credentials, methodCall } from '../../data/api-data';
+import { sleep } from '../../data/livechat/utils';
+import { updatePermission, updateSetting } from '../../data/permissions.helper';
+import { createRoom, deleteRoom } from '../../data/rooms.helper';
+import { deleteTeam } from '../../data/teams.helper';
+import { password } from '../../data/user';
+import { createUser, deleteUser, login } from '../../data/users.helper';
+import { IS_EE, URL_MONGODB } from '../../e2e/config/constants';
+
+// NOTE: This manipulates the DB directly to add ABAC attributes to a user
+// The idea is to avoid having to go through LDAP to add info to the user
+let connection: MongoClient;
+const addAbacAttributesToUserDirectly = async (userId: string, abacAttributes: IAbacAttributeDefinition[]) => {
+	await connection.db().collection('users').updateOne(
+		{
+			// @ts-expect-error - collection types for _id
+			_id: userId,
+		},
+		{ $set: { abacAttributes } },
+	);
+};
+
+(IS_EE ? describe : describe.skip)('[ABAC] (Enterprise Only)', function () {
+	this.retries(0);
+
+	let testRoom: IRoom;
+	let unauthorizedUser: IUser;
+	let unauthorizedCredentials: Credentials;
+
+	const initialKey = `attr_${Date.now()}`;
+	const updatedKey = `${initialKey}_renamed`;
+	const anotherKey = `${initialKey}_another`;
+	let attributeId: string;
+	let paginationBase: string;
+	let page1AttributeIds: string[] = [];
+
+	before((done) => getCredentials(done));
+
+	before(async () => {
+		connection = await MongoClient.connect(URL_MONGODB);
+
+		await updatePermission('abac-management', ['admin']);
+		await updateSetting('ABAC_Enabled', true);
+
+		testRoom = (await createRoom({ type: 'p', name: `abac-test-${Date.now()}` })).body.group;
+
+		unauthorizedUser = await createUser();
+		unauthorizedCredentials = await login(unauthorizedUser.username, password);
+	});
+
+	after(async () => {
+		await deleteRoom({ type: 'p', roomId: testRoom._id });
+		await deleteUser(unauthorizedUser);
+		await updateSetting('ABAC_Enabled', false);
+
+		await connection.close();
+	});
+
+	const v1 = '/api/v1';
+
+	describe('Permission & Authentication', () => {
+		it('GET /api/v1/abac/attributes should return 401 when not authenticated', async () => {
+			await request.get(`${v1}/abac/attributes`).expect(401);
+		});
+
+		it('POST /api/v1/abac/attributes should return 403 for user without abac-management permission', async () => {
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(unauthorizedCredentials)
+				.send({ key: 'nokey', values: ['v1'] })
+				.expect(403)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+					expect(res.body).to.have.property('error', 'User does not have the permissions required for this action [error-unauthorized]');
+				});
+		});
+	});
+
+	describe('Attribute Definition - Validations & CRUD', () => {
+		it('POST should fail with invalid key pattern (space)', async () => {
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(credentials)
+				.send({ key: 'invalid key with space', values: ['one'] })
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+				});
+		});
+
+		it('POST should fail with duplicate values', async () => {
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(credentials)
+				.send({ key: anotherKey, values: ['dup', 'dup'] })
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+				});
+		});
+
+		it('POST should fail with empty values array', async () => {
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(credentials)
+				.send({ key: `${anotherKey}_empty`, values: [] })
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+				});
+		});
+
+		it('POST should create a valid attribute definition', async () => {
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(credentials)
+				.send({ key: initialKey, values: ['red', 'green', 'blue'] })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				});
+		});
+
+		it('POST should allow more than 10 values for an attribute definition', async () => {
+			const manyValues = ['v1', 'v2', 'v3', 'v4', 'v5', 'v6', 'v7', 'v8', 'v9', 'v10', 'v11', 'v12'];
+
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(credentials)
+				.send({ key: `${anotherKey}_many_values`, values: manyValues })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				});
+
+			await request
+				.get(`${v1}/abac/attributes`)
+				.set(credentials)
+				.query({ key: `${anotherKey}_many_values` })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.have.property('attributes').that.is.an('array');
+					const found = res.body.attributes.find((a: any) => a.key === `${anotherKey}_many_values`);
+					expect(found).to.exist;
+					expect(found).to.have.property('values').that.deep.equals(manyValues);
+				});
+		});
+
+		it('POST should fail creating duplicate key', async () => {
+			await request.get(`${v1}/abac/attributes`).set(credentials).expect(200);
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(credentials)
+				.send({ key: initialKey, values: ['another'] })
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+				});
+		});
+
+		it('GET should list attributes including the created one', async () => {
+			await request
+				.get(`${v1}/abac/attributes`)
+				.set(credentials)
+				.query({ key: initialKey })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.have.property('attributes').that.is.an('array');
+					const found = res.body.attributes.find((a: any) => a.key === initialKey);
+					expect(found).to.exist;
+					expect(found).to.have.property('_id');
+					attributeId = found._id;
+				});
+		});
+
+		it('GET should paginate attributes (page 1)', async () => {
+			paginationBase = `pg_${Date.now()}`;
+			await Promise.all(
+				['a', 'b', 'c'].map((suffix) =>
+					request
+						.post(`${v1}/abac/attributes`)
+						.set(credentials)
+						.send({ key: `${paginationBase}_${suffix}`, values: ['one'] })
+						.expect(200),
+				),
+			);
+
+			await request
+				.get(`${v1}/abac/attributes`)
+				.set(credentials)
+				.query({ count: 2, offset: 0 })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.have.property('offset', 0);
+					expect(res.body).to.have.property('count', 2);
+					expect(res.body).to.have.property('total').that.is.a('number').and.to.be.at.least(4);
+					expect(res.body).to.have.property('attributes').that.is.an('array').with.lengthOf(2);
+					page1AttributeIds = res.body.attributes.map((a: any) => a._id);
+				});
+		});
+
+		it('GET should paginate attributes (page 2)', async () => {
+			await request
+				.get(`${v1}/abac/attributes`)
+				.set(credentials)
+				.query({ count: 2, offset: 2 })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.have.property('offset', 2);
+					expect(res.body).to.have.property('count').that.is.a('number');
+					expect(res.body.count).to.be.at.most(2);
+					expect(res.body).to.have.property('total').that.is.a('number').and.to.be.at.least(4);
+					expect(res.body).to.have.property('attributes').that.is.an('array');
+					const page2Ids = res.body.attributes.map((a: any) => a._id);
+					page2Ids.forEach((id: string) => {
+						expect(page1AttributeIds).to.not.include(id);
+					});
+				});
+		});
+
+		it('GET by id should retrieve attribute definition', async () => {
+			await request
+				.get(`${v1}/abac/attributes/${attributeId}`)
+				.set(credentials)
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.have.property('key', initialKey);
+					expect(res.body).to.have.property('values').that.is.an('array');
+				});
+		});
+
+		it('PUT should fail with empty body (needs key or values)', async () => {
+			await request
+				.put(`${v1}/abac/attributes/${attributeId}`)
+				.set(credentials)
+				.send({})
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+				});
+		});
+
+		it('PUT should update values only', async () => {
+			await request
+				.put(`${v1}/abac/attributes/${attributeId}`)
+				.set(credentials)
+				.send({ values: ['cyan', 'magenta', 'yellow'] })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				});
+
+			await request
+				.get(`${v1}/abac/attributes/${attributeId}`)
+				.set(credentials)
+				.expect(200)
+				.expect((res) => {
+					expect(res.body.values).to.deep.equal(['cyan', 'magenta', 'yellow']);
+				});
+		});
+
+		it('PUT should allow updating an attribute definition to have more than 10 values', async () => {
+			const manyValues = ['cyan', 'magenta', 'yellow', 'w4', 'w5', 'w6', 'w7', 'w8', 'w9', 'w10', 'w11', 'w12'];
+
+			await request
+				.put(`${v1}/abac/attributes/${attributeId}`)
+				.set(credentials)
+				.send({ values: manyValues })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				});
+
+			await request
+				.get(`${v1}/abac/attributes/${attributeId}`)
+				.set(credentials)
+				.expect(200)
+				.expect((res) => {
+					expect(res.body.values).to.deep.equal(manyValues);
+				});
+		});
+
+		it('PUT should update key only', async () => {
+			await request
+				.put(`${v1}/abac/attributes/${attributeId}`)
+				.set(credentials)
+				.send({ key: updatedKey })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				});
+
+			await request
+				.get(`${v1}/abac/attributes/${attributeId}`)
+				.set(credentials)
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('key', updatedKey);
+				});
+		});
+
+		it('PUT should update key only (key-updated)', async () => {
+			const testKey = `${initialKey}_update_test`;
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(credentials)
+				.send({ key: testKey, values: ['val1', 'val2'] })
+				.expect(200);
+
+			const listRes = await request.get(`${v1}/abac/attributes`).query({ key: testKey }).set(credentials).expect(200);
+
+			const attr = listRes.body.attributes.find((a: any) => a.key === testKey);
+			expect(attr).to.exist;
+			const attrId = attr._id;
+
+			const newKey = `${initialKey}_update_test_renamed`;
+			await request
+				.put(`${v1}/abac/attributes/${attrId}`)
+				.set(credentials)
+				.send({ key: newKey })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				});
+
+			await request
+				.get(`${v1}/abac/attributes/${attrId}`)
+				.set(credentials)
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('key', newKey);
+				});
+		});
+	});
+
+	describe('Room Attribute Operations', () => {
+		it('GET is-in-use should initially be false (no room usage yet)', async () => {
+			await request
+				.get(`${v1}/abac/attributes/${updatedKey}/is-in-use`)
+				.set(credentials)
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.have.property('inUse', false);
+				});
+		});
+
+		it('POST room attribute should fail with duplicate values', async () => {
+			await request
+				.post(`${v1}/abac/rooms/${testRoom._id}/attributes/${updatedKey}`)
+				.set(credentials)
+				.send({ values: ['dup', 'dup'] })
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+				});
+		});
+
+		it('POST room attribute should add values and reflect inUse=true', async () => {
+			await request
+				.post(`${v1}/abac/rooms/${testRoom._id}/attributes/${updatedKey}`)
+				.set(credentials)
+				.send({ values: ['cyan'] })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				});
+
+			// inUse endpoint should now be true
+			await request
+				.get(`${v1}/abac/attributes/${updatedKey}/is-in-use`)
+				.set(credentials)
+				.expect(200)
+				.expect((res) => {
+					expect(res.body.inUse).to.be.true;
+				});
+		});
+
+		it('should throw an error when trying to audit the messages of an abac managed room', async () => {
+			await request
+				.post(methodCall('auditGetMessages'))
+				.set(credentials)
+				.send({
+					message: JSON.stringify({
+						method: 'auditGetMessages',
+						params: [
+							{
+								type: '',
+								msg: 'test1234',
+								startDate: { $date: new Date() },
+								endDate: { $date: new Date() },
+								rid: testRoom._id,
+								users: [],
+							},
+						],
+						id: '14',
+						msg: 'method',
+					}),
+				})
+				.expect(200)
+				.expect((res) => {
+					const result = JSON.parse(res.body.message);
+					expect(result).to.have.property('error');
+					expect(result.error).to.have.property('error', `Room doesn't exist`);
+				});
+		});
+
+		it('PUT room attribute should replace values and keep inUse=true', async () => {
+			await request
+				.put(`${v1}/abac/rooms/${testRoom._id}/attributes/${updatedKey}`)
+				.set(credentials)
+				.send({ values: ['magenta', 'yellow'] })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				});
+
+			// inUse should remain true
+			await request
+				.get(`${v1}/abac/attributes/${updatedKey}/is-in-use`)
+				.set(credentials)
+				.expect(200)
+				.expect((res) => {
+					expect(res.body.inUse).to.be.true;
+				});
+		});
+
+		describe('DELETE room attribute key (dedicated room)', () => {
+			let dedicatedRoom: IRoom;
+
+			before(async () => {
+				dedicatedRoom = (await createRoom({ type: 'p', name: `abac-dedicated-${Date.now()}` })).body.group;
+			});
+
+			after(async () => {
+				await deleteRoom({ type: 'p', roomId: dedicatedRoom._id });
+			});
+
+			it('should succeed and remove only the specified key (key-removed)', async () => {
+				const key1 = `${initialKey}_room1`;
+				const key2 = `${initialKey}_room2`;
+
+				await request
+					.post(`${v1}/abac/attributes`)
+					.set(credentials)
+					.send({ key: key1, values: ['value1'] })
+					.expect(200);
+
+				await request
+					.post(`${v1}/abac/attributes`)
+					.set(credentials)
+					.send({ key: key2, values: ['value2'] })
+					.expect(200);
+
+				await addAbacAttributesToUserDirectly(credentials['X-User-Id'], [
+					{ key: key1, values: ['value1'] },
+					{ key: key2, values: ['value2'] },
+				]);
+
+				await request
+					.post(`${v1}/abac/rooms/${dedicatedRoom._id}/attributes`)
+					.set(credentials)
+					.send({ attributes: { [key1]: ['value1'], [key2]: ['value2'] } })
+					.expect(200);
+
+				await request
+					.delete(`${v1}/abac/rooms/${dedicatedRoom._id}/attributes/${key1}`)
+					.set(credentials)
+					.expect(200)
+					.expect((res) => {
+						expect(res.body).to.have.property('success', true);
+					});
+
+				const roomRes = await request.get(`${v1}/rooms.info?roomId=${dedicatedRoom._id}`).set(credentials);
+				expect(roomRes.status).to.equal(200);
+				const abacAttrs = roomRes.body.room?.abacAttributes || [];
+				expect(abacAttrs).to.be.an('array').that.has.lengthOf(1);
+				expect(abacAttrs[0]).to.have.property('key', key2);
+			});
+		});
+
+		it('DELETE room attribute key should succeed and clear usage/inUse=false', async () => {
+			await request
+				.delete(`${v1}/abac/rooms/${testRoom._id}/attributes/${updatedKey}`)
+				.set(credentials)
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				});
+
+			await request
+				.get(`${v1}/abac/attributes/${updatedKey}/is-in-use`)
+				.set(credentials)
+				.expect(200)
+				.expect((res) => {
+					expect(res.body.inUse).to.be.false;
+				});
+		});
+
+		it('DELETE all room attributes should succeed even if ABAC disabled', async () => {
+			await updateSetting('ABAC_Enabled', false);
+
+			await request
+				.delete(`${v1}/abac/rooms/${testRoom._id}/attributes`)
+				.set(credentials)
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				});
+
+			await updateSetting('ABAC_Enabled', true);
+		});
+	});
+
+	describe('Default and Team Default Room Restrictions', () => {
+		let privateDefaultRoomId: string;
+		let teamId: string;
+		let teamPrivateRoomId: string;
+		let teamDefaultRoomId: string;
+		const localAbacKey = `default_team_test_${Date.now()}`;
+		let mainRoomIdSaveSettings: string;
+		const teamName = `abac-team-${Date.now()}`;
+		const teamNameMainRoom = `abac-team-main-save-settings-${Date.now()}`;
+
+		before('create team main room for rooms.saveRoomSettings default restriction test', async () => {
+			const createTeamMain = await request
+				.post(`${v1}/teams.create`)
+				.set(credentials)
+				.send({ name: teamNameMainRoom, type: 1 })
+				.expect(200);
+
+			mainRoomIdSaveSettings = createTeamMain.body.team?.roomId;
+
+			await request.post(`${v1}/rooms.saveRoomSettings`).set(credentials).send({ rid: mainRoomIdSaveSettings, default: true }).expect(200);
+		});
+
+		before('create local ABAC attribute definition for tests', async () => {
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(credentials)
+				.send({ key: localAbacKey, values: ['red', 'green'] })
+				.expect(200);
+		});
+
+		before('create private room and try to set it as default', async () => {
+			const res = await createRoom({
+				type: 'p',
+				name: `abac-default-room-${Date.now()}`,
+			});
+			privateDefaultRoomId = res.body.group._id;
+
+			await request.post(`${v1}/rooms.saveRoomSettings`).set(credentials).send({ rid: privateDefaultRoomId, default: true }).expect(200);
+		});
+
+		before('create private team, private room inside it and set as team default', async () => {
+			const createTeamRes = await request.post(`${v1}/teams.create`).set(credentials).send({ name: teamName, type: 0 }).expect(200);
+			teamId = createTeamRes.body.team._id;
+
+			const roomRes = await createRoom({
+				type: 'p',
+				name: `abac-team-room-${Date.now()}`,
+				extraData: { teamId },
+			});
+			teamPrivateRoomId = roomRes.body.group._id;
+
+			const setDefaultRes = await request
+				.post(`${v1}/teams.updateRoom`)
+				.set(credentials)
+				.send({ teamId, roomId: teamPrivateRoomId, isDefault: true })
+				.expect(200);
+
+			if (setDefaultRes.body?.room?.teamDefault) {
+				teamDefaultRoomId = teamPrivateRoomId;
+			}
+		});
+
+		it('should fail adding ABAC attribute to private default room', async () => {
+			await request
+				.post(`${v1}/abac/rooms/${privateDefaultRoomId}/attributes/${localAbacKey}`)
+				.set(credentials)
+				.send({ values: ['red'] })
+				.expect(400)
+				.expect((res) => {
+					expect(res.body.success).to.be.false;
+					expect(res.body.error).to.include('error-cannot-convert-default-room-to-abac');
+				});
+		});
+
+		it('should fail adding ABAC attribute to team default private room', async () => {
+			await request
+				.post(`${v1}/abac/rooms/${teamDefaultRoomId}/attributes/${localAbacKey}`)
+				.set(credentials)
+				.send({ values: ['red'] })
+				.expect(400)
+				.expect((res) => {
+					expect(res.body.success).to.be.false;
+					expect(res.body.error).to.include('error-cannot-convert-default-room-to-abac');
+				});
+		});
+
+		it('should allow adding ABAC attribute after removing default flag from private room', async () => {
+			await request.post(`${v1}/rooms.saveRoomSettings`).set(credentials).send({ rid: privateDefaultRoomId, default: false }).expect(200);
+
+			await request
+				.post(`${v1}/abac/rooms/${privateDefaultRoomId}/attributes/${localAbacKey}`)
+				.set(credentials)
+				.send({ values: ['red'] })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body.success).to.be.true;
+				});
+		});
+
+		it('should allow adding ABAC attribute after removing team default flag', async () => {
+			await request
+				.post(`${v1}/teams.updateRoom`)
+				.set(credentials)
+				.send({ teamId, roomId: teamDefaultRoomId, isDefault: false })
+				.expect(200);
+
+			await request
+				.post(`${v1}/abac/rooms/${teamDefaultRoomId}/attributes/${localAbacKey}`)
+				.set(credentials)
+				.send({ values: ['green'] })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body.success).to.be.true;
+				});
+		});
+
+		it('should enforce restriction on team main room when default using rooms.saveRoomSettings', async () => {
+			await request
+				.post(`${v1}/abac/rooms/${mainRoomIdSaveSettings}/attributes/${localAbacKey}`)
+				.set(credentials)
+				.send({ values: ['red'] })
+				.expect(400)
+				.expect((res) => {
+					expect(res.body.success).to.be.false;
+					expect(res.body.error).to.include('error-cannot-convert-default-room-to-abac');
+				});
+
+			await request.post(`${v1}/rooms.saveRoomSettings`).set(credentials).send({ rid: mainRoomIdSaveSettings, default: false }).expect(200);
+
+			await request
+				.post(`${v1}/abac/rooms/${mainRoomIdSaveSettings}/attributes/${localAbacKey}`)
+				.set(credentials)
+				.send({ values: ['red'] })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body.success).to.be.true;
+				});
+		});
+
+		it('DELETE attribute definition should remove the key (key-removed)', async () => {
+			const testKey = `${initialKey}_delete_test`;
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(credentials)
+				.send({ key: testKey, values: ['del1', 'del2'] })
+				.expect(200);
+
+			const listRes = await request.get(`${v1}/abac/attributes`).query({ key: testKey }).set(credentials).expect(200);
+
+			const attr = listRes.body.attributes.find((a: any) => a.key === testKey);
+			expect(attr).to.exist;
+			const attrId = attr._id;
+
+			await request
+				.delete(`${v1}/abac/attributes/${attrId}`)
+				.set(credentials)
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				});
+
+			await request
+				.get(`${v1}/abac/attributes/${attrId}`)
+				.set(credentials)
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('error', 'error-attribute-not-found');
+				});
+		});
+
+		after(async () => {
+			await deleteRoom({ type: 'p', roomId: privateDefaultRoomId });
+			await deleteTeam(credentials, teamName);
+			await deleteTeam(credentials, teamNameMainRoom);
+		});
+	});
+
+	describe('Usage & Deletion', () => {
+		it('POST add room usage for attribute (re-add after clearing) and expect delete while in use to fail', async () => {
+			await request
+				.post(`${v1}/abac/rooms/${testRoom._id}/attributes/${updatedKey}`)
+				.set(credentials)
+				.send({ values: ['cyan'] })
+				.expect(200);
+
+			// Attempt to delete attribute while in use should fail
+			await request
+				.delete(`${v1}/abac/attributes/${attributeId}`)
+				.set(credentials)
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+					expect(res.body).to.have.property('error').that.includes('error-attribute-in-use');
+				});
+		});
+
+		it('GET is-in-use should reflect usage true before clearing, then false after removal', async () => {
+			await request
+				.get(`${v1}/abac/attributes/${updatedKey}/is-in-use`)
+				.set(credentials)
+				.expect(200)
+				.expect((res) => {
+					expect(res.body.inUse).to.be.true;
+				});
+
+			// Remove room attribute again
+			await request.delete(`${v1}/abac/rooms/${testRoom._id}/attributes/${updatedKey}`).set(credentials).expect(200);
+
+			await request
+				.get(`${v1}/abac/attributes/${updatedKey}/is-in-use`)
+				.set(credentials)
+				.expect(200)
+				.expect((res) => {
+					expect(res.body.inUse).to.be.false;
+				});
+		});
+
+		it('DELETE attribute definition should now succeed (no room usage)', async () => {
+			await request
+				.delete(`${v1}/abac/attributes/${attributeId}`)
+				.set(credentials)
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				});
+		});
+	});
+
+	describe('ABAC Managed Room Default Conversion Restrictions', () => {
+		const conversionAttrKey = `conversion_test_${Date.now()}`;
+		const teamName = `abac-conversion-team-${Date.now()}`;
+		let abacRoomId: string;
+		let teamIdForConversion: string;
+		let teamRoomId: string;
+
+		before('create attribute definition and ABAC-managed private room', async () => {
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(credentials)
+				.send({ key: conversionAttrKey, values: ['alpha', 'beta'] })
+				.expect(200);
+
+			const roomRes = await createRoom({
+				type: 'p',
+				name: `abac-conversion-room-${Date.now()}`,
+			});
+			abacRoomId = roomRes.body.group._id;
+
+			await request
+				.post(`${v1}/abac/rooms/${abacRoomId}/attributes/${conversionAttrKey}`)
+				.set(credentials)
+				.send({ values: ['alpha'] })
+				.expect(200);
+		});
+
+		before('create team, private room inside, add ABAC attribute', async () => {
+			// Public team
+			const teamRes = await request.post(`${v1}/teams.create`).set(credentials).send({ name: teamName, type: 0 }).expect(200);
+			teamIdForConversion = teamRes.body.team._id;
+
+			const teamRoomRes = await createRoom({
+				type: 'p',
+				name: `abac-team-conversion-room-${Date.now()}`,
+				extraData: { teamId: teamIdForConversion },
+			});
+			teamRoomId = teamRoomRes.body.group._id;
+
+			await request
+				.post(`${v1}/abac/rooms/${teamRoomId}/attributes/${conversionAttrKey}`)
+				.set(credentials)
+				.send({ values: ['beta'] })
+				.expect(200);
+		});
+
+		after(async () => {
+			await Promise.all([deleteTeam(credentials, teamName), deleteRoom({ type: 'p', roomId: abacRoomId })]);
+		});
+
+		it('should fail converting ABAC-managed private room into default room', async () => {
+			await request
+				.post(`${v1}/rooms.saveRoomSettings`)
+				.set(credentials)
+				.send({ rid: abacRoomId, default: true })
+				.expect(400)
+				.expect((res) => {
+					expect(res.body.success).to.be.false;
+					expect(res.body.error).to.include('Setting an ABAC managed room as default is not allowed [error-action-not-allowed]');
+				});
+		});
+
+		it('should fail converting ABAC-managed team room into team default room', async () => {
+			await request
+				.post(`${v1}/teams.updateRoom`)
+				.set(credentials)
+				.send({ teamId: teamIdForConversion, roomId: teamRoomId, isDefault: true })
+				.expect(400)
+				.expect((res) => {
+					expect(res.body.success).to.be.false;
+					expect(res.body.error).to.include('error-room-is-abac-managed');
+				});
+		});
+	});
+
+	describe('Extended Validations & Edge Cases', () => {
+		let secondAttributeId: string;
+		const firstKey = `${initialKey}_first`;
+		const secondKey = `${initialKey}_second`;
+		const bulkAttrPrefix = `bulk_${Date.now()}`;
+		const tempKeyForPattern = `Tmp${Date.now()}`;
+		const invalidCharKey = `bad*key`;
+		const invalidCharValue = `bad*value`;
+		const randomId = 'nonExistingId1234567890';
+
+		it('POST should create a second attribute definition for conflict tests', async () => {
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(credentials)
+				.send({ key: secondKey, values: ['alpha', 'beta', 'gamma'] })
+				.expect(200);
+
+			await request
+				.get(`${v1}/abac/attributes`)
+				.set(credentials)
+				.query({ key: secondKey })
+				.expect(200)
+				.expect((res) => {
+					const found = res.body.attributes.find((a: any) => a.key === secondKey);
+					expect(found).to.exist;
+					secondAttributeId = found._id;
+				});
+		});
+
+		it('POST should create an attribute definition for conflicts', async () => {
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(credentials)
+				.send({ key: firstKey, values: ['alpha', 'beta', 'gamma'] })
+				.expect(200);
+
+			await request
+				.get(`${v1}/abac/attributes`)
+				.set(credentials)
+				.query({ key: firstKey })
+				.expect(200)
+				.expect((res) => {
+					const found = res.body.attributes.find((a: any) => a.key === firstKey);
+					expect(found).to.exist;
+				});
+		});
+
+		it('PUT attribute should fail when renaming to an existing key (duplicate key)', async () => {
+			await request
+				.put(`${v1}/abac/attributes/${secondAttributeId}`)
+				.set(credentials)
+				.send({ key: firstKey })
+				.expect(400)
+				.expect((res) => {
+					expect(res.body.success).to.be.false;
+				});
+		});
+
+		it('PUT attribute should fail when values array has duplicates', async () => {
+			await request
+				.put(`${v1}/abac/attributes/${secondAttributeId}`)
+				.set(credentials)
+				.send({ values: ['alpha', 'alpha'] })
+				.expect(400);
+		});
+
+		it('PUT attribute should fail when values array empty', async () => {
+			await request.put(`${v1}/abac/attributes/${secondAttributeId}`).set(credentials).send({ values: [] }).expect(400);
+		});
+
+		it('GET attribute by invalid/non-existing id should fail', async () => {
+			await request.get(`${v1}/abac/attributes/${randomId}`).set(credentials).expect(400);
+		});
+
+		it('DELETE attribute by invalid/non-existing id should fail', async () => {
+			await request.delete(`${v1}/abac/attributes/${randomId}`).set(credentials).expect(400);
+		});
+
+		it('PUT attribute by invalid/non-existing id should fail', async () => {
+			await request
+				.put(`${v1}/abac/attributes/${randomId}`)
+				.set(credentials)
+				.send({ key: `${tempKeyForPattern}_X` })
+				.expect(400);
+		});
+
+		it('POST attribute should fail with invalid key pattern (special char)', async () => {
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(credentials)
+				.send({ key: invalidCharKey, values: ['ok'] })
+				.expect(400);
+		});
+
+		it('POST attribute should fail with invalid value pattern (special char in value)', async () => {
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(credentials)
+				.send({ key: `${tempKeyForPattern}_values`, values: [invalidCharValue] })
+				.expect(400);
+		});
+
+		it('POST attribute should succeed with exactly 10 values (boundary)', async () => {
+			const tenValues = Array.from({ length: 10 }, (_, i) => `b${i}`);
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(credentials)
+				.send({ key: `${tempKeyForPattern}_maxvals`, values: tenValues })
+				.expect(200);
+		});
+
+		it('GET attributes with count=100 should succeed (boundary)', async () => {
+			await request
+				.get(`${v1}/abac/attributes`)
+				.set(credentials)
+				.query({ count: 100 })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('count');
+				});
+		});
+
+		it('GET attributes should fail with negative offset', async () => {
+			await request.get(`${v1}/abac/attributes`).set(credentials).query({ offset: -1 }).expect(400);
+		});
+
+		it('GET attributes should fail with unexpected extra query parameter', async () => {
+			await request.get(`${v1}/abac/attributes`).set(credentials).query({ extraneous: 'param' }).expect(400);
+		});
+
+		it('GET attributes should fail with invalid value pattern in values filter', async () => {
+			await request
+				.get(`${v1}/abac/attributes`)
+				.set(credentials)
+				.query({ values: [invalidCharValue] })
+				.expect(400);
+		});
+
+		it('GET attributes should filter by values when valid (expect subset or empty)', async () => {
+			await request
+				.get(`${v1}/abac/attributes`)
+				.set(credentials)
+				.query({ values: 'magenta' })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body.success).to.be.true;
+				});
+		});
+
+		describe('Room attribute bulk operations validations', () => {
+			it('POST bulk room attributes should fail when more than 10 distinct attribute keys provided', async () => {
+				const tooMany: Record<string, string[]> = {};
+				for (let i = 0; i < 11; i++) tooMany[`${bulkAttrPrefix}_${i}`] = ['v1'];
+				await request.post(`${v1}/abac/rooms/${testRoom._id}/attributes`).set(credentials).send({ attributes: tooMany }).expect(400);
+			});
+
+			it('POST bulk room attributes should fail when one attribute has >10 values', async () => {
+				const bigValues = Array.from({ length: 11 }, (_, i) => `v${i}`);
+				await request
+					.post(`${v1}/abac/rooms/${testRoom._id}/attributes`)
+					.set(credentials)
+					.send({ attributes: { [`${bulkAttrPrefix}_k1`]: bigValues } })
+					.expect(400);
+			});
+
+			it('POST bulk room attributes should fail when using a value not in attribute definition', async () => {
+				await request
+					.post(`${v1}/abac/rooms/${testRoom._id}/attributes`)
+					.set(credentials)
+					.send({ attributes: { [secondKey]: ['alpha', 'delta'] } })
+					.expect(400);
+			});
+
+			it('POST bulk room attributes should succeed when providing valid subset for existing definitions', async () => {
+				await request
+					.post(`${v1}/abac/rooms/${testRoom._id}/attributes`)
+					.set(credentials)
+					.send({
+						attributes: {
+							[secondKey]: ['alpha', 'beta'],
+						},
+					})
+					.expect(200);
+			});
+		});
+
+		describe('Room attribute key/value validation edge cases', () => {
+			it('POST single room attribute should fail with >10 values', async () => {
+				const eleven = Array.from({ length: 11 }, (_, i) => `x${i}`);
+				await request
+					.post(`${v1}/abac/rooms/${testRoom._id}/attributes/${secondKey}`)
+					.set(credentials)
+					.send({ values: eleven })
+					.expect(400);
+			});
+
+			it('POST single room attribute should fail when value not allowed by definition', async () => {
+				await request
+					.post(`${v1}/abac/rooms/${testRoom._id}/attributes/${secondKey}`)
+					.set(credentials)
+					.send({ values: ['alpha', 'zzz'] })
+					.expect(400);
+			});
+
+			it('PUT single room attribute should fail with value not in definition', async () => {
+				await request
+					.put(`${v1}/abac/rooms/${testRoom._id}/attributes/${secondKey}`)
+					.set(credentials)
+					.send({ values: ['gamma', 'invalid'] })
+					.expect(400);
+			});
+		});
+
+		describe('Room attribute limits (max 10 attribute keys)', () => {
+			const tempAttrKeys: string[] = [];
+			it('Reset room attributes before limit test and populate with 10 keys', async () => {
+				await request.delete(`${v1}/abac/rooms/${testRoom._id}/attributes`).set(credentials).expect(200);
+
+				const timestamp = Date.now();
+				const keys = Array.from({ length: 10 }, (_, i) => `limitk_${timestamp}_${i}`);
+				tempAttrKeys.push(...keys);
+				await Promise.all(
+					keys.map((k) =>
+						request
+							.post(`${v1}/abac/attributes`)
+							.set(credentials)
+							.send({ key: k, values: ['v1'] })
+							.expect(200)
+							.then(() =>
+								request
+									.post(`${v1}/abac/rooms/${testRoom._id}/attributes/${k}`)
+									.set(credentials)
+									.send({ values: ['v1'] })
+									.expect(200),
+							),
+					),
+				);
+			});
+
+			it('Adding an 11th attribute key to room should fail', async () => {
+				const extraKey = `limitk_extra_${Date.now()}`;
+				await request
+					.post(`${v1}/abac/attributes`)
+					.set(credentials)
+					.send({ key: extraKey, values: ['v1'] })
+					.expect(200);
+
+				await request
+					.post(`${v1}/abac/rooms/${testRoom._id}/attributes/${extraKey}`)
+					.set(credentials)
+					.send({ values: ['v1'] })
+					.expect(400);
+			});
+		});
+
+		describe('Permission & Auth extended checks', () => {
+			it('POST /abac/rooms/:rid/attributes/:key should return 403 for unauthorized user', async () => {
+				await request
+					.post(`${v1}/abac/rooms/${testRoom._id}/attributes/${secondKey}`)
+					.set(unauthorizedCredentials)
+					.send({ values: ['alpha'] })
+					.expect(403);
+			});
+
+			it('PUT /abac/rooms/:rid/attributes/:key should return 403 for unauthorized user', async () => {
+				await request
+					.put(`${v1}/abac/rooms/${testRoom._id}/attributes/${secondKey}`)
+					.set(unauthorizedCredentials)
+					.send({ values: ['alpha'] })
+					.expect(403);
+			});
+
+			it('DELETE /abac/rooms/:rid/attributes/:key should return 403 for unauthorized user', async () => {
+				await request.delete(`${v1}/abac/rooms/${testRoom._id}/attributes/${secondKey}`).set(unauthorizedCredentials).expect(403);
+			});
+
+			it('GET /abac/attributes/:key/is-in-use should return 403 for unauthorized user', async () => {
+				await request.get(`${v1}/abac/attributes/${secondKey}/is-in-use`).set(unauthorizedCredentials).expect(403);
+			});
+		});
+
+		describe('ABAC Disabled behavior for protected endpoints', () => {
+			before(async () => {
+				await updateSetting('ABAC_Enabled', false);
+			});
+
+			it('POST /abac/attributes should fail with error-abac-not-enabled', async () => {
+				await request
+					.post(`${v1}/abac/attributes`)
+					.set(credentials)
+					.send({ key: `disabled_${Date.now()}`, values: ['one'] })
+					.expect(400)
+					.expect((res) => {
+						expect(res.body.error).to.include('error-abac-not-enabled');
+					});
+			});
+
+			it('PUT /abac/attributes/:_id should fail while disabled', async () => {
+				await request
+					.put(`${v1}/abac/attributes/${secondAttributeId}`)
+					.set(credentials)
+					.send({ values: ['alpha'] })
+					.expect(400)
+					.expect((res) => {
+						expect(res.body.error).to.include('error-abac-not-enabled');
+					});
+			});
+
+			it('POST /abac/rooms/:rid/attributes/:key should fail while disabled', async () => {
+				await request
+					.post(`${v1}/abac/rooms/${testRoom._id}/attributes/${secondKey}`)
+					.set(credentials)
+					.send({ values: ['alpha'] })
+					.expect(400)
+					.expect((res) => {
+						expect(res.body.error).to.include('error-abac-not-enabled');
+					});
+			});
+
+			it('PUT /abac/rooms/:rid/attributes/:key should fail while disabled', async () => {
+				await request
+					.put(`${v1}/abac/rooms/${testRoom._id}/attributes/${secondKey}`)
+					.set(credentials)
+					.send({ values: ['alpha'] })
+					.expect(400)
+					.expect((res) => {
+						expect(res.body.error).to.include('error-abac-not-enabled');
+					});
+			});
+
+			it('POST /abac/rooms/:rid/attributes (bulk replace) should fail while disabled', async () => {
+				await request
+					.post(`${v1}/abac/rooms/${testRoom._id}/attributes`)
+					.set(credentials)
+					.send({ attributes: { [secondKey]: ['alpha'] } })
+					.expect(400)
+					.expect((res) => {
+						expect(res.body.error).to.include('error-abac-not-enabled');
+					});
+			});
+
+			after(async () => {
+				await updateSetting('ABAC_Enabled', true);
+			});
+		});
+
+		describe('ABAC Room Type Conversion', () => {
+			const attrKey = `type_conversion_${Date.now()}`;
+
+			let roomNoAttr: string;
+			let roomWithAttr: string;
+			let roomWithAttrAbacDisabled: string;
+
+			before(async () => {
+				await updateSetting('ABAC_Enabled', true);
+
+				await request
+					.post(`${v1}/abac/attributes`)
+					.set(credentials)
+					.send({ key: attrKey, values: ['val1', 'val2'] })
+					.expect(200);
+
+				roomNoAttr = (await createRoom({ type: 'p', name: `abac-type-room-no-attr-${Date.now()}` })).body.group._id;
+
+				roomWithAttr = (await createRoom({ type: 'p', name: `abac-type-room-with-attr-${Date.now()}` })).body.group._id;
+				await request
+					.post(`${v1}/abac/rooms/${roomWithAttr}/attributes/${attrKey}`)
+					.set(credentials)
+					.send({ values: ['val1'] })
+					.expect(200);
+
+				roomWithAttrAbacDisabled = (await createRoom({ type: 'p', name: `abac-type-room-with-attr-disabled-${Date.now()}` })).body.group
+					._id;
+				await request
+					.post(`${v1}/abac/rooms/${roomWithAttrAbacDisabled}/attributes/${attrKey}`)
+					.set(credentials)
+					.send({ values: ['val2'] })
+					.expect(200);
+			});
+
+			after(async () => {
+				await updateSetting('ABAC_Enabled', false);
+				await Promise.all([
+					deleteRoom({ type: 'c', roomId: roomNoAttr }),
+					deleteRoom({ type: 'p', roomId: roomWithAttr }),
+					deleteRoom({ type: 'c', roomId: roomWithAttrAbacDisabled }),
+				]);
+			});
+
+			it('should convert private room without ABAC attributes to public', async () => {
+				await request
+					.post(`${v1}/rooms.saveRoomSettings`)
+					.set(credentials)
+					.send({ rid: roomNoAttr, roomType: 'c' })
+					.expect(200)
+					.expect((res) => {
+						expect(res.body.success).to.be.true;
+					});
+			});
+
+			it('should fail converting ABAC managed private room to public', async () => {
+				await request
+					.post(`${v1}/rooms.saveRoomSettings`)
+					.set(credentials)
+					.send({ rid: roomWithAttr, roomType: 'c' })
+					.expect(400)
+					.expect((res) => {
+						expect(res.body.success).to.be.false;
+						expect(res.body.error).to.include('Changing an ABAC managed private room to public is not allowed');
+					});
+			});
+
+			it('should allow converting ABAC managed private room to public when ABAC disabled', async () => {
+				await updateSetting('ABAC_Enabled', false);
+
+				await request
+					.post(`${v1}/rooms.saveRoomSettings`)
+					.set(credentials)
+					.send({ rid: roomWithAttrAbacDisabled, roomType: 'c' })
+					.expect(200)
+					.expect((res) => {
+						expect(res.body.success).to.be.true;
+					});
+			});
+		});
+
+		describe('ABAC Team Type Conversion', () => {
+			const attrKeyTeam = `team_type_conversion_${Date.now()}`;
+			const teamNameWithAttr = `abac-team-with-attr-${Date.now()}`;
+			const teamNameWithAttrAbacDisabled = `abac-team-with-attr-disabled-${Date.now()}`;
+
+			let teamNameNoAttr: string;
+			let mainRoomIdNoAttr: string;
+			let mainRoomIdWithAttr: string;
+			let mainRoomIdWithAttrAbacDisabled: string;
+
+			before(async () => {
+				await updateSetting('ABAC_Enabled', true);
+
+				await request
+					.post(`${v1}/abac/attributes`)
+					.set(credentials)
+					.send({ key: attrKeyTeam, values: ['alpha', 'beta'] })
+					.expect(200);
+
+				teamNameNoAttr = `abac-team-no-attr-${Date.now()}`;
+				const teamNoAttrRes = await request.post(`${v1}/teams.create`).set(credentials).send({ name: teamNameNoAttr, type: 1 }).expect(200);
+				mainRoomIdNoAttr = teamNoAttrRes.body.team.roomId;
+
+				const teamWithAttrRes = await request
+					.post(`${v1}/teams.create`)
+					.set(credentials)
+					.send({ name: teamNameWithAttr, type: 1 })
+					.expect(200);
+				mainRoomIdWithAttr = teamWithAttrRes.body.team.roomId;
+				await request
+					.post(`${v1}/abac/rooms/${mainRoomIdWithAttr}/attributes/${attrKeyTeam}`)
+					.set(credentials)
+					.send({ values: ['alpha'] })
+					.expect(200);
+
+				const teamWithAttrDisRes = await request
+					.post(`${v1}/teams.create`)
+					.set(credentials)
+					.send({ name: teamNameWithAttrAbacDisabled, type: 1 })
+					.expect(200);
+				mainRoomIdWithAttrAbacDisabled = teamWithAttrDisRes.body.team.roomId;
+				await request
+					.post(`${v1}/abac/rooms/${mainRoomIdWithAttrAbacDisabled}/attributes/${attrKeyTeam}`)
+					.set(credentials)
+					.send({ values: ['beta'] })
+					.expect(200);
+			});
+
+			after(async () => {
+				await updateSetting('ABAC_Enabled', false);
+				await Promise.all([
+					deleteTeam(credentials, teamNameNoAttr),
+					deleteTeam(credentials, teamNameWithAttr),
+					deleteTeam(credentials, teamNameWithAttrAbacDisabled),
+				]);
+			});
+
+			it('should convert private team (main room) without ABAC attributes to public', async () => {
+				await request
+					.post(`${v1}/rooms.saveRoomSettings`)
+					.set(credentials)
+					.send({ rid: mainRoomIdNoAttr, roomType: 'c' })
+					.expect(200)
+					.expect((res) => {
+						expect(res.body.success).to.be.true;
+					});
+			});
+
+			it('should fail converting private team (main room) with ABAC attributes to public', async () => {
+				await request
+					.post(`${v1}/rooms.saveRoomSettings`)
+					.set(credentials)
+					.send({ rid: mainRoomIdWithAttr, roomType: 'c' })
+					.expect(400)
+					.expect((res) => {
+						expect(res.body.success).to.be.false;
+						// Ideally this should say "Changing an ABAC managed private team to public is not allowed" but the room check is done before the team check
+						// And it fails there
+						expect(res.body.error).to.include('Changing an ABAC managed private room to public is not allowed');
+					});
+			});
+
+			it('should allow converting private team (main room) with ABAC attributes to public when ABAC disabled', async () => {
+				await updateSetting('ABAC_Enabled', false);
+
+				await request
+					.post(`${v1}/rooms.saveRoomSettings`)
+					.set(credentials)
+					.send({ rid: mainRoomIdWithAttrAbacDisabled, roomType: 'c' })
+					.expect(200)
+					.expect((res) => {
+						expect(res.body.success).to.be.true;
+					});
+			});
+		});
+
+		describe('Invite links & ABAC management', () => {
+			const inviteAttrKey = `invite_attr_${Date.now()}`;
+			const validateAttrKey = `invite_val_attr_${Date.now()}`;
+			let managedRoomId: string;
+			let plainRoomId: string;
+			let plainRoomInviteToken: string;
+			const createdInviteIds: string[] = [];
+
+			before(async () => {
+				await updatePermission('create-invite-links', ['admin']);
+				await updateSetting('ABAC_Enabled', true);
+			});
+
+			it('should create an invite link for a private room without ABAC attributes when ABAC is enabled', async () => {
+				const plainRoom = (await createRoom({ type: 'p', name: `invite-plain-${Date.now()}` })).body.group;
+				plainRoomId = plainRoom._id;
+
+				await request
+					.post(`${v1}/findOrCreateInvite`)
+					.set(credentials)
+					.send({ rid: plainRoomId, days: 1, maxUses: 0 })
+					.expect(200)
+					.expect((res) => {
+						expect(res.body).to.have.property('success', true);
+						expect(res.body).to.have.property('rid', plainRoomId);
+						expect(res.body).to.have.property('days', 1);
+						expect(res.body).to.have.property('maxUses', 0);
+						plainRoomInviteToken = res.body._id;
+						createdInviteIds.push(plainRoomInviteToken);
+					});
+			});
+
+			it('validateInviteToken should return valid=true for token from non-ABAC managed room', async () => {
+				await request
+					.post(`${v1}/validateInviteToken`)
+					.send({ token: plainRoomInviteToken })
+					.expect(200)
+					.expect((res) => {
+						expect(res.body).to.have.property('success', true);
+						expect(res.body).to.have.property('valid', true);
+					});
+			});
+
+			it('validateInviteToken should return valid=false for random invalid token', async () => {
+				await request
+					.post(`${v1}/validateInviteToken`)
+					.send({ token: 'invalid123' })
+					.expect(200)
+					.expect((res) => {
+						expect(res.body).to.have.property('success', true);
+						expect(res.body).to.have.property('valid', false);
+					});
+			});
+
+			it('validateInviteToken should return valid=false after room becomes ABAC managed', async () => {
+				await request
+					.post(`${v1}/abac/attributes`)
+					.set(credentials)
+					.send({ key: validateAttrKey, values: ['one'] })
+					.expect(200)
+					.expect((res) => {
+						expect(res.body).to.have.property('success', true);
+					});
+
+				await addAbacAttributesToUserDirectly(credentials['X-User-Id'], [{ key: validateAttrKey, values: ['one'] }]);
+
+				await request
+					.post(`${v1}/abac/rooms/${plainRoomId}/attributes/${validateAttrKey}`)
+					.set(credentials)
+					.send({ values: ['one'] })
+					.expect(200)
+					.expect((res) => {
+						expect(res.body).to.have.property('success', true);
+					});
+
+				await request
+					.post(`${v1}/validateInviteToken`)
+					.send({ token: plainRoomInviteToken })
+					.expect(200)
+					.expect((res) => {
+						expect(res.body).to.have.property('success', true);
+						expect(res.body).to.have.property('valid', false);
+					});
+			});
+
+			it('validateInviteToken should return valid=true again after disabling ABAC', async () => {
+				await updateSetting('ABAC_Enabled', false);
+
+				await request
+					.post(`${v1}/validateInviteToken`)
+					.send({ token: plainRoomInviteToken })
+					.expect(200)
+					.expect((res) => {
+						expect(res.body).to.have.property('success', true);
+						expect(res.body).to.have.property('valid', true);
+					});
+
+				await updateSetting('ABAC_Enabled', true);
+			});
+
+			it('should fail creating an invite link for an ABAC managed room while ABAC is enabled', async () => {
+				const managedRoom = (await createRoom({ type: 'p', name: `invite-managed-${Date.now()}` })).body.group;
+				managedRoomId = managedRoom._id;
+
+				await request
+					.post(`${v1}/abac/attributes`)
+					.set(credentials)
+					.send({ key: inviteAttrKey, values: ['one'] })
+					.expect(200)
+					.expect((res) => {
+						expect(res.body).to.have.property('success', true);
+					});
+
+				await addAbacAttributesToUserDirectly(credentials['X-User-Id'], [{ key: inviteAttrKey, values: ['one'] }]);
+
+				await request
+					.post(`${v1}/abac/rooms/${managedRoomId}/attributes/${inviteAttrKey}`)
+					.set(credentials)
+					.send({ values: ['one'] })
+					.expect(200)
+					.expect((res) => {
+						expect(res.body).to.have.property('success', true);
+					});
+
+				await request
+					.post(`${v1}/findOrCreateInvite`)
+					.set(credentials)
+					.send({ rid: managedRoomId, days: 1, maxUses: 0 })
+					.expect(400)
+					.expect((res) => {
+						expect(res.body).to.have.property('success', false);
+						expect(res.body).to.have.property('errorType', 'error-invalid-room');
+						expect(res.body).to.have.property('error').that.includes('Room is ABAC managed');
+					});
+			});
+
+			it('should allow creating an invite link for previously ABAC managed room after disabling ABAC', async () => {
+				await updateSetting('ABAC_Enabled', false);
+
+				await request
+					.post(`${v1}/findOrCreateInvite`)
+					.set(credentials)
+					.send({ rid: managedRoomId, days: 1, maxUses: 0 })
+					.expect(200)
+					.expect((res) => {
+						expect(res.body).to.have.property('success', true);
+						expect(res.body).to.have.property('rid', managedRoomId);
+						createdInviteIds.push(res.body._id);
+					});
+			});
+
+			after(async () => {
+				await Promise.all(createdInviteIds.map((id) => request.delete(`${v1}/removeInvite/${id}`).set(credentials)));
+
+				await deleteRoom({ type: 'p', roomId: plainRoomId });
+				await deleteRoom({ type: 'p', roomId: managedRoomId });
+			});
+		});
+	});
+
+	describe('Room access (invite, addition)', () => {
+		let roomWithoutAttr: IRoom;
+		let roomWithAttr: IRoom;
+		const accessAttrKey = `access_attr_${Date.now()}`;
+
+		before(async () => {
+			await updateSetting('ABAC_Enabled', true);
+
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(credentials)
+				.send({ key: accessAttrKey, values: ['v1'] })
+				.expect(200);
+
+			// We have to add them directly cause otherwise the abac engine would kick the user from the room after the attribute is added
+			await addAbacAttributesToUserDirectly(credentials['X-User-Id'], [{ key: accessAttrKey, values: ['v1'] }]);
+
+			// Create two private rooms: one will stay without attributes, the other will get the attribute
+			roomWithoutAttr = (await createRoom({ type: 'p', name: `abac-access-noattr-${Date.now()}` })).body.group;
+			roomWithAttr = (await createRoom({ type: 'p', name: `abac-access-withattr-${Date.now()}` })).body.group;
+
+			// Assign the attribute to the second room
+			await request
+				.post(`${v1}/abac/rooms/${roomWithAttr._id}/attributes/${accessAttrKey}`)
+				.set(credentials)
+				.send({ values: ['v1'] })
+				.expect(200);
+		});
+
+		after(async () => {
+			await deleteRoom({ type: 'p', roomId: roomWithoutAttr._id });
+			await deleteRoom({ type: 'p', roomId: roomWithAttr._id });
+		});
+
+		it('INVITE: user without attributes invited to room without attributes succeeds', async () => {
+			await request
+				.post(`${v1}/groups.invite`)
+				.set(credentials)
+				.send({ roomId: roomWithoutAttr._id, usernames: [unauthorizedUser.username] })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				});
+		});
+
+		it('INVITE: user without attributes invited to room with attributes should fail', async () => {
+			await request
+				.post(`${v1}/groups.invite`)
+				.set(credentials)
+				.send({ roomId: roomWithAttr._id, usernames: [unauthorizedUser.username] })
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+					expect(res.body).to.have.property('errorType', 'error-only-compliant-users-can-be-added-to-abac-rooms');
+				});
+		});
+
+		it('INVITE: after room loses attributes user without attributes can be invited', async () => {
+			await request.delete(`${v1}/abac/rooms/${roomWithAttr._id}/attributes/${accessAttrKey}`).set(credentials).expect(200);
+
+			await request
+				.post(`${v1}/groups.invite`)
+				.set(credentials)
+				.send({ roomId: roomWithAttr._id, usernames: [unauthorizedUser.username] })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				});
+		});
+
+		describe('ABAC disabled with ABAC-managed room', () => {
+			let enabledAccessAttrKey: string;
+			let enabledUser: IUser;
+			let managedRoom: IRoom;
+
+			before(async () => {
+				enabledAccessAttrKey = `${accessAttrKey}_disabled_case`;
+
+				await request
+					.post(`${v1}/abac/attributes`)
+					.set(credentials)
+					.send({ key: enabledAccessAttrKey, values: ['v1'] })
+					.expect(200);
+
+				await addAbacAttributesToUserDirectly(credentials['X-User-Id'], [{ key: enabledAccessAttrKey, values: ['v1'] }]);
+
+				managedRoom = (await createRoom({ type: 'p', name: `abac-access-disabled-${Date.now()}` })).body.group;
+
+				await request
+					.post(`${v1}/abac/rooms/${managedRoom._id}/attributes/${enabledAccessAttrKey}`)
+					.set(credentials)
+					.send({ values: ['v1'] })
+					.expect(200);
+
+				const username = `abac-enabled-user-${Date.now()}`;
+				const createUserRes = await request
+					.post(`${v1}/users.create`)
+					.set(credentials)
+					.send({
+						email: `${username}@example.com`,
+						name: username,
+						username,
+						password: 'pass@123',
+					})
+					.expect(200);
+
+				enabledUser = createUserRes.body.user;
+				await addAbacAttributesToUserDirectly(enabledUser._id, [{ key: enabledAccessAttrKey, values: ['v1'] }]);
+
+				await updateSetting('ABAC_Enabled', false);
+			});
+
+			after(async () => {
+				await updateSetting('ABAC_Enabled', true);
+
+				await deleteRoom({ type: 'p', roomId: managedRoom._id });
+				await deleteUser(enabledUser);
+			});
+
+			it('INVITE: should fail adding user to ABAC-managed private room when ABAC is disabled', async () => {
+				await request
+					.post(`${v1}/groups.invite`)
+					.set(credentials)
+					.send({ roomId: managedRoom._id, usernames: [enabledUser.username] })
+					.expect(400)
+					.expect((res) => {
+						expect(res.body).to.have.property('success', false);
+						expect(res.body).to.have.property('errorType', 'error-room-is-abac-managed');
+					});
+			});
+
+			it('INVITE: should still fail after user loses attributes when ABAC is disabled', async () => {
+				await addAbacAttributesToUserDirectly(enabledUser._id, [{ key: enabledAccessAttrKey, values: [] }]);
+
+				await request
+					.post(`${v1}/groups.invite`)
+					.set(credentials)
+					.send({ roomId: managedRoom._id, usernames: [enabledUser.username] })
+					.expect(400)
+					.expect((res) => {
+						expect(res.body).to.have.property('success', false);
+						expect(res.body).to.have.property('errorType', 'error-room-is-abac-managed');
+					});
+			});
+		});
+	});
+
+	describe('Room access (after subscribed)', () => {
+		let cacheRoom: IRoom;
+		const cacheAttrKey = `access_cache_attr_${Date.now()}`;
+		let cacheUser: IUser;
+		let cacheUserCreds: Credentials;
+		const ttlSeconds = 5;
+
+		before(async function () {
+			this.timeout(10000);
+
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(credentials)
+				.send({ key: cacheAttrKey, values: ['on'] })
+				.expect(200);
+
+			cacheRoom = (await createRoom({ type: 'p', name: `abac-cache-room-${Date.now()}` })).body.group;
+
+			cacheUser = await createUser();
+			cacheUserCreds = await login(cacheUser.username, password);
+			await addAbacAttributesToUserDirectly(cacheUser._id, [{ key: cacheAttrKey, values: ['on'] }]);
+			await addAbacAttributesToUserDirectly(credentials['X-User-Id'], [{ key: cacheAttrKey, values: ['on'] }]);
+
+			await request
+				.post(`${v1}/abac/rooms/${cacheRoom._id}/attributes/${cacheAttrKey}`)
+				.set(credentials)
+				.send({ values: ['on'] })
+				.expect(200);
+
+			await request
+				.post(`${v1}/groups.invite`)
+				.set(credentials)
+				.send({ roomId: cacheRoom._id, usernames: [cacheUser.username] })
+				.expect(200);
+
+			await updateSetting('Abac_Cache_Decision_Time_Seconds', ttlSeconds);
+
+			await request
+				.post(`${v1}/chat.sendMessage`)
+				.set(credentials)
+				.send({ message: { rid: cacheRoom._id, msg: 'Seed message for cache access test' } })
+				.expect(200);
+		});
+
+		after(async () => {
+			await deleteRoom({ type: 'p', roomId: cacheRoom._id });
+			await deleteUser(cacheUser);
+			await updateSetting('Abac_Cache_Decision_Time_Seconds', 300);
+		});
+
+		it('ACCESS: user can retrieve messages after subscription (initial compliant)', async () => {
+			await request
+				.get(`/api/v1/groups.history`)
+				.set(cacheUserCreds)
+				.query({ roomId: cacheRoom._id })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.have.property('messages').that.is.an('array');
+				});
+		});
+
+		it('ACCESS: user retains access within cache after losing attributes', async () => {
+			await addAbacAttributesToUserDirectly(cacheUser._id, []);
+
+			await request
+				.get(`/api/v1/groups.history`)
+				.set(cacheUserCreds)
+				.query({ roomId: cacheRoom._id })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				});
+		});
+
+		it('ACCESS: user loses access after cache expiry', async () => {
+			await updateSetting('Abac_Cache_Decision_Time_Seconds', 0);
+
+			await request
+				.get(`${v1}/groups.history`)
+				.set(cacheUserCreds)
+				.query({ roomId: cacheRoom._id })
+				.expect(403)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+				});
+		});
+
+		it('ACCESS: user is removed from the room when the access check fails', async () => {
+			const roomInfoRes = await request
+				.get(`${v1}/rooms.membersOrderedByRole`)
+				.set(credentials)
+				.query({ roomId: cacheRoom._id })
+				.expect(200);
+			const { members } = roomInfoRes.body;
+
+			expect(members.find((m: IUser) => m.username === cacheUser.username)).to.be.undefined;
+		});
+
+		it('ACCESS: user can be re invited to the room and access history', async () => {
+			await addAbacAttributesToUserDirectly(cacheUser._id, [{ key: cacheAttrKey, values: ['on'] }]);
+			await request
+				.post(`${v1}/groups.invite`)
+				.set(credentials)
+				.send({ roomId: cacheRoom._id, usernames: [cacheUser.username] })
+				.expect(200);
+
+			await request
+				.get(`/api/v1/groups.history`)
+				.set(cacheUserCreds)
+				.query({ roomId: cacheRoom._id })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				});
+		});
+
+		it('ACCESS: keeps access once room attributes are removed', async () => {
+			await request.delete(`${v1}/abac/rooms/${cacheRoom._id}/attributes/${cacheAttrKey}`).set(credentials).expect(200);
+
+			await request
+				.get(`${v1}/groups.history`)
+				.set(cacheUserCreds)
+				.query({ roomId: cacheRoom._id })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				});
+		});
+	});
+
+	describe('list abac rooms', () => {
+		const listAttrKey1 = `list_attr_1_${Date.now()}`;
+		const listAttrKey2 = `list_attr_2_${Date.now()}`;
+		const listRoomName1 = `abac-list-room-1-${Date.now()}`;
+		const listRoomName2 = `abac-list-room-2-${Date.now()}`;
+		const listRoomNoAttrName = `abac-list-room-noattr-${Date.now()}`;
+
+		let listRoomId1: string;
+		let listRoomId2: string;
+		let listRoomNoAttrId: string;
+
+		before('ensure ABAC enabled and create attribute definitions & rooms', async () => {
+			await updateSetting('ABAC_Enabled', true);
+
+			// Create attribute definitions
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(credentials)
+				.send({ key: listAttrKey1, values: ['alpha', 'beta'] })
+				.expect(200);
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(credentials)
+				.send({ key: listAttrKey2, values: ['x', 'y'] })
+				.expect(200);
+
+			// Create private rooms
+			listRoomId1 = (await createRoom({ type: 'p', name: listRoomName1 })).body.group._id;
+			listRoomId2 = (await createRoom({ type: 'p', name: listRoomName2 })).body.group._id;
+			listRoomNoAttrId = (await createRoom({ type: 'p', name: listRoomNoAttrName })).body.group._id;
+
+			// Assign attributes to first two rooms
+			await request
+				.post(`${v1}/abac/rooms/${listRoomId1}/attributes/${listAttrKey1}`)
+				.set(credentials)
+				.send({ values: ['alpha'] })
+				.expect(200);
+			await request
+				.post(`${v1}/abac/rooms/${listRoomId2}/attributes/${listAttrKey2}`)
+				.set(credentials)
+				.send({ values: ['x'] })
+				.expect(200);
+		});
+
+		after(async () => {
+			await Promise.all([
+				deleteRoom({ type: 'p', roomId: listRoomId1 }),
+				deleteRoom({ type: 'p', roomId: listRoomId2 }),
+				deleteRoom({ type: 'p', roomId: listRoomNoAttrId }),
+			]);
+		});
+
+		it('should list only private rooms with ABAC attributes (baseline)', async () => {
+			await request
+				.get(`${v1}/abac/rooms`)
+				.set(credentials)
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body).to.have.property('rooms').that.is.an('array');
+					const ids = res.body.rooms.map((r: any) => r._id);
+					expect(ids).to.include(listRoomId1);
+					expect(ids).to.include(listRoomId2);
+					expect(ids).to.not.include(listRoomNoAttrId);
+				});
+		});
+
+		it('should NOT list a newly created private room without attributes', async () => {
+			const tempNoAttrRoomId = (await createRoom({ type: 'p', name: `abac-list-temp-noattr-${Date.now()}` })).body.group._id;
+			const res = await request.get(`${v1}/abac/rooms`).set(credentials).expect(200);
+			const ids = res.body.rooms.map((r: any) => r._id);
+			expect(ids).to.not.include(tempNoAttrRoomId);
+			await deleteRoom({ type: 'p', roomId: tempNoAttrRoomId });
+		});
+
+		it('should NOT list a public room (cannot be ABAC managed)', async () => {
+			const publicRoomId = (await createRoom({ type: 'c', name: `abac-list-public-${Date.now()}` })).body.channel._id;
+			const res = await request.get(`${v1}/abac/rooms`).set(credentials).expect(200);
+			const ids = res.body.rooms.map((r: any) => r._id);
+			expect(ids).to.not.include(publicRoomId);
+			await deleteRoom({ type: 'c', roomId: publicRoomId });
+		});
+
+		it('should NOT list a team private room without attributes', async () => {
+			// Create a private team and a private room inside it (not main room)
+			const teamRes = await request
+				.post(`${v1}/teams.create`)
+				.set(credentials)
+				.send({ name: `abac-list-team-noattr-${Date.now()}`, type: 0 })
+				.expect(200);
+			const teamIdLocal = teamRes.body.team._id;
+			const teamRoomRes = await createRoom({ type: 'p', name: `abac-list-team-room-${Date.now()}`, extraData: { teamId: teamIdLocal } });
+			const teamPrivateRoomId = teamRoomRes.body.group._id;
+			const res = await request.get(`${v1}/abac/rooms`).set(credentials).expect(200);
+			const ids = res.body.rooms.map((r: any) => r._id);
+			expect(ids).to.not.include(teamPrivateRoomId);
+			await deleteRoom({ type: 'p', roomId: teamPrivateRoomId });
+			await deleteTeam(credentials, teamRes.body.team.name);
+		});
+
+		it('should stop listing a room after its ABAC attributes are removed', async () => {
+			// Ensure room 1 currently listed
+			const resBefore = await request.get(`${v1}/abac/rooms`).set(credentials).expect(200);
+			const idsBefore = resBefore.body.rooms.map((r: any) => r._id);
+			expect(idsBefore).to.include(listRoomId1);
+
+			// Remove its only attribute key (listAttrKey1) - value was 'alpha'
+			await request.delete(`${v1}/abac/rooms/${listRoomId1}/attributes/${listAttrKey1}`).set(credentials).expect(200);
+
+			const resAfter = await request.get(`${v1}/abac/rooms`).set(credentials).expect(200);
+			const idsAfter = resAfter.body.rooms.map((r: any) => r._id);
+			expect(idsAfter).to.not.include(listRoomId1);
+
+			// Re-add attribute so other tests relying on it remain stable
+			await request
+				.post(`${v1}/abac/rooms/${listRoomId1}/attributes/${listAttrKey1}`)
+				.set(credentials)
+				.send({ values: ['alpha'] })
+				.expect(200);
+		});
+
+		it('should NOT list a default private room even if attempt to add attribute fails', async () => {
+			const defaultRoomId = (await createRoom({ type: 'p', name: `abac-list-default-${Date.now()}` })).body.group._id;
+			await request.post(`${v1}/rooms.saveRoomSettings`).set(credentials).send({ rid: defaultRoomId, default: true }).expect(200);
+			const defKey = `list_def_attr_${Date.now()}`;
+			await request
+				.post(`${v1}/abac/attributes`)
+				.set(credentials)
+				.send({ key: defKey, values: ['one'] })
+				.expect(200);
+			await request
+				.post(`${v1}/abac/rooms/${defaultRoomId}/attributes/${defKey}`)
+				.set(credentials)
+				.send({ values: ['one'] })
+				.expect(400);
+			const res = await request.get(`${v1}/abac/rooms`).set(credentials).expect(200);
+			const ids = res.body.rooms.map((r: any) => r._id);
+			expect(ids).to.not.include(defaultRoomId);
+			await request.post(`${v1}/rooms.saveRoomSettings`).set(credentials).send({ rid: defaultRoomId, default: false }).expect(200);
+			await deleteRoom({ type: 'p', roomId: defaultRoomId });
+		});
+
+		it('should filter by room name (filterType=roomName)', async () => {
+			await request
+				.get(`${v1}/abac/rooms`)
+				.set(credentials)
+				.query({ filter: 'abac-list-room-1', filterType: 'roomName' })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body.success).to.be.true;
+					const ids = res.body.rooms.map((r: any) => r._id);
+					expect(ids).to.include(listRoomId1);
+					expect(ids).to.not.include(listRoomId2);
+				});
+		});
+
+		it('should filter by attribute key (filterType=attribute)', async () => {
+			await request
+				.get(`${v1}/abac/rooms`)
+				.set(credentials)
+				.query({ filter: listAttrKey2, filterType: 'attribute' })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body.success).to.be.true;
+					const ids = res.body.rooms.map((r: any) => r._id);
+					expect(ids).to.include(listRoomId2);
+					expect(ids).to.not.include(listRoomId1);
+				});
+		});
+
+		it('should filter by attribute value (filterType=value)', async () => {
+			await request
+				.get(`${v1}/abac/rooms`)
+				.set(credentials)
+				.query({ filter: 'alpha', filterType: 'value' })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body.success).to.be.true;
+					const ids = res.body.rooms.map((r: any) => r._id);
+					expect(ids).to.include(listRoomId1);
+					expect(ids).to.not.include(listRoomId2);
+				});
+		});
+
+		it('should match across name, key and values when filterType=all (default)', async () => {
+			await request
+				.get(`${v1}/abac/rooms`)
+				.set(credentials)
+				.query({ filter: 'x', filterType: 'all' })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body.success).to.be.true;
+					const ids = res.body.rooms.map((r: any) => r._id);
+					expect(ids).to.include(listRoomId2);
+					expect(ids).to.not.include(listRoomId1);
+				});
+		});
+
+		it('should paginate results (count=1 offset=0)', async () => {
+			await request
+				.get(`${v1}/abac/rooms`)
+				.set(credentials)
+				.query({ count: 1, offset: 0 })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body.success).to.be.true;
+					expect(res.body).to.have.property('offset', 0);
+					expect(res.body).to.have.property('count', 1);
+					expect(res.body.rooms).to.have.lengthOf(1);
+				});
+		});
+
+		it('should paginate results (count=1 offset=1)', async () => {
+			await request
+				.get(`${v1}/abac/rooms`)
+				.set(credentials)
+				.query({ count: 1, offset: 1 })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body.success).to.be.true;
+					expect(res.body).to.have.property('offset', 1);
+					expect(res.body).to.have.property('count').that.is.at.most(1);
+					expect(res.body.rooms).to.have.length.at.most(1);
+				});
+		});
+
+		it('should return empty list when filter does not match anything', async () => {
+			await request
+				.get(`${v1}/abac/rooms`)
+				.set(credentials)
+				.query({ filter: 'nonexistent-filter-xyz', filterType: 'roomName' })
+				.expect(200)
+				.expect((res) => {
+					expect(res.body.success).to.be.true;
+					expect(res.body.rooms).to.be.an('array').with.lengthOf(0);
+				});
+		});
+
+		it('should reject unauthorized user (403)', async () => {
+			await request.get(`${v1}/abac/rooms`).set(unauthorizedCredentials).expect(403);
+		});
+
+		describe('ABAC managed private team main rooms listing', () => {
+			const teamListAttrKey = `team_list_attr_${Date.now()}`;
+			const teamListName = `abac-list-team-${Date.now()}`;
+			let teamListMainRoomId: string;
+
+			before('create private team (no attributes yet) and attribute definition', async () => {
+				const teamRes = await request.post(`${v1}/teams.create`).set(credentials).send({ name: teamListName, type: 1 }).expect(200);
+
+				teamListMainRoomId = teamRes.body.team.roomId;
+
+				await request
+					.post(`${v1}/abac/attributes`)
+					.set(credentials)
+					.send({ key: teamListAttrKey, values: ['red', 'blue'] })
+					.expect(200);
+			});
+
+			it('baseline: team main private room without attributes should NOT appear in /abac/rooms list', async () => {
+				await request
+					.get(`${v1}/abac/rooms`)
+					.set(credentials)
+					.expect(200)
+					.expect((res) => {
+						const ids = res.body.rooms.map((r: any) => r._id);
+						expect(ids).to.not.include(teamListMainRoomId);
+					});
+			});
+
+			it('after adding ABAC attribute to team main room it SHOULD appear in /abac/rooms list', async () => {
+				await request
+					.post(`${v1}/abac/rooms/${teamListMainRoomId}/attributes/${teamListAttrKey}`)
+					.set(credentials)
+					.send({ values: ['red'] })
+					.expect(200);
+
+				await request
+					.get(`${v1}/abac/rooms`)
+					.set(credentials)
+					.expect(200)
+					.expect((res) => {
+						const ids = res.body.rooms.map((r: any) => r._id);
+						expect(ids).to.include(teamListMainRoomId);
+					});
+			});
+
+			it('filterType=attribute should return team main room when filtering by its attribute key', async () => {
+				await request
+					.get(`${v1}/abac/rooms`)
+					.set(credentials)
+					.query({ filter: teamListAttrKey, filterType: 'attribute' })
+					.expect(200)
+					.expect((res) => {
+						const ids = res.body.rooms.map((r: any) => r._id);
+						expect(ids).to.include(teamListMainRoomId);
+					});
+			});
+
+			it('filterType=value should return team main room when filtering by an assigned attribute value', async () => {
+				await request
+					.get(`${v1}/abac/rooms`)
+					.set(credentials)
+					.query({ filter: 'red', filterType: 'value' })
+					.expect(200)
+					.expect((res) => {
+						const ids = res.body.rooms.map((r: any) => r._id);
+						expect(ids).to.include(teamListMainRoomId);
+					});
+			});
+
+			it('filterType=value should NOT return team main room when filtering by a non-existent value', async () => {
+				await request
+					.get(`${v1}/abac/rooms`)
+					.set(credentials)
+					.query({ filter: 'nonexistent-team-value', filterType: 'value' })
+					.expect(200)
+					.expect((res) => {
+						const ids = res.body.rooms.map((r: any) => r._id);
+						expect(ids).to.not.include(teamListMainRoomId);
+					});
+			});
+
+			it('pagination should include team main room on a page where it falls (count=1 offset varies)', async () => {
+				// Get full list to determine index
+				const fullRes = await request.get(`${v1}/abac/rooms`).set(credentials).expect(200);
+				const allIds: string[] = fullRes.body.rooms.map((r: any) => r._id);
+				const index = allIds.indexOf(teamListMainRoomId);
+				expect(index).to.not.equal(-1);
+
+				// Request the page containing the team main room
+				const pageRes = await request.get(`${v1}/abac/rooms`).set(credentials).query({ count: 1, offset: index }).expect(200);
+				expect(pageRes.body.rooms.map((r: any) => r._id)).to.include(teamListMainRoomId);
+			});
+
+			after(async () => {
+				await deleteTeam(credentials, teamListName);
+			});
+		});
+	});
+
+	describe('LDAP integration', () => {
+		before(async () => {
+			await Promise.all([
+				updateSetting('LDAP_Enable', true),
+				updateSetting('ABAC_Enabled', true),
+				updateSetting('LDAP_Background_Sync', true),
+				updateSetting('LDAP_Background_Sync_Import_New_Users', true),
+				updateSetting('LDAP_Host', 'openldap'),
+				updateSetting('LDAP_Port', 1389),
+				updateSetting('LDAP_Authentication', true),
+				updateSetting('LDAP_Authentication_UserDN', 'cn=admin,dc=space,dc=air'),
+				updateSetting('LDAP_Authentication_Password', 'adminpassword'),
+				updateSetting('LDAP_BaseDN', 'ou=users,dc=space,dc=air'),
+				updateSetting('LDAP_AD_User_Search_Field', 'uid'),
+				updateSetting('LDAP_AD_Username_Field', 'uid'),
+				updateSetting('LDAP_Background_Sync_ABAC_Attributes', true),
+				updateSetting('LDAP_Background_Sync_ABAC_Attributes_Interval', '0 0 * * *'),
+				updateSetting(
+					'LDAP_ABAC_AttributeMap',
+					JSON.stringify({
+						departmentNumber: 'department',
+						telephoneNumber: 'phone',
+					}),
+				),
+			]);
+		});
+
+		before(async function () {
+			this.timeout(10000);
+			// Wait for background sync to run once before tests start
+			await request.post(`${v1}/ldap.syncNow`).set(credentials);
+			await sleep(5000);
+
+			// Force abac attribute sync for user john.young, that way we test it too :p
+			await request
+				.post(`${v1}/abac/users/sync`)
+				.set(credentials)
+				.send({ emails: ['john.young@space.air'] });
+
+			await sleep(2000);
+		});
+
+		it('should sync LDAP user john.young with mapped ABAC attributes', async () => {
+			const res = await request.get(`${v1}/users.info`).set(credentials).query({ username: 'john.young' }).expect(200);
+
+			expect(res.body).to.have.property('success', true);
+			expect(res.body).to.have.property('user');
+			const user = res.body.user as IUser;
+
+			expect(user).to.have.property('abacAttributes');
+			expect(user.abacAttributes).to.be.an('array');
+
+			const departmentAttr = user?.abacAttributes?.find((attr: IAbacAttributeDefinition) => attr.key === 'department');
+
+			expect(departmentAttr).to.exist;
+			expect(departmentAttr?.values || []).to.be.an('array').that.is.not.empty;
+		});
+
+		it('should sync ABAC attributes for SOME users via /abac/users/sync', async () => {
+			// Users already imported from LDAP, but without ABAC attributes.
+			// We now sync only SOME users, identified by their emails.
+			const resAlan = await request.get(`${v1}/users.info`).set(credentials).query({ username: 'alan.bean' }).expect(200);
+			const resBuzz = await request.get(`${v1}/users.info`).set(credentials).query({ username: 'buzz.aldrin' }).expect(200);
+
+			const alanBefore = resAlan.body.user as IUser;
+			const buzzBefore = resBuzz.body.user as IUser;
+
+			// Ensure they start without ABAC attributes (or with an empty array)
+			expect(alanBefore).to.have.property('username', 'alan.bean');
+			const alanBeforeAttrs = alanBefore.abacAttributes || [];
+			expect(alanBeforeAttrs).to.be.an('array').that.has.lengthOf(0);
+
+			expect(buzzBefore).to.have.property('username', 'buzz.aldrin');
+			const buzzBeforeAttrs = buzzBefore.abacAttributes || [];
+			expect(buzzBeforeAttrs).to.be.an('array').that.has.lengthOf(0);
+
+			// Sync SOME users by email
+			await request
+				.post(`${v1}/abac/users/sync`)
+				.set(credentials)
+				.send({
+					emails: ['alan.bean@space.air', 'buzz.aldrin@space.air'],
+				})
+				.expect(200);
+
+			const resAlanAfter = await request.get(`${v1}/users.info`).set(credentials).query({ username: 'alan.bean' }).expect(200);
+			const resBuzzAfter = await request.get(`${v1}/users.info`).set(credentials).query({ username: 'buzz.aldrin' }).expect(200);
+
+			const alanAfter = resAlanAfter.body.user as IUser;
+			const buzzAfter = resBuzzAfter.body.user as IUser;
+
+			const alanAfterAttrs = alanAfter.abacAttributes || [];
+			const buzzAfterAttrs = buzzAfter.abacAttributes || [];
+
+			expect(alanAfterAttrs).to.be.an('array').that.is.not.empty;
+			expect(buzzAfterAttrs).to.be.an('array').that.is.not.empty;
+
+			const alanDept = alanAfterAttrs.find((attr: IAbacAttributeDefinition) => attr.key === 'department');
+			const buzzDept = buzzAfterAttrs.find((attr: IAbacAttributeDefinition) => attr.key === 'department');
+
+			expect(alanDept).to.exist;
+			expect(alanDept?.values || []).to.be.an('array').that.is.not.empty;
+
+			expect(buzzDept).to.exist;
+			expect(buzzDept?.values || []).to.be.an('array').that.is.not.empty;
+		});
+
+		it('should support /abac/users/sync with usernames as param', async () => {
+			await request
+				.post(`${v1}/abac/users/sync`)
+				.set(credentials)
+				.send({
+					usernames: ['david.scott', 'gene.cernan'],
+				})
+				.expect(200);
+
+			const usersToCheck = ['david.scott', 'gene.cernan'];
+
+			const results = await Promise.all(
+				usersToCheck.map(async (username) => {
+					const res = await request.get(`${v1}/users.info`).set(credentials).query({ username }).expect(200);
+					return res.body.user as IUser;
+				}),
+			);
+
+			for (const user of results) {
+				const attrs = user.abacAttributes || [];
+				expect(attrs).to.be.an('array').that.is.not.empty;
+
+				const dept = attrs.find((attr: IAbacAttributeDefinition) => attr.key === 'department');
+				expect(dept).to.exist;
+				expect(dept?.values || []).to.be.an('array').that.is.not.empty;
+			}
+		});
+
+		// Hard limits for the endpoint - max 100 identifiers per type, 400 total per request
+		it('should fail /abac/users/sync when more than 100 usernames are provided', async () => {
+			const usernames = Array.from({ length: 101 }, (_, i) => `user_${i}@example.com`);
+			await request
+				.post(`${v1}/abac/users/sync`)
+				.set(credentials)
+				.send({
+					usernames,
+				})
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+				});
+		});
+
+		it('should fail /abac/users/sync when more than 100 ids are provided', async () => {
+			const ids = Array.from({ length: 101 }, (_, i) => `id_${i}`);
+			await request
+				.post(`${v1}/abac/users/sync`)
+				.set(credentials)
+				.send({
+					ids,
+				})
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+				});
+		});
+
+		it('should fail /abac/users/sync when more than 100 emails are provided', async () => {
+			const emails = Array.from({ length: 101 }, (_, i) => `user_${i}@example.com`);
+			await request
+				.post(`${v1}/abac/users/sync`)
+				.set(credentials)
+				.send({
+					emails,
+				})
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+				});
+		});
+
+		it('should fail /abac/users/sync when more than 100 ldapIds are provided', async () => {
+			const ldapIds = Array.from({ length: 101 }, (_, i) => `ldap_${i}`);
+			await request
+				.post(`${v1}/abac/users/sync`)
+				.set(credentials)
+				.send({
+					ldapIds,
+				})
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+				});
+		});
+
+		it('should succeed /abac/users/sync when exactly 100 usernames are provided (boundary)', async () => {
+			const usernames = Array.from({ length: 100 }, (_, i) => `boundary_user_${i}`);
+			await request
+				.post(`${v1}/abac/users/sync`)
+				.set(credentials)
+				.send({
+					usernames,
+				})
+				.expect(200)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', true);
+				});
+		});
+
+		describe('LDAP ABAC room membership sync', () => {
+			let roomIdWithAbac: string;
+
+			before(async () => {
+				// Ensure the ABAC attribute definition for department exists
+				const attrsRes = await request.get(`${v1}/abac/attributes`).set(credentials).expect(200);
+				const attrs = attrsRes.body.attributes as IAbacAttributeDefinition[];
+				const existingDept = attrs.find((attr) => attr.key === 'department');
+
+				if (!existingDept) {
+					await request
+						.post(`${v1}/abac/attributes`)
+						.set(credentials)
+						.send({
+							key: 'department',
+							values: ['lifeSupport', 'lifeSupport2', 'navControl'],
+						})
+						.expect(200);
+				}
+
+				// Create a private room and add LDAP users that will later lose ABAC compliance
+				const roomRes = await createRoom({
+					type: 'p',
+					name: `ldapAbacRoom-${Date.now()}`,
+				});
+
+				roomIdWithAbac = roomRes.body.group._id;
+
+				const davidUser = await request.get(`${v1}/users.info`).set(credentials).query({ username: 'david.scott' }).expect(200);
+				const sergeiUser = await request.get(`${v1}/users.info`).set(credentials).query({ username: 'sergei.krikalev' }).expect(200);
+
+				await addAbacAttributesToUserDirectly(davidUser.body.user._id, [{ key: 'department', values: ['navControl'] }]);
+				await addAbacAttributesToUserDirectly(sergeiUser.body.user._id, [{ key: 'department', values: ['navControl'] }]);
+				await addAbacAttributesToUserDirectly(credentials['X-User-Id'], [{ key: 'department', values: ['navControl'] }]);
+
+				await request
+					.post(`${v1}/abac/rooms/${roomIdWithAbac}/attributes/department`)
+					.set(credentials)
+					.send({
+						values: ['navControl'],
+					})
+					.expect(200);
+
+				// Invite two LDAP users that will initially match the room attributes
+				await request
+					.post(`${v1}/groups.invite`)
+					.set(credentials)
+					.send({
+						roomId: roomIdWithAbac,
+						usernames: ['david.scott', 'sergei.krikalev'],
+					});
+			});
+
+			after(async () => {
+				await deleteRoom({ type: 'p', roomId: roomIdWithAbac });
+			});
+
+			it('should remove users from room after LDAP sync changes their ABAC attributes', async () => {
+				const initialDept = 'navControl';
+
+				const davidInitialAttrs = [{ key: 'department', values: [initialDept] }];
+				const sergeiInitialAttrs = [{ key: 'department', values: [initialDept] }];
+
+				expect(davidInitialAttrs[0].values).to.include(initialDept);
+				expect(sergeiInitialAttrs[0].values).to.include(initialDept);
+
+				await request
+					.post(`${v1}/abac/users/sync`)
+					.set(credentials)
+					.send({
+						usernames: ['david.scott', 'sergei.krikalev'],
+					})
+					.expect(200);
+
+				const afterMembersRes = await request.get(`${v1}/groups.members`).set(credentials).query({ roomId: roomIdWithAbac }).expect(200);
+
+				const afterMembers = afterMembersRes.body.members as IUser[];
+				const afterUsernames = afterMembers.map((u) => u.username);
+
+				expect(afterUsernames).to.not.include('david.scott');
+				expect(afterUsernames).to.not.include('sergei.krikalev');
+
+				const userInfoDavidAfter = await request.get(`${v1}/users.info`).set(credentials).query({ username: 'david.scott' }).expect(200);
+				const userInfoSergeiAfter = await request
+					.get(`${v1}/users.info`)
+					.set(credentials)
+					.query({ username: 'sergei.krikalev' })
+					.expect(200);
+
+				const davidAfter = userInfoDavidAfter.body.user as IUser;
+				const sergeiAfter = userInfoSergeiAfter.body.user as IUser;
+
+				const davidDeptAfter = (davidAfter.abacAttributes || []).find((attr: IAbacAttributeDefinition) => attr.key === 'department');
+				const sergeiDeptAfter = (sergeiAfter.abacAttributes || []).find((attr: IAbacAttributeDefinition) => attr.key === 'department');
+
+				expect(davidDeptAfter?.values || []).to.not.deep.equal(davidInitialAttrs[0].values);
+				expect(sergeiDeptAfter?.values || []).to.not.deep.equal(sergeiInitialAttrs[0].values);
+			});
+		});
+
+		after(async () => {
+			await Promise.all([
+				updateSetting('LDAP_Enable', false),
+				updateSetting('ABAC_Enabled', false),
+				updateSetting('LDAP_Background_Sync', false),
+				updateSetting('LDAP_Background_Sync_Import_New_Users', false),
+				updateSetting('LDAP_Host', ''),
+				updateSetting('LDAP_Authentication', false),
+				updateSetting('LDAP_Authentication_UserDN', ''),
+				updateSetting('LDAP_Authentication_Password', ''),
+				updateSetting('LDAP_BaseDN', ''),
+				updateSetting('LDAP_AD_User_Search_Field', ''),
+				updateSetting('LDAP_AD_Username_Field', ''),
+				updateSetting('LDAP_Background_Sync_ABAC_Attributes', false),
+				updateSetting('LDAP_Background_Sync_ABAC_Attributes_Interval', ''),
+				updateSetting('LDAP_ABAC_AttributeMap', ''),
+			]);
+		});
+	});
+});
diff --git a/apps/meteor/tests/end-to-end/api/rooms.ts b/apps/meteor/tests/end-to-end/api/rooms.ts
index 2e9b97b9f67..f7382be0086 100644
--- a/apps/meteor/tests/end-to-end/api/rooms.ts
+++ b/apps/meteor/tests/end-to-end/api/rooms.ts
@@ -2516,6 +2516,110 @@ describe('[Rooms]', () => {
 		});
 	});
 
+	describe('/rooms.adminRooms.privateRooms', () => {
+		let publicChannel: IRoom;
+		let privateGroup: IRoom;
+		let publicTeam: ITeam;
+		let privateTeam: ITeam;
+
+		before(async () => {
+			await updatePermission('view-room-administration', ['admin']);
+
+			publicChannel = (await createRoom({ type: 'c', name: `public-channel-${Date.now()}` })).body.channel;
+			privateGroup = (await createRoom({ type: 'p', name: `private-group-${Date.now()}` })).body.group;
+
+			publicTeam = await createTeam(credentials, `public-team-${Date.now()}`, TEAM_TYPE.PUBLIC);
+			privateTeam = await createTeam(credentials, `private-team-${Date.now()}`, TEAM_TYPE.PRIVATE);
+		});
+
+		after(async () => {
+			await Promise.all([
+				deleteRoom({ type: 'c', roomId: publicChannel._id }),
+				deleteRoom({ type: 'p', roomId: privateGroup._id }),
+				deleteTeam(credentials, publicTeam.name),
+				deleteTeam(credentials, privateTeam.name),
+			]);
+		});
+
+		it('should return only the private room when filtering by its name', async () => {
+			const res = await request
+				.get(api('rooms.adminRooms.privateRooms'))
+				.set(credentials)
+				.query({
+					filter: privateGroup.name,
+				})
+				.expect(200);
+
+			expect(res.body).to.have.property('success', true);
+			expect(res.body).to.have.property('rooms').and.to.be.an('array');
+
+			const rooms = res.body.rooms as IRoom[];
+			expect(rooms).to.have.lengthOf(1);
+			expect(rooms[0].name).to.equal(privateGroup.name);
+			expect(rooms[0].t).to.equal('p');
+		});
+
+		it('should return only the private team main when filtering by its name', async () => {
+			const res = await request
+				.get(api('rooms.adminRooms.privateRooms'))
+				.set(credentials)
+				.query({
+					filter: privateTeam.name,
+				})
+				.expect(200);
+
+			expect(res.body).to.have.property('success', true);
+			expect(res.body).to.have.property('rooms').and.to.be.an('array');
+
+			const rooms = res.body.rooms as IRoom[];
+			expect(rooms).to.have.lengthOf(1);
+			expect(rooms[0].name).to.equal(privateTeam.name);
+			expect(rooms[0].t).to.equal('p');
+		});
+
+		it('should not return public rooms or public team mains even when filtering by their names', async () => {
+			const resPublicChannel = await request
+				.get(api('rooms.adminRooms.privateRooms'))
+				.set(credentials)
+				.query({
+					filter: publicChannel.name,
+				})
+				.expect(200);
+
+			expect(resPublicChannel.body).to.have.property('success', true);
+			expect(resPublicChannel.body).to.have.property('rooms').and.to.be.an('array');
+			expect(resPublicChannel.body.rooms).to.have.lengthOf(0);
+
+			const resPublicTeam = await request
+				.get(api('rooms.adminRooms.privateRooms'))
+				.set(credentials)
+				.query({
+					filter: publicTeam.name,
+				})
+				.expect(200);
+
+			expect(resPublicTeam.body).to.have.property('success', true);
+			expect(resPublicTeam.body).to.have.property('rooms').and.to.be.an('array');
+			expect(resPublicTeam.body.rooms).to.have.lengthOf(0);
+		});
+
+		describe('permissions', () => {
+			before(async () => {
+				await updatePermission('view-room-administration', []);
+			});
+
+			after(async () => {
+				await updatePermission('view-room-administration', ['admin']);
+			});
+
+			it('should return an error for users without view-room-administration permission', async () => {
+				const res = await request.get(api('rooms.adminRooms.privateRooms')).set(credentials).expect(403);
+
+				expect(res.body).to.have.property('success', false);
+			});
+		});
+	});
+
 	describe('update group dms name', () => {
 		let testUser: TestUser<IUser>;
 		let roomId: IRoom['_id'];
diff --git a/apps/meteor/tests/mocks/data.ts b/apps/meteor/tests/mocks/data.ts
index 1dde2432ca3..ecdca6b206a 100644
--- a/apps/meteor/tests/mocks/data.ts
+++ b/apps/meteor/tests/mocks/data.ts
@@ -233,6 +233,7 @@ export const createFakeLicenseInfo = (partial: Partial<Omit<LicenseInfo, 'licens
 		'custom-roles',
 		'accessibility-certification',
 		'outbound-messaging',
+		'abac',
 	]),
 	externalModules: [],
 	preventedActions: {
diff --git a/development/ldap/02-data.ldif b/development/ldap/02-data.ldif
new file mode 100644
index 00000000000..bb5f7f5ee59
--- /dev/null
+++ b/development/ldap/02-data.ldif
@@ -0,0 +1,204 @@
+version: 1
+
+dn: dc=space,dc=air
+objectClass: dcObject
+objectClass: organization
+objectClass: top
+dc: space
+o: spaceair
+
+dn: ou=users,dc=space,dc=air
+objectClass: organizationalUnit
+objectClass: top
+ou: users
+
+dn: ou=others,dc=space,dc=air
+objectClass: organizationalUnit
+objectClass: top
+ou: others
+
+dn: cn=astronauts,dc=space,dc=air
+objectClass: groupOfNames
+objectClass: top
+cn: astronauts
+member: uid=alan.bean,ou=users,dc=space,dc=air
+member: uid=buzz.aldrin,ou=users,dc=space,dc=air
+member: uid=david.scott,ou=users,dc=space,dc=air
+member: uid=gene.cernan,ou=users,dc=space,dc=air
+member: uid=john.young,ou=users,dc=space,dc=air
+
+dn: cn=cosmonauts,dc=space,dc=air
+objectClass: groupOfNames
+objectClass: top
+cn: cosmonauts
+member: uid=sergei.krikalev,ou=users,dc=space,dc=air
+member: uid=yuri.romanenko,ou=users,dc=space,dc=air
+
+dn: uid=alan.bean,ou=users,dc=space,dc=air
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: Alan Bean
+sn: Alan
+mail: alan.bean@space.air
+uid: alan.bean
+destinationIndicator: Canada
+employeeType: fulltime
+departmentNumber: navControl
+userPassword:: e1NIQTI1Nn1sMzlna05QRUU1U29aaGhyRHo1VmVqVGpXMVJ6MHNNOTdjSGpsN
+ 1RaVHZJPQ==
+
+
+dn: uid=john.young,ou=users,dc=space,dc=air
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: John Young
+sn: John
+mail: john.young@space.air
+uid: john.young
+destinationIndicator: Brazil
+employeeType: parttime
+departmentNumber: flightOps
+departmentNumber: flightOps2
+telephoneNumber: +1-555-0102
+telephoneNumber: +1-555-0103
+telephoneNumber: +1-555-0104
+userPassword:: e1NIQTI1Nn1sMzlna05QRUU1U29aaGhyRHo1VmVqVGpXMVJ6MHNNOTdjSGpsN
+ 1RaVHZJPQ==
+
+
+dn: uid=buzz.aldrin,ou=users,dc=space,dc=air
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: Buzz Aldrin
+sn: Buzz
+mail: buzz.aldrin@space.air
+uid: buzz.aldrin
+destinationIndicator: Japan
+employeeType: contractor
+departmentNumber: propulsion
+userPassword:: e1NIQTI1Nn1sMzlna05QRUU1U29aaGhyRHo1VmVqVGpXMVJ6MHNNOTdjSGpsN
+ 1RaVHZJPQ==
+
+
+dn: uid=david.scott,ou=users,dc=space,dc=air
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: David Scott
+sn: David
+mail: david.scott@space.air
+uid: david.scott
+destinationIndicator: Germany
+employeeType: intern
+departmentNumber: lifeSupport
+userPassword:: e1NIQTI1Nn1sMzlna05QRUU1U29aaGhyRHo1VmVqVGpXMVJ6MHNNOTdjSGpsN
+ 1RaVHZJPQ==
+
+
+dn: uid=gene.cernan,ou=users,dc=space,dc=air
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: Gene Cernan
+sn: Gene
+mail: gene.cernan@space.air
+uid: gene.cernan
+destinationIndicator: Kenya
+employeeType: consultant
+departmentNumber: geoScience
+userPassword:: e1NIQTI1Nn1sMzlna05QRUU1U29aaGhyRHo1VmVqVGpXMVJ6MHNNOTdjSGpsN
+ 1RaVHZJPQ==
+
+
+dn: uid=james.irwin,ou=users,dc=space,dc=air
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: James Irwin
+sn: James
+mail: james.irwin@space.air
+uid: james.irwin
+destinationIndicator: Norway
+employeeType: seasonal
+departmentNumber: dataSystems
+userPassword:: e1NIQTI1Nn1sMzlna05QRUU1U29aaGhyRHo1VmVqVGpXMVJ6MHNNOTdjSGpsN
+ 1RaVHZJPQ==
+
+
+
+
+
+
+
+
+
+dn: uid=neil.armstrong,ou=users,dc=space,dc=air
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: Neil Armstrong
+sn: Neil
+mail: neil.armstrong@space.air
+uid: neil.armstrong
+destinationIndicator: Finland
+employeeType: parttime
+departmentNumber: flightOps2
+userPassword:: e1NIQTI1Nn1sMzlna05QRUU1U29aaGhyRHo1VmVqVGpXMVJ6MHNNOTdjSGpsN
+ 1RaVHZJPQ==
+
+
+dn: uid=yuri.romanenko,ou=users,dc=space,dc=air
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: Yuri Romanenko
+sn: Yuri
+mail: yuri.romanenko@space.air
+uid: yuri.romanenko
+destinationIndicator: Mexico
+employeeType: contractor
+departmentNumber: propulsion2
+userPassword:: e1NIQTI1Nn1sMzlna05QRUU1U29aaGhyRHo1VmVqVGpXMVJ6MHNNOTdjSGpsN
+ 1RaVHZJPQ==
+
+
+dn: uid=sergei.krikalev,ou=users,dc=space,dc=air
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: Sergei Krikalev
+sn: Sergei
+mail: sergei.krikalev@space.air
+uid: sergei.krikalev
+destinationIndicator: Italy
+employeeType: intern
+departmentNumber: lifeSupport2
+userPassword:: e1NIQTI1Nn1sMzlna05QRUU1U29aaGhyRHo1VmVqVGpXMVJ6MHNNOTdjSGpsN
+ 1RaVHZJPQ==
+
+
+dn: uid=userwithnoemail,ou=users,dc=space,dc=air
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: User With No Email
+sn: NoEmail
+uid: userwithnoemail
+destinationIndicator: Portugal
+employeeType: consultant
+departmentNumber: geoScience2
+userPassword:: e1NIQTI1Nn1sMzlna05QRUU1U29aaGhyRHo1VmVqVGpXMVJ6MHNNOTdjSGpsN
+ 1RaVHZJPQ==
diff --git a/docker-compose-ci.yml b/docker-compose-ci.yml
index e5b4eabea87..e69ad1047a9 100644
--- a/docker-compose-ci.yml
+++ b/docker-compose-ci.yml
@@ -210,7 +210,7 @@ services:
       bash -c
         "mongod --replSet $$MONGODB_REPLICA_SET_NAME --bind_ip_all &
           sleep 2;
-          until mongosh --eval \"db.adminCommand('ping')\"; do 
+          until mongosh --eval \"db.adminCommand('ping')\"; do
             echo '=====> Waiting for Mongo...';
             sleep 1;
           done;
@@ -231,3 +231,19 @@ services:
       - 3000:80
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
+
+  openldap:
+    image: bitnamilegacy/openldap:latest
+    volumes:
+      - ./development/ldap:/opt/bitnami/openldap/data/
+    environment:
+      - LDAP_ADMIN_USERNAME=admin
+      - LDAP_ADMIN_PASSWORD=adminpassword
+      - LDAP_ROOT=dc=space,dc=air
+      - LDAP_ADMIN_DN=cn=admin,dc=space,dc=air
+      - LDAP_CUSTOM_LDIF_DIR=/opt/bitnami/openldap/data
+      - LDAP_LOGLEVEL=-1
+      - BITNAMI_DEBUG=false
+    ports:
+      - 1389:1389
+      - 1636:1636
diff --git a/ee/apps/authorization-service/Dockerfile b/ee/apps/authorization-service/Dockerfile
index 90afd4fcee6..362ee4717ee 100644
--- a/ee/apps/authorization-service/Dockerfile
+++ b/ee/apps/authorization-service/Dockerfile
@@ -69,6 +69,9 @@ COPY ./packages/ui-kit/dist packages/ui-kit/dist
 COPY ./packages/http-router/package.json packages/http-router/package.json
 COPY ./packages/http-router/dist packages/http-router/dist
 
+COPY ./ee/packages/abac/package.json ee/packages/abac/package.json
+COPY ./ee/packages/abac/dist ee/packages/abac/dist
+
 COPY ./ee/apps/${SERVICE}/dist .
 
 COPY ./package.json .
diff --git a/ee/apps/authorization-service/package.json b/ee/apps/authorization-service/package.json
index 0841caeeb73..97cc876f360 100644
--- a/ee/apps/authorization-service/package.json
+++ b/ee/apps/authorization-service/package.json
@@ -19,6 +19,7 @@
 		"typecheck": "tsc --noEmit --skipLibCheck -p tsconfig.json"
 	},
 	"dependencies": {
+		"@rocket.chat/abac": "workspace:^",
 		"@rocket.chat/core-services": "workspace:^",
 		"@rocket.chat/core-typings": "workspace:^",
 		"@rocket.chat/emitter": "~0.31.25",
diff --git a/ee/apps/authorization-service/src/service.ts b/ee/apps/authorization-service/src/service.ts
index e09d87de6d2..f3b45f0c2a5 100755
--- a/ee/apps/authorization-service/src/service.ts
+++ b/ee/apps/authorization-service/src/service.ts
@@ -1,3 +1,4 @@
+import { AbacService } from '@rocket.chat/abac';
 import { api, getConnection, getTrashCollection } from '@rocket.chat/core-services';
 import { registerServiceModels } from '@rocket.chat/models';
 import { startBroker } from '@rocket.chat/network-broker';
@@ -20,6 +21,11 @@ const PORT = process.env.PORT || 3034;
 
 	api.registerService(new Authorization());
 
+	if (!process.env.USE_EXTERNAL_ABAC_SERVICE) {
+		// Same API as authz service but own core-services proxy
+		api.registerService(new AbacService());
+	}
+
 	await api.start();
 
 	polka()
diff --git a/ee/packages/abac/.eslintrc.json b/ee/packages/abac/.eslintrc.json
new file mode 100644
index 00000000000..6744bc05443
--- /dev/null
+++ b/ee/packages/abac/.eslintrc.json
@@ -0,0 +1,4 @@
+{
+  "extends": ["@rocket.chat/eslint-config"],
+  "ignorePatterns": ["**/dist"]
+}
diff --git a/ee/packages/abac/jest.config.ts b/ee/packages/abac/jest.config.ts
new file mode 100644
index 00000000000..46e41b9ab17
--- /dev/null
+++ b/ee/packages/abac/jest.config.ts
@@ -0,0 +1,7 @@
+import server from '@rocket.chat/jest-presets/server';
+import type { Config } from 'jest';
+
+export default {
+	preset: server.preset,
+	testMatch: ['<rootDir>/src/**/*.spec.(ts|js|mjs)'],
+} satisfies Config;
diff --git a/ee/packages/abac/package.json b/ee/packages/abac/package.json
new file mode 100644
index 00000000000..9c6ea60fab5
--- /dev/null
+++ b/ee/packages/abac/package.json
@@ -0,0 +1,42 @@
+{
+	"name": "@rocket.chat/abac",
+	"version": "0.0.1",
+	"private": true,
+	"description": "Rocket.Chat - Attribute Based Access Control (ABAC) support utilities",
+	"main": "./dist/index.js",
+	"typings": "./dist/index.d.ts",
+	"files": [
+		"/dist"
+	],
+	"scripts": {
+		"build": "tsc",
+		"dev": "tsc --watch --preserveWatchOutput",
+		"lint": "eslint --ext .js,.jsx,.ts,.tsx src",
+		"lint:fix": "eslint --ext .js,.jsx,.ts,.tsx src --fix",
+		"test": "jest",
+		"testunit": "jest",
+		"typecheck": "tsc --noEmit --skipLibCheck"
+	},
+	"volta": {
+		"extends": "../../../package.json"
+	},
+	"dependencies": {
+		"@rocket.chat/core-services": "workspace:^",
+		"@rocket.chat/core-typings": "workspace:^",
+		"@rocket.chat/logger": "workspace:^",
+		"@rocket.chat/models": "workspace:^",
+		"mem": "^8.1.1",
+		"mongodb": "6.10.0",
+		"p-limit": "3.1.0"
+	},
+	"devDependencies": {
+		"@rocket.chat/eslint-config": "workspace:^",
+		"@rocket.chat/tsconfig": "workspace:*",
+		"@types/jest": "~30.0.0",
+		"@types/node": "~22.16.1",
+		"eslint": "~8.45.0",
+		"jest": "~30.0.5",
+		"mongodb-memory-server": "^10.1.4",
+		"typescript": "~5.9.2"
+	}
+}
diff --git a/ee/packages/abac/src/audit.ts b/ee/packages/abac/src/audit.ts
new file mode 100644
index 00000000000..83977a9af0d
--- /dev/null
+++ b/ee/packages/abac/src/audit.ts
@@ -0,0 +1,148 @@
+import type { AbacActor } from '@rocket.chat/core-services';
+import type {
+	ExtractDataToParams,
+	IAbacAttributeDefinition,
+	IAuditServerActor,
+	IServerEvents,
+	AbacAuditServerEventKey,
+	AbacAttributeDefinitionChangeType,
+	AbacAuditReason,
+	MinimalRoom,
+	MinimalUser,
+	AbacActionPerformed,
+} from '@rocket.chat/core-typings';
+import { ServerEvents } from '@rocket.chat/models';
+
+type EventParamsMap = {
+	[K in AbacAuditServerEventKey]: ExtractDataToParams<IServerEvents[K]>;
+};
+
+type EventPayload<K extends AbacAuditServerEventKey> = EventParamsMap[K];
+
+export type AbacAuditEventName = AbacAuditServerEventKey;
+
+export type AbacAuditEventPayload<K extends AbacAuditEventName = AbacAuditEventName> = EventPayload<K>;
+
+async function audit<K extends AbacAuditServerEventKey>(event: K, payload: EventPayload<K>, actor: IAuditServerActor): Promise<void> {
+	return ServerEvents.createAuditServerEvent(event, payload, actor);
+}
+
+export const Audit = {
+	attributeCreated: async (attribute: IAbacAttributeDefinition, actor: AbacActor) => {
+		return audit(
+			'abac.attribute.changed',
+			{
+				attributeKey: attribute.key,
+				reason: 'api',
+				change: 'created',
+				current: attribute,
+			} as EventPayload<'abac.attribute.changed'>,
+			{ type: 'user', _id: actor._id, username: actor.username!, ip: '0.0.0.0', useragent: '' },
+		);
+	},
+	attributeUpdated: async (current: IAbacAttributeDefinition, diff: IAbacAttributeDefinition, actor: AbacActor) => {
+		return audit(
+			'abac.attribute.changed',
+			{
+				attributeKey: current.key,
+				reason: 'api',
+				change: 'updated',
+				current,
+				diff,
+			},
+			{ type: 'user', _id: actor._id, username: actor.username!, ip: '0.0.0.0', useragent: '' },
+		);
+	},
+	attributeDeleted: async (attribute: IAbacAttributeDefinition, actor: AbacActor) => {
+		return audit(
+			'abac.attribute.changed',
+			{
+				attributeKey: attribute.key,
+				reason: 'api',
+				change: 'deleted',
+				current: null,
+				diff: attribute,
+			},
+			{ type: 'user', _id: actor._id, username: actor.username!, ip: '0.0.0.0', useragent: '' },
+		);
+	},
+	objectAttributeChanged: async (
+		minimalRoom: MinimalRoom,
+		previous: IAbacAttributeDefinition[],
+		current: IAbacAttributeDefinition[],
+		change: AbacAttributeDefinitionChangeType,
+		actor: AbacActor,
+	) => {
+		return audit(
+			'abac.object.attribute.changed',
+			{
+				room: minimalRoom,
+				reason: 'api',
+				change,
+				previous,
+				current,
+			},
+			{ type: 'user', _id: actor._id, username: actor.username!, ip: '0.0.0.0', useragent: '' },
+		);
+	},
+	objectAttributeRemoved: async (
+		minimalRoom: MinimalRoom,
+		previous: IAbacAttributeDefinition[],
+		current: IAbacAttributeDefinition[],
+		change: AbacAttributeDefinitionChangeType,
+		actor: AbacActor,
+	) => {
+		return audit(
+			'abac.object.attribute.changed',
+			{
+				room: minimalRoom,
+				reason: 'api',
+				change,
+				previous,
+				current,
+			},
+			{ type: 'user', _id: actor._id, username: actor.username!, ip: '0.0.0.0', useragent: '' },
+		);
+	},
+	objectAttributesRemoved: async (minimalRoom: MinimalRoom, previous: IAbacAttributeDefinition[], actor: AbacActor) => {
+		return audit(
+			'abac.object.attributes.removed',
+			{
+				room: minimalRoom,
+				reason: 'api',
+				change: 'all-deleted',
+				previous,
+				current: null,
+			},
+			{ type: 'user', _id: actor._id, username: actor.username!, ip: '0.0.0.0', useragent: '' },
+		);
+	},
+	actionPerformed: async (
+		subject: MinimalUser,
+		object: MinimalRoom,
+		reason: AbacAuditReason = 'room-attributes-change',
+		actionPerformed: AbacActionPerformed = 'revoked-object-access',
+	) => {
+		return audit(
+			'abac.action.performed',
+			{
+				action: actionPerformed,
+				reason,
+				subject,
+				object,
+			},
+			{ type: 'system' },
+		);
+	},
+	subjectAttributeChanged: async (diff: IAbacAttributeDefinition[], subject: MinimalUser) => {
+		return audit(
+			'abac.subject.attribute.changed',
+			{
+				subject,
+				reason: 'ldap-sync',
+				diff,
+			},
+			{ type: 'system' },
+		);
+	},
+};
diff --git a/ee/packages/abac/src/can-access-object.spec.ts b/ee/packages/abac/src/can-access-object.spec.ts
new file mode 100644
index 00000000000..94a7bec0ecc
--- /dev/null
+++ b/ee/packages/abac/src/can-access-object.spec.ts
@@ -0,0 +1,264 @@
+import { AbacAccessOperation, AbacObjectType } from '@rocket.chat/core-typings';
+
+import { AbacService } from './index';
+
+const mockSettingsGetValueById = jest.fn();
+const mockSubscriptionsFindOneByRoomIdAndUserId = jest.fn();
+const mockSubscriptionsSetAbacLastTimeCheckedByUserIdAndRoomId = jest.fn();
+const mockUsersFindOne = jest.fn();
+const mockUsersFindOneById = jest.fn();
+const mockRoomRemoveUserFromRoom = jest.fn().mockResolvedValue(undefined);
+
+jest.mock('@rocket.chat/models', () => ({
+	Settings: {
+		getValueById: (...args: any[]) => mockSettingsGetValueById(...args),
+	},
+	Subscriptions: {
+		findOneByRoomIdAndUserId: (...args: any[]) => mockSubscriptionsFindOneByRoomIdAndUserId(...args),
+		setAbacLastTimeCheckedByUserIdAndRoomId: (...args: any[]) => mockSubscriptionsSetAbacLastTimeCheckedByUserIdAndRoomId(...args),
+	},
+	Users: {
+		findOne: (...args: any[]) => mockUsersFindOne(...args),
+		findOneById: (...args: any[]) => mockUsersFindOneById(...args),
+	},
+	ServerEvents: {
+		createAuditServerEvent: jest.fn(),
+	},
+}));
+
+jest.mock('@rocket.chat/core-services', () => ({
+	ServiceClass: class {},
+	Room: {
+		removeUserFromRoom: (...args: any[]) => mockRoomRemoveUserFromRoom(...args),
+	},
+}));
+
+describe('AbacService.canAccessObject (unit)', () => {
+	let service: AbacService;
+
+	const baseRoom = {
+		_id: 'RID',
+		t: 'p',
+		abacAttributes: [
+			{ key: 'dept', values: ['eng', 'sales'] },
+			{ key: 'region', values: ['emea'] },
+		],
+	};
+
+	const baseUser = {
+		_id: 'UID',
+		username: 'user1',
+	};
+
+	beforeEach(() => {
+		service = new AbacService();
+		jest.clearAllMocks();
+		// Default behaviors
+		mockSettingsGetValueById.mockResolvedValue(300); // 5 minute cache
+	});
+
+	describe('parameter validation & early returns', () => {
+		it('throws error-abac-unsupported-object-type when objectType is not ROOM', async () => {
+			await expect(service.canAccessObject(baseRoom as any, baseUser as any, AbacAccessOperation.READ, 'not-room' as any)).rejects.toThrow(
+				'error-abac-unsupported-object-type',
+			);
+
+			expect(mockSubscriptionsFindOneByRoomIdAndUserId).not.toHaveBeenCalled();
+			expect(mockUsersFindOne).not.toHaveBeenCalled();
+		});
+
+		it('throws error-abac-unsupported-operation when action is not READ', async () => {
+			await expect(
+				service.canAccessObject(baseRoom as any, baseUser as any, AbacAccessOperation.WRITE, AbacObjectType.ROOM),
+			).rejects.toThrow('error-abac-unsupported-operation');
+
+			expect(mockSubscriptionsFindOneByRoomIdAndUserId).not.toHaveBeenCalled();
+			expect(mockUsersFindOne).not.toHaveBeenCalled();
+		});
+
+		it('returns false when user is missing _id', async () => {
+			const result = await service.canAccessObject(baseRoom as any, {} as any, AbacAccessOperation.READ, AbacObjectType.ROOM);
+			expect(result).toBe(false);
+			expect(mockSubscriptionsFindOneByRoomIdAndUserId).not.toHaveBeenCalled();
+			expect(mockUsersFindOne).not.toHaveBeenCalled();
+		});
+
+		it('returns false when room has no abacAttributes array', async () => {
+			const room = { ...baseRoom, abacAttributes: [] };
+			const result = await service.canAccessObject(room as any, baseUser as any, AbacAccessOperation.READ, AbacObjectType.ROOM);
+			expect(result).toBe(false);
+			expect(mockSubscriptionsFindOneByRoomIdAndUserId).not.toHaveBeenCalled();
+			expect(mockUsersFindOne).not.toHaveBeenCalled();
+		});
+	});
+
+	describe('subscription presence & compliance evaluation', () => {
+		it('returns false when user has no subscription to room', async () => {
+			mockSubscriptionsFindOneByRoomIdAndUserId.mockResolvedValue(null);
+
+			const result = await service.canAccessObject(baseRoom as any, baseUser as any, AbacAccessOperation.READ, AbacObjectType.ROOM);
+			expect(result).toBe(false);
+			expect(mockSubscriptionsFindOneByRoomIdAndUserId).toHaveBeenCalledWith(baseRoom._id, baseUser._id, {
+				projection: { abacLastTimeChecked: 1 },
+			});
+			expect(mockUsersFindOne).not.toHaveBeenCalled();
+		});
+
+		it('returns false for non-compliant subscription and removes user from room when full user exists', async () => {
+			mockSubscriptionsFindOneByRoomIdAndUserId.mockResolvedValue({
+				_id: 'SUB',
+				abacLastTimeChecked: undefined,
+			});
+			mockUsersFindOne.mockResolvedValue(null); // non-compliant
+			mockUsersFindOneById.mockResolvedValue({ _id: baseUser._id, username: baseUser.username }); // full user for removal
+
+			const result = await service.canAccessObject(baseRoom as any, baseUser as any, AbacAccessOperation.READ, AbacObjectType.ROOM);
+			expect(result).toBe(false);
+
+			// Compliance evaluation query assertions
+			expect(mockUsersFindOne).toHaveBeenCalledTimes(1);
+			const [query, options] = mockUsersFindOne.mock.calls[0];
+			expect(query._id).toBe(baseUser._id);
+			expect(Array.isArray(query.$and)).toBe(true);
+			expect(query.$and).toHaveLength(baseRoom.abacAttributes.length);
+			query.$and.forEach((cond: any, idx: number) => {
+				expect(cond.abacAttributes.$elemMatch.key).toBe(baseRoom.abacAttributes[idx].key);
+				expect(cond.abacAttributes.$elemMatch.values.$all).toEqual(baseRoom.abacAttributes[idx].values);
+			});
+			expect(options).toEqual({ projection: { _id: 1 } });
+
+			// Removal path assertions
+			expect(mockUsersFindOneById).toHaveBeenCalledWith(baseUser._id);
+			expect(mockRoomRemoveUserFromRoom).toHaveBeenCalledWith(
+				baseRoom._id,
+				{ _id: baseUser._id, username: baseUser.username },
+				{
+					skipAppPreEvents: true,
+					customSystemMessage: 'abac-removed-user-from-room',
+				},
+			);
+			expect(mockSubscriptionsSetAbacLastTimeCheckedByUserIdAndRoomId).not.toHaveBeenCalled();
+		});
+
+		it('returns true and updates subscription timestamp when compliant', async () => {
+			const fakeSub = { _id: 'SUB' };
+			mockSubscriptionsFindOneByRoomIdAndUserId.mockResolvedValue(fakeSub);
+			mockUsersFindOne.mockResolvedValue({ _id: baseUser._id });
+
+			const result = await service.canAccessObject(baseRoom as any, baseUser as any, AbacAccessOperation.READ, AbacObjectType.ROOM);
+			expect(result).toBe(true);
+
+			expect(mockUsersFindOne).toHaveBeenCalledTimes(1);
+			expect(mockSubscriptionsSetAbacLastTimeCheckedByUserIdAndRoomId).toHaveBeenCalledWith(baseUser._id, baseRoom._id, expect.any(Date));
+		});
+	});
+
+	describe('decision cache behavior', () => {
+		it('uses cached decision (returns true) when within cache TTL and subscription exists', async () => {
+			const ttlSeconds = 120;
+			mockSettingsGetValueById.mockResolvedValue(ttlSeconds);
+
+			const within = new Date(Date.now() - (ttlSeconds * 1000 - 500)); // 500ms before expiry
+			mockSubscriptionsFindOneByRoomIdAndUserId.mockResolvedValue({
+				_id: 'SUB',
+				abacLastTimeChecked: within,
+			});
+
+			const internalLogger = (service as any).logger;
+			const loggerDebug = jest.spyOn(internalLogger, 'debug').mockImplementation(() => undefined);
+
+			const result = await service.canAccessObject(baseRoom as any, baseUser as any, AbacAccessOperation.READ, AbacObjectType.ROOM);
+
+			expect(result).toBe(true);
+			expect(mockUsersFindOne).not.toHaveBeenCalled();
+			expect(mockSubscriptionsSetAbacLastTimeCheckedByUserIdAndRoomId).not.toHaveBeenCalled();
+			expect(loggerDebug).toHaveBeenCalledWith({
+				msg: 'Using cached ABAC decision',
+				userId: baseUser._id,
+				roomId: baseRoom._id,
+			});
+		});
+
+		it('re-evaluates when cache expired (timestamp older than TTL)', async () => {
+			const ttlSeconds = 60;
+			mockSettingsGetValueById.mockResolvedValue(ttlSeconds);
+
+			const expired = new Date(Date.now() - (ttlSeconds * 1000 + 1000));
+			mockSubscriptionsFindOneByRoomIdAndUserId.mockResolvedValue({
+				_id: 'SUB',
+				abacLastTimeChecked: expired,
+			});
+			mockUsersFindOne.mockResolvedValue({ _id: baseUser._id });
+
+			const result = await service.canAccessObject(baseRoom as any, baseUser as any, AbacAccessOperation.READ, AbacObjectType.ROOM);
+
+			expect(result).toBe(true);
+			expect(mockUsersFindOne).toHaveBeenCalled();
+			expect(mockSubscriptionsSetAbacLastTimeCheckedByUserIdAndRoomId).toHaveBeenCalled();
+		});
+
+		it('always evaluates when cache TTL is 0 (disabled)', async () => {
+			mockSettingsGetValueById.mockResolvedValue(0);
+			const recent = new Date(); // would be valid if TTL > 0
+			mockSubscriptionsFindOneByRoomIdAndUserId.mockResolvedValue({
+				_id: 'SUB',
+				abacLastTimeChecked: recent,
+			});
+			mockUsersFindOne.mockResolvedValue({ _id: baseUser._id });
+
+			const result = await service.canAccessObject(baseRoom as any, baseUser as any, AbacAccessOperation.READ, AbacObjectType.ROOM);
+
+			expect(result).toBe(true);
+			expect(mockUsersFindOne).toHaveBeenCalledTimes(1);
+			expect(mockSubscriptionsSetAbacLastTimeCheckedByUserIdAndRoomId).toHaveBeenCalledTimes(1);
+		});
+
+		it('returns false (non-compliant) after cache expiry without updating lastTime', async () => {
+			mockSettingsGetValueById.mockResolvedValue(10); // 10s TTL
+			const expired = new Date(Date.now() - 15_000);
+			mockSubscriptionsFindOneByRoomIdAndUserId.mockResolvedValue({
+				_id: 'SUB',
+				abacLastTimeChecked: expired,
+			});
+			mockUsersFindOne.mockResolvedValue(null); // not compliant
+			mockUsersFindOneById.mockResolvedValue(null); // user not found path (no removal)
+
+			const result = await service.canAccessObject(baseRoom as any, baseUser as any, AbacAccessOperation.READ, AbacObjectType.ROOM);
+			expect(result).toBe(false);
+			expect(mockUsersFindOne).toHaveBeenCalled();
+			expect(mockUsersFindOneById).toHaveBeenCalledWith(baseUser._id);
+			expect(mockRoomRemoveUserFromRoom).not.toHaveBeenCalled();
+			expect(mockSubscriptionsSetAbacLastTimeCheckedByUserIdAndRoomId).not.toHaveBeenCalled();
+		});
+	});
+
+	describe('query shape robustness', () => {
+		it('builds $and conditions proportional to number of room attributes', async () => {
+			mockSubscriptionsFindOneByRoomIdAndUserId.mockResolvedValue({ _id: 'SUB' });
+			mockUsersFindOne.mockResolvedValue({ _id: baseUser._id });
+
+			await service.canAccessObject(baseRoom as any, baseUser as any, AbacAccessOperation.READ, AbacObjectType.ROOM);
+
+			const [query] = mockUsersFindOne.mock.calls[0];
+			expect(Array.isArray(query.$and)).toBe(true);
+			expect(query.$and).toHaveLength(baseRoom.abacAttributes.length);
+			expect(baseRoom.abacAttributes[0]).toEqual({ key: 'dept', values: ['eng', 'sales'] });
+		});
+
+		it('handles single attribute room correctly', async () => {
+			const singleAttrRoom = {
+				...baseRoom,
+				abacAttributes: [{ key: 'dept', values: ['eng'] }],
+			};
+			mockSubscriptionsFindOneByRoomIdAndUserId.mockResolvedValue({ _id: 'SUB' });
+			mockUsersFindOne.mockResolvedValue({ _id: baseUser._id });
+
+			await service.canAccessObject(singleAttrRoom as any, baseUser as any, AbacAccessOperation.READ, AbacObjectType.ROOM);
+
+			const [query] = mockUsersFindOne.mock.calls[0];
+			expect(query.$and).toHaveLength(1);
+			expect(query.$and[0].abacAttributes.$elemMatch.key).toBe('dept');
+			expect(query.$and[0].abacAttributes.$elemMatch.values.$all).toEqual(['eng']);
+		});
+	});
+});
diff --git a/ee/packages/abac/src/errors.ts b/ee/packages/abac/src/errors.ts
new file mode 100644
index 00000000000..0b7072c39b6
--- /dev/null
+++ b/ee/packages/abac/src/errors.ts
@@ -0,0 +1,93 @@
+export enum AbacErrorCode {
+	InvalidAttributeValues = 'error-invalid-attribute-values',
+	InvalidAttributeKey = 'error-invalid-attribute-key',
+	AttributeNotFound = 'error-attribute-not-found',
+	AttributeInUse = 'error-attribute-in-use',
+	DuplicateAttributeKey = 'error-duplicate-attribute-key',
+	AttributeDefinitionNotFound = 'error-attribute-definition-not-found',
+	RoomNotFound = 'error-room-not-found',
+	CannotConvertDefaultRoomToAbac = 'error-cannot-convert-default-room-to-abac',
+	AbacUnsupportedObjectType = 'error-abac-unsupported-object-type',
+	AbacUnsupportedOperation = 'error-abac-unsupported-operation',
+	OnlyCompliantCanBeAddedToRoom = 'error-only-compliant-users-can-be-added-to-abac-rooms',
+}
+
+export class AbacError extends Error {
+	public readonly code: AbacErrorCode;
+
+	public readonly details?: unknown;
+
+	constructor(code: AbacErrorCode, details?: unknown) {
+		super(code);
+		this.code = code;
+		this.details = details;
+
+		Object.setPrototypeOf(this, new.target.prototype);
+	}
+}
+
+export class AbacInvalidAttributeValuesError extends AbacError {
+	constructor(details?: unknown) {
+		super(AbacErrorCode.InvalidAttributeValues, details);
+	}
+}
+
+export class AbacInvalidAttributeKeyError extends AbacError {
+	constructor(details?: unknown) {
+		super(AbacErrorCode.InvalidAttributeKey, details);
+	}
+}
+
+export class AbacAttributeNotFoundError extends AbacError {
+	constructor(details?: unknown) {
+		super(AbacErrorCode.AttributeNotFound, details);
+	}
+}
+
+export class AbacAttributeInUseError extends AbacError {
+	constructor(details?: unknown) {
+		super(AbacErrorCode.AttributeInUse, details);
+	}
+}
+
+export class AbacDuplicateAttributeKeyError extends AbacError {
+	constructor(details?: unknown) {
+		super(AbacErrorCode.DuplicateAttributeKey, details);
+	}
+}
+
+export class AbacAttributeDefinitionNotFoundError extends AbacError {
+	constructor(details?: unknown) {
+		super(AbacErrorCode.AttributeDefinitionNotFound, details);
+	}
+}
+
+export class AbacRoomNotFoundError extends AbacError {
+	constructor(details?: unknown) {
+		super(AbacErrorCode.RoomNotFound, details);
+	}
+}
+
+export class AbacCannotConvertDefaultRoomToAbacError extends AbacError {
+	constructor(details?: unknown) {
+		super(AbacErrorCode.CannotConvertDefaultRoomToAbac, details);
+	}
+}
+
+export class AbacUnsupportedObjectTypeError extends AbacError {
+	constructor(details?: unknown) {
+		super(AbacErrorCode.AbacUnsupportedObjectType, details);
+	}
+}
+
+export class AbacUnsupportedOperationError extends AbacError {
+	constructor(details?: unknown) {
+		super(AbacErrorCode.AbacUnsupportedOperation, details);
+	}
+}
+
+export class OnlyCompliantCanBeAddedToRoomError extends AbacError {
+	constructor(details?: unknown) {
+		super(AbacErrorCode.OnlyCompliantCanBeAddedToRoom, details);
+	}
+}
diff --git a/ee/packages/abac/src/helper.spec.ts b/ee/packages/abac/src/helper.spec.ts
new file mode 100644
index 00000000000..54d0718da27
--- /dev/null
+++ b/ee/packages/abac/src/helper.spec.ts
@@ -0,0 +1,478 @@
+import {
+	validateAndNormalizeAttributes,
+	MAX_ABAC_ATTRIBUTE_KEYS,
+	MAX_ABAC_ATTRIBUTE_VALUES,
+	diffAttributeSets,
+	buildRoomNonCompliantConditionsFromSubject,
+	extractAttribute,
+	ensureAttributeDefinitionsExist,
+	buildNonCompliantConditions,
+} from './helper';
+
+const attributesFindMock = jest.fn();
+jest.mock('@rocket.chat/models', () => {
+	return {
+		AbacAttributes: {
+			find: jest.fn().mockReturnValue({
+				toArray: () => attributesFindMock(),
+			}),
+		},
+	};
+});
+
+describe('validateAndNormalizeAttributes', () => {
+	it('normalizes keys and merges duplicate values from multiple entries', () => {
+		const result = validateAndNormalizeAttributes({
+			' dept ': [' sales ', 'marketing', 'sales', '', 'marketing '],
+			'role': [' admin ', 'user', 'user '],
+			'dept': ['engineering'],
+		});
+
+		expect(result).toEqual([
+			{ key: 'dept', values: ['sales', 'marketing', 'engineering'] },
+			{ key: 'role', values: ['admin', 'user'] },
+		]);
+	});
+
+	it('throws when a key has no remaining sanitized values', () => {
+		expect(() =>
+			validateAndNormalizeAttributes({
+				role: ['   ', '\n', '\t'],
+			}),
+		).toThrow('error-invalid-attribute-values');
+	});
+
+	it('throws when a key exceeds the maximum number of unique values', () => {
+		const values = Array.from({ length: MAX_ABAC_ATTRIBUTE_VALUES + 1 }, (_, i) => `value-${i}`);
+		expect(() =>
+			validateAndNormalizeAttributes({
+				role: values,
+			}),
+		).toThrow('error-invalid-attribute-values');
+	});
+
+	it('throws when attempting to add a new key beyond MAX_ABAC_ATTRIBUTE_KEYS', () => {
+		const baseEntries = Object.fromEntries(Array.from({ length: MAX_ABAC_ATTRIBUTE_KEYS }, (_, i) => [`key-${i}`, ['value']]));
+
+		expect(() =>
+			validateAndNormalizeAttributes({
+				...baseEntries,
+				'extra-key': ['value'],
+			}),
+		).toThrow('error-invalid-attribute-values');
+	});
+
+	it('throws when total unique attribute keys exceeds limit (post-aggregation check)', () => {
+		const attributes = Object.fromEntries(Array.from({ length: MAX_ABAC_ATTRIBUTE_KEYS + 1 }, (_, i) => [`key-${i}`, ['value']]));
+
+		expect(() => validateAndNormalizeAttributes(attributes)).toThrow('error-invalid-attribute-values');
+	});
+
+	it('throws when a key exceeds the maximum number of unique values (bucket size limit)', () => {
+		const values = Array.from({ length: MAX_ABAC_ATTRIBUTE_VALUES + 1 }, (_, i) => `value-${i}`);
+
+		expect(() =>
+			validateAndNormalizeAttributes({
+				role: values,
+			}),
+		).toThrow('error-invalid-attribute-values');
+	});
+
+	it('throws when a key has only invalid/empty values after sanitization', () => {
+		expect(() =>
+			validateAndNormalizeAttributes({
+				role: ['   ', '\n', '\t'],
+			}),
+		).toThrow('error-invalid-attribute-values');
+	});
+});
+
+describe('ensureAttributeDefinitionsExist', () => {
+	afterEach(() => {
+		attributesFindMock.mockReset();
+	});
+
+	it('does nothing when normalized is empty', async () => {
+		await ensureAttributeDefinitionsExist([]);
+	});
+
+	it('throws when some attribute definitions are missing (size mismatch)', async () => {
+		const normalized = [
+			{ key: 'dept', values: ['eng'] },
+			{ key: 'role', values: ['admin'] },
+		];
+
+		attributesFindMock.mockResolvedValue([{ key: 'dept', values: ['eng', 'sales'] }]);
+
+		await expect(ensureAttributeDefinitionsExist(normalized)).rejects.toThrow('error-attribute-definition-not-found');
+	});
+
+	it('throws when a normalized value is not in the allowed definition values', async () => {
+		const normalized = [{ key: 'dept', values: ['eng', 'support'] }];
+
+		attributesFindMock.mockResolvedValue([{ key: 'dept', values: ['eng', 'sales'] }]);
+
+		await expect(ensureAttributeDefinitionsExist(normalized)).rejects.toThrow('error-invalid-attribute-values');
+	});
+});
+
+describe('diffAttributeSets', () => {
+	it('returns false/false when both sets are empty', () => {
+		const result = diffAttributeSets([], []);
+
+		expect(result).toEqual({ added: false, removed: false });
+	});
+
+	it('detects only additions when moving from empty to non-empty', () => {
+		const current: { key: string; values: string[] }[] = [];
+		const next: { key: string; values: string[] }[] = [
+			{ key: 'dept', values: ['eng'] },
+			{ key: 'role', values: ['admin'] },
+		];
+
+		const result = diffAttributeSets(current, next);
+
+		expect(result).toEqual({ added: true, removed: false });
+	});
+
+	it('detects only removals when moving from non-empty to empty', () => {
+		const current: { key: string; values: string[] }[] = [
+			{ key: 'dept', values: ['eng'] },
+			{ key: 'role', values: ['admin'] },
+		];
+		const next: { key: string; values: string[] }[] = [];
+
+		const result = diffAttributeSets(current, next);
+
+		expect(result).toEqual({ added: false, removed: true });
+	});
+
+	it('returns false/false when sets are identical (same keys and values)', () => {
+		const current: { key: string; values: string[] }[] = [
+			{ key: 'dept', values: ['eng', 'sales'] },
+			{ key: 'role', values: ['admin'] },
+		];
+		const next: { key: string; values: string[] }[] = [
+			{ key: 'dept', values: ['eng', 'sales'] },
+			{ key: 'role', values: ['admin'] },
+		];
+
+		const result = diffAttributeSets(current, next);
+
+		expect(result).toEqual({ added: false, removed: false });
+	});
+
+	it('ignores value ordering and still treats sets as identical', () => {
+		const current: { key: string; values: string[] }[] = [
+			{ key: 'dept', values: ['eng', 'sales'] },
+			{ key: 'role', values: ['admin', 'user'] },
+		];
+		const next: { key: string; values: string[] }[] = [
+			{ key: 'role', values: ['user', 'admin'] },
+			{ key: 'dept', values: ['sales', 'eng'] },
+		];
+
+		const result = diffAttributeSets(current, next);
+
+		expect(result).toEqual({ added: false, removed: false });
+	});
+
+	it('detects added values for an existing key', () => {
+		const current: { key: string; values: string[] }[] = [{ key: 'dept', values: ['eng'] }];
+		const next: { key: string; values: string[] }[] = [{ key: 'dept', values: ['eng', 'sales'] }];
+
+		const result = diffAttributeSets(current, next);
+
+		expect(result).toEqual({ added: true, removed: false });
+	});
+
+	it('detects removed values for an existing key', () => {
+		const current: { key: string; values: string[] }[] = [{ key: 'dept', values: ['eng', 'sales'] }];
+		const next: { key: string; values: string[] }[] = [{ key: 'dept', values: ['eng'] }];
+
+		const result = diffAttributeSets(current, next);
+
+		expect(result).toEqual({ added: false, removed: true });
+	});
+
+	it('detects added and removed values on the same key', () => {
+		const current: { key: string; values: string[] }[] = [{ key: 'dept', values: ['eng', 'sales'] }];
+		const next: { key: string; values: string[] }[] = [{ key: 'dept', values: ['support'] }];
+
+		const result = diffAttributeSets(current, next);
+
+		expect(result).toEqual({ added: true, removed: true });
+	});
+
+	it('detects newly added keys as additions', () => {
+		const current: { key: string; values: string[] }[] = [{ key: 'dept', values: ['eng'] }];
+		const next: { key: string; values: string[] }[] = [
+			{ key: 'dept', values: ['eng'] },
+			{ key: 'role', values: ['admin'] },
+		];
+
+		const result = diffAttributeSets(current, next);
+
+		expect(result).toEqual({ added: true, removed: false });
+	});
+
+	it('detects removed keys as removals', () => {
+		const current: { key: string; values: string[] }[] = [
+			{ key: 'dept', values: ['eng'] },
+			{ key: 'role', values: ['admin'] },
+		];
+		const next: { key: string; values: string[] }[] = [{ key: 'dept', values: ['eng'] }];
+
+		const result = diffAttributeSets(current, next);
+
+		expect(result).toEqual({ added: false, removed: true });
+	});
+
+	it('detects both added and removed keys across sets', () => {
+		const current: { key: string; values: string[] }[] = [
+			{ key: 'dept', values: ['eng'] },
+			{ key: 'region', values: ['us'] },
+		];
+		const next: { key: string; values: string[] }[] = [
+			{ key: 'dept', values: ['eng'] },
+			{ key: 'role', values: ['admin'] },
+		];
+
+		const result = diffAttributeSets(current, next);
+
+		expect(result).toEqual({ added: true, removed: true });
+	});
+
+	it('handles mixed changes: new key, removed key, added and removed values', () => {
+		const current: { key: string; values: string[] }[] = [
+			{ key: 'dept', values: ['eng', 'sales'] },
+			{ key: 'region', values: ['us', 'eu'] },
+		];
+		const next: { key: string; values: string[] }[] = [
+			{ key: 'dept', values: ['eng', 'support'] }, // sales removed, support added
+			{ key: 'role', values: ['admin'] }, // new key
+		];
+
+		const result = diffAttributeSets(current, next);
+
+		expect(result).toEqual({ added: true, removed: true });
+	});
+});
+
+describe('buildNonCompliantConditions', () => {
+	type AttributeDef = { key: string; values: string[] };
+
+	it('returns empty array for empty attributes list', () => {
+		const result = buildNonCompliantConditions([]);
+		expect(result).toEqual([]);
+	});
+
+	it('maps single attribute to $not $elemMatch query', () => {
+		const attrs: AttributeDef[] = [{ key: 'dept', values: ['eng', 'sales'] }];
+		const result = buildNonCompliantConditions(attrs);
+
+		expect(result).toEqual([
+			{
+				abacAttributes: {
+					$not: {
+						$elemMatch: {
+							key: 'dept',
+							values: { $all: ['eng', 'sales'] },
+						},
+					},
+				},
+			},
+		]);
+	});
+
+	it('maps multiple attributes preserving order', () => {
+		const attrs: AttributeDef[] = [
+			{ key: 'dept', values: ['eng'] },
+			{ key: 'role', values: ['admin', 'user'] },
+		];
+
+		const result = buildNonCompliantConditions(attrs);
+
+		expect(result).toEqual([
+			{
+				abacAttributes: {
+					$not: {
+						$elemMatch: {
+							key: 'dept',
+							values: { $all: ['eng'] },
+						},
+					},
+				},
+			},
+			{
+				abacAttributes: {
+					$not: {
+						$elemMatch: {
+							key: 'role',
+							values: { $all: ['admin', 'user'] },
+						},
+					},
+				},
+			},
+		]);
+	});
+});
+
+describe('buildRoomNonCompliantConditionsFromSubject', () => {
+	it('returns a single condition matching rooms with keys not in the subject set when subject has one key', () => {
+		const subject = [{ key: 'dept', values: ['eng'] }];
+
+		const result = buildRoomNonCompliantConditionsFromSubject(subject);
+
+		expect(result).toEqual([
+			{
+				abacAttributes: {
+					$elemMatch: {
+						key: { $nin: ['dept'] },
+					},
+				},
+			},
+			{
+				abacAttributes: {
+					$elemMatch: {
+						key: 'dept',
+						values: { $elemMatch: { $nin: ['eng'] } },
+					},
+				},
+			},
+		]);
+	});
+
+	it('builds key-$nin condition using all subject keys and per-key $nin for each attribute', () => {
+		const subject = [
+			{ key: 'dept', values: ['eng', 'sales'] },
+			{ key: 'role', values: ['admin'] },
+		];
+
+		const result = buildRoomNonCompliantConditionsFromSubject(subject);
+
+		expect(result[0]).toEqual({
+			abacAttributes: {
+				$elemMatch: {
+					key: { $nin: ['dept', 'role'] },
+				},
+			},
+		});
+
+		expect(result[1]).toEqual({
+			abacAttributes: {
+				$elemMatch: {
+					key: 'dept',
+					values: { $elemMatch: { $nin: ['eng', 'sales'] } },
+				},
+			},
+		});
+
+		expect(result[2]).toEqual({
+			abacAttributes: {
+				$elemMatch: {
+					key: 'role',
+					values: { $elemMatch: { $nin: ['admin'] } },
+				},
+			},
+		});
+	});
+
+	it('returns only the key-$nin condition when subject has no values for keys (empty arrays)', () => {
+		const subject = [
+			{ key: 'dept', values: [] },
+			{ key: 'role', values: [] },
+		];
+
+		const result = buildRoomNonCompliantConditionsFromSubject(subject);
+
+		expect(result[0]).toEqual({
+			abacAttributes: {
+				$elemMatch: {
+					key: { $nin: ['dept', 'role'] },
+				},
+			},
+		});
+
+		expect(result[1]).toEqual({
+			abacAttributes: {
+				$elemMatch: {
+					key: 'dept',
+					values: { $elemMatch: { $nin: [] } },
+				},
+			},
+		});
+
+		expect(result[2]).toEqual({
+			abacAttributes: {
+				$elemMatch: {
+					key: 'role',
+					values: { $elemMatch: { $nin: [] } },
+				},
+			},
+		});
+	});
+});
+
+describe('extractAttribute', () => {
+	it('returns undefined when ldapKey or abacKey is missing', () => {
+		const ldapUser = { memberOf: ['CN=Eng,OU=Groups'] } as any;
+
+		expect(extractAttribute(ldapUser, '', 'dept')).toBeUndefined();
+		expect(extractAttribute(ldapUser, 'memberOf', '')).toBeUndefined();
+	});
+
+	it('returns undefined when ldapUser does not have the provided key', () => {
+		const ldapUser = { other: ['value'] } as any;
+
+		expect(extractAttribute(ldapUser, 'memberOf', 'dept')).toBeUndefined();
+	});
+
+	it('extracts and normalizes a single string value', () => {
+		const ldapUser = { department: '  Engineering  ' } as any;
+
+		const result = extractAttribute(ldapUser, 'department', 'dept');
+
+		expect(result).toEqual({
+			key: 'dept',
+			values: ['Engineering'],
+		});
+	});
+
+	it('extracts from an array, trimming and deduplicating values', () => {
+		const ldapUser = {
+			memberOf: ['  Eng  ', 'Sales', 'Eng', '  ', '\tSales\t'],
+		} as any;
+
+		const result = extractAttribute(ldapUser, 'memberOf', 'dept');
+
+		// Order is preserved by insertion into the Set in implementation: ['Eng', 'Sales']
+		expect(result).toEqual({
+			key: 'dept',
+			values: ['Eng', 'Sales'],
+		});
+	});
+
+	it('ignores non-string values and empty/whitespace-only strings', () => {
+		const ldapUser = {
+			memberOf: ['  ', 123, null, '  Eng  ', undefined, {}, '\n'],
+		} as any;
+
+		const result = extractAttribute(ldapUser, 'memberOf', 'dept');
+
+		expect(result).toEqual({
+			key: 'dept',
+			values: ['Eng'],
+		});
+	});
+
+	it('returns undefined when all values are filtered out', () => {
+		const ldapUser = {
+			memberOf: ['  ', '\n', '\t'],
+		} as any;
+
+		const result = extractAttribute(ldapUser, 'memberOf', 'dept');
+
+		expect(result).toBeUndefined();
+	});
+});
diff --git a/ee/packages/abac/src/helper.ts b/ee/packages/abac/src/helper.ts
new file mode 100644
index 00000000000..5522b09b996
--- /dev/null
+++ b/ee/packages/abac/src/helper.ts
@@ -0,0 +1,324 @@
+import type { ILDAPEntry, IAbacAttributeDefinition, IRoom } from '@rocket.chat/core-typings';
+import { AbacAttributes, Rooms } from '@rocket.chat/models';
+import mem from 'mem';
+
+import {
+	AbacAttributeDefinitionNotFoundError,
+	AbacCannotConvertDefaultRoomToAbacError,
+	AbacInvalidAttributeKeyError,
+	AbacInvalidAttributeValuesError,
+	AbacRoomNotFoundError,
+} from './errors';
+
+export const MAX_ABAC_ATTRIBUTE_KEYS = 10;
+export const MAX_ABAC_ATTRIBUTE_VALUES = 10;
+
+export const extractAttribute = (ldapUser: ILDAPEntry, ldapKey: string, abacKey: string): IAbacAttributeDefinition | undefined => {
+	if (!ldapKey || !abacKey) {
+		return;
+	}
+	const raw = ldapUser?.[ldapKey];
+	if (!raw) {
+		return;
+	}
+	const valuesSet = new Set<string>();
+	const addIfValid = (value: unknown) => {
+		if (typeof value !== 'string') {
+			return;
+		}
+		const trimmed = value.trim();
+		if (!trimmed.length) {
+			return;
+		}
+		valuesSet.add(trimmed);
+	};
+
+	if (Array.isArray(raw)) {
+		for (const v of raw) {
+			addIfValid(v);
+		}
+	} else {
+		addIfValid(raw);
+	}
+	if (!valuesSet.size) {
+		return;
+	}
+	return { key: abacKey, values: Array.from(valuesSet) };
+};
+
+export function diffAttributes(a: IAbacAttributeDefinition[] = [], b: IAbacAttributeDefinition[] = []): IAbacAttributeDefinition[] {
+	if (!a?.length && b?.length) {
+		return b;
+	}
+
+	if (!b?.length) {
+		return [];
+	}
+
+	const mapA = new Map(a.map((item) => [item.key, new Set(item.values)]));
+	const mapB = new Map(b.map((item) => [item.key, new Set(item.values)]));
+
+	const diff: IAbacAttributeDefinition[] = [];
+
+	// Check keys in A
+	for (const [key, valuesA] of mapA) {
+		const valuesB = mapB.get(key);
+
+		if (!valuesB) {
+			// key removed
+			diff.push({ key, values: [...valuesA] });
+			continue;
+		}
+
+		const setA = valuesA;
+		const setB = valuesB;
+
+		const changed = [...setA].some((v) => !setB.has(v)) || [...setB].some((v) => !setA.has(v));
+
+		if (changed) {
+			diff.push({ key, values: [...setB] });
+		}
+	}
+
+	// Check keys added in B
+	for (const [key, valuesB] of mapB) {
+		if (!mapA.has(key)) {
+			diff.push({ key, values: [...valuesB] });
+		}
+	}
+
+	return diff;
+}
+
+export function validateAndNormalizeAttributes(attributes: Record<string, string[]>): IAbacAttributeDefinition[] {
+	const keyPattern = /^[A-Za-z0-9_-]+$/;
+	const normalized: IAbacAttributeDefinition[] = [];
+
+	const entries = Object.entries(attributes);
+
+	const aggregated = new Map<string, Set<string>>();
+
+	for (const [rawKey, values] of entries) {
+		const key = rawKey.trim();
+
+		if (!key.length || !keyPattern.test(key)) {
+			throw new AbacInvalidAttributeKeyError();
+		}
+
+		const bucket = aggregated.get(key) ?? new Set<string>();
+		if (!aggregated.has(key)) {
+			if (aggregated.size >= MAX_ABAC_ATTRIBUTE_KEYS) {
+				throw new AbacInvalidAttributeValuesError();
+			}
+			aggregated.set(key, bucket);
+		}
+
+		for (const value of values) {
+			if (typeof value !== 'string') {
+				continue;
+			}
+			const trimmed = value.trim();
+			if (!trimmed.length) {
+				continue;
+			}
+			if (bucket.size >= MAX_ABAC_ATTRIBUTE_VALUES && !bucket.has(trimmed)) {
+				throw new AbacInvalidAttributeValuesError();
+			}
+			bucket.add(trimmed);
+		}
+	}
+
+	if (aggregated.size > MAX_ABAC_ATTRIBUTE_KEYS) {
+		throw new AbacInvalidAttributeValuesError();
+	}
+
+	for (const [key, valueSet] of aggregated.entries()) {
+		if (!valueSet.size) {
+			throw new AbacInvalidAttributeValuesError();
+		}
+		normalized.push({ key, values: Array.from(valueSet) });
+	}
+
+	return normalized;
+}
+
+const getAttributeDefinitionsFromDb = async (keys: string[]) =>
+	AbacAttributes.find({ key: { $in: keys } }, { projection: { key: 1, values: 1 } }).toArray();
+
+const getAttributeDefinitionsCached = mem(getAttributeDefinitionsFromDb, {
+	maxAge: 30_000,
+	cacheKey: JSON.stringify,
+});
+
+export async function ensureAttributeDefinitionsExist(normalized: IAbacAttributeDefinition[]): Promise<void> {
+	if (!normalized.length) {
+		return;
+	}
+
+	const uniqueKeys = [...new Set(normalized.map((a) => a.key))];
+	const attributeDefinitions = await getAttributeDefinitionsCached(uniqueKeys);
+
+	const definitionValuesMap = new Map<string, Set<string>>(attributeDefinitions.map((def) => [def.key, new Set(def.values)]));
+	if (definitionValuesMap.size !== uniqueKeys.length) {
+		throw new AbacAttributeDefinitionNotFoundError();
+	}
+
+	for (const a of normalized) {
+		const allowed = definitionValuesMap.get(a.key);
+		if (!allowed) {
+			throw new AbacAttributeDefinitionNotFoundError();
+		}
+		for (const v of a.values) {
+			if (!allowed.has(v)) {
+				throw new AbacInvalidAttributeValuesError();
+			}
+		}
+	}
+}
+
+export function buildNonCompliantConditions(newAttributes: IAbacAttributeDefinition[]) {
+	return newAttributes.map(({ key, values }) => ({
+		abacAttributes: {
+			$not: {
+				$elemMatch: {
+					key,
+					values: { $all: values },
+				},
+			},
+		},
+	}));
+}
+
+export function buildCompliantConditions(attributes: IAbacAttributeDefinition[]) {
+	return attributes.map(({ key, values }) => ({
+		abacAttributes: {
+			$elemMatch: {
+				key,
+				values: { $all: values },
+			},
+		},
+	}));
+}
+
+export function buildRoomNonCompliantConditionsFromSubject(subjectAttributes: IAbacAttributeDefinition[]) {
+	const map = new Map(subjectAttributes.map((a) => [a.key, new Set(a.values)]));
+	const userKeys = Array.from(map.keys());
+	const conditions = [];
+	conditions.push({
+		abacAttributes: {
+			$elemMatch: {
+				key: { $nin: userKeys },
+			},
+		},
+	});
+	for (const [key, valuesSet] of map.entries()) {
+		const valuesArr = Array.from(valuesSet);
+		conditions.push({
+			abacAttributes: {
+				$elemMatch: {
+					key,
+					values: { $elemMatch: { $nin: valuesArr } },
+				},
+			},
+		});
+	}
+	return conditions;
+}
+
+export async function getAbacRoom(
+	rid: string,
+): Promise<Pick<IRoom, '_id' | 'abacAttributes' | 't' | 'teamMain' | 'teamDefault' | 'default' | 'name'>> {
+	const room = await Rooms.findOneByIdAndType<
+		Pick<IRoom, '_id' | 'abacAttributes' | 't' | 'teamMain' | 'teamDefault' | 'default' | 'name'>
+	>(rid, 'p', {
+		projection: { abacAttributes: 1, t: 1, teamMain: 1, teamDefault: 1, default: 1, name: 1 },
+	});
+	if (!room) {
+		throw new AbacRoomNotFoundError();
+	}
+	if (room.default || room.teamDefault) {
+		throw new AbacCannotConvertDefaultRoomToAbacError();
+	}
+
+	return room;
+}
+
+export function diffAttributeSets(
+	current: IAbacAttributeDefinition[] = [],
+	next: IAbacAttributeDefinition[] = [],
+): { added: boolean; removed: boolean } {
+	const currentMap = new Map<string, Set<string>>(current.map((attr) => [attr.key, new Set(attr.values)]));
+	const nextMap = new Map<string, Set<string>>(next.map((attr) => [attr.key, new Set(attr.values)]));
+
+	let added = false;
+	let removed = false;
+
+	// Check removals and per-key value changes
+	for (const [key, currentValues] of currentMap) {
+		const nextValues = nextMap.get(key);
+
+		if (!nextValues) {
+			// Key was completely removed
+			removed = true;
+		} else {
+			// Check removed values
+			for (const v of currentValues) {
+				if (!nextValues.has(v)) {
+					removed = true;
+					break;
+				}
+			}
+		}
+
+		if (removed) {
+			break;
+		}
+	}
+
+	// Check additions (new keys or new values on existing keys)
+	if (!removed) {
+		for (const [key, nextValues] of nextMap) {
+			const currentValues = currentMap.get(key);
+
+			if (!currentValues) {
+				// New key added
+				added = true;
+				break;
+			}
+
+			for (const v of nextValues) {
+				if (!currentValues.has(v)) {
+					added = true;
+					break;
+				}
+			}
+
+			if (added) {
+				break;
+			}
+		}
+	} else {
+		// Even if we've already seen removals, we might still want to know if additions happened too
+		for (const [key, nextValues] of nextMap) {
+			const currentValues = currentMap.get(key);
+
+			if (!currentValues) {
+				added = true;
+				break;
+			}
+
+			for (const v of nextValues) {
+				if (!currentValues.has(v)) {
+					added = true;
+					break;
+				}
+			}
+
+			if (added) {
+				break;
+			}
+		}
+	}
+
+	return { added, removed };
+}
diff --git a/ee/packages/abac/src/index.ts b/ee/packages/abac/src/index.ts
new file mode 100644
index 00000000000..1c19944a225
--- /dev/null
+++ b/ee/packages/abac/src/index.ts
@@ -0,0 +1,667 @@
+import { Room, ServiceClass } from '@rocket.chat/core-services';
+import type { AbacActor, IAbacService } from '@rocket.chat/core-services';
+import { AbacAccessOperation, AbacObjectType } from '@rocket.chat/core-typings';
+import type {
+	IAbacAttribute,
+	IAbacAttributeDefinition,
+	IRoom,
+	AtLeast,
+	IUser,
+	ILDAPEntry,
+	ISubscription,
+	AbacAuditReason,
+} from '@rocket.chat/core-typings';
+import { Logger } from '@rocket.chat/logger';
+import { Rooms, AbacAttributes, Users, Subscriptions, Settings } from '@rocket.chat/models';
+import { escapeRegExp } from '@rocket.chat/string-helpers';
+import type { Document, FindCursor, UpdateFilter } from 'mongodb';
+import pLimit from 'p-limit';
+
+import { Audit } from './audit';
+import {
+	AbacAttributeInUseError,
+	AbacAttributeNotFoundError,
+	AbacDuplicateAttributeKeyError,
+	AbacInvalidAttributeValuesError,
+	AbacUnsupportedObjectTypeError,
+	AbacUnsupportedOperationError,
+	OnlyCompliantCanBeAddedToRoomError,
+} from './errors';
+import {
+	getAbacRoom,
+	diffAttributes,
+	extractAttribute,
+	diffAttributeSets,
+	buildCompliantConditions,
+	buildNonCompliantConditions,
+	validateAndNormalizeAttributes,
+	ensureAttributeDefinitionsExist,
+	buildRoomNonCompliantConditionsFromSubject,
+	MAX_ABAC_ATTRIBUTE_KEYS,
+} from './helper';
+
+// Limit concurrent user removals to avoid overloading the server with too many operations at once
+const limit = pLimit(20);
+
+export class AbacService extends ServiceClass implements IAbacService {
+	protected name = 'abac';
+
+	protected logger: Logger;
+
+	constructor() {
+		super();
+		this.logger = new Logger('AbacService');
+	}
+
+	async addSubjectAttributes(user: IUser, ldapUser: ILDAPEntry, map: Record<string, string>): Promise<void> {
+		if (!user?._id) {
+			return;
+		}
+
+		const entries = Object.entries(map || {});
+
+		const mergedMap = new Map<string, Set<string>>();
+		for (const [ldapKey, abacKey] of entries) {
+			const attr = extractAttribute(ldapUser, ldapKey, abacKey);
+			if (!attr) {
+				continue;
+			}
+			const existing = mergedMap.get(attr.key);
+			if (!existing) {
+				mergedMap.set(attr.key, new Set(attr.values));
+				continue;
+			}
+			for (const v of attr.values) {
+				existing.add(v);
+			}
+		}
+		const finalAttributes = Array.from(mergedMap.entries()).map<IAbacAttributeDefinition>(([key, valuesSet]) => ({
+			key,
+			values: Array.from(valuesSet),
+		}));
+
+		if (!finalAttributes.length) {
+			if (Array.isArray(user.abacAttributes) && user.abacAttributes.length) {
+				const finalUser = await Users.unsetAbacAttributesById(user._id);
+				await this.onSubjectAttributesChanged(finalUser!, []);
+				void Audit.subjectAttributeChanged([], { _id: user._id, username: user.username });
+			}
+			return;
+		}
+
+		const finalUser = await Users.setAbacAttributesById(user._id, finalAttributes);
+
+		if (diffAttributeSets(user?.abacAttributes || [], finalAttributes).removed) {
+			await this.onSubjectAttributesChanged(finalUser!, finalAttributes);
+		}
+
+		const diff = diffAttributes(user?.abacAttributes, finalAttributes);
+		if (diff.length) {
+			void Audit.subjectAttributeChanged(diff, { _id: user._id, username: user.username });
+		}
+	}
+
+	async addAbacAttribute(attribute: IAbacAttributeDefinition, actor: AbacActor): Promise<void> {
+		if (!attribute.values.length) {
+			throw new AbacInvalidAttributeValuesError();
+		}
+
+		try {
+			await AbacAttributes.insertOne(attribute);
+			void Audit.attributeCreated(attribute, actor);
+		} catch (e) {
+			if (e instanceof Error && e.message.includes('E11000')) {
+				throw new AbacDuplicateAttributeKeyError();
+			}
+			throw e;
+		}
+	}
+
+	async listAbacAttributes(filters?: { key?: string; values?: string; offset?: number; count?: number }): Promise<{
+		attributes: IAbacAttribute[];
+		offset: number;
+		count: number;
+		total: number;
+	}> {
+		const query: Document[] = [];
+		if (filters?.key) {
+			query.push({ key: new RegExp(escapeRegExp(filters.key), 'i') });
+		}
+		if (filters?.values?.length) {
+			query.push({ values: new RegExp(escapeRegExp(filters.values), 'i') });
+		}
+
+		const offset = filters?.offset ?? 0;
+		const limit = filters?.count ?? 25;
+
+		const { cursor, totalCount } = AbacAttributes.findPaginated(
+			{ ...(query.length && { $or: query }) },
+			{
+				projection: { key: 1, values: 1 },
+				skip: offset,
+				limit,
+			},
+		);
+
+		const attributes = await cursor.toArray();
+
+		return {
+			attributes,
+			offset,
+			count: attributes.length,
+			total: await totalCount,
+		};
+	}
+
+	async listAbacRooms(filters?: {
+		offset?: number;
+		count?: number;
+		filter?: string;
+		filterType?: 'all' | 'roomName' | 'attribute' | 'value';
+	}): Promise<{
+		rooms: IRoom[];
+		offset: number;
+		count: number;
+		total: number;
+	}> {
+		const offset = filters?.offset ?? 0;
+		const limit = filters?.count ?? 25;
+
+		const baseQuery: Document = {
+			t: 'p',
+			abacAttributes: { $exists: true, $ne: [] },
+		};
+
+		const { filter, filterType } = filters || {};
+
+		if (filter?.trim().length) {
+			const regex = new RegExp(escapeRegExp(filter.trim()), 'i');
+
+			let condition: Document;
+
+			switch (filterType) {
+				case 'roomName':
+					condition = { $or: [{ name: regex }, { fname: regex }] };
+					break;
+				case 'attribute':
+					condition = { 'abacAttributes.key': regex };
+					break;
+				case 'value':
+					condition = { 'abacAttributes.values': regex };
+					break;
+				case 'all':
+				default:
+					condition = {
+						$or: [{ name: regex }, { fname: regex }, { 'abacAttributes.key': regex }, { 'abacAttributes.values': regex }],
+					};
+					break;
+			}
+
+			Object.assign(baseQuery, condition);
+		}
+
+		const { cursor, totalCount } = Rooms.findPaginated(baseQuery, {
+			skip: offset,
+			limit,
+			sort: { name: 1 },
+		});
+
+		const rooms = await cursor.toArray();
+
+		return {
+			rooms,
+			offset,
+			count: rooms.length,
+			total: await totalCount,
+		};
+	}
+
+	async updateAbacAttributeById(_id: string, update: { key?: string; values?: string[] }, actor: AbacActor): Promise<void> {
+		if (!update.key && !update.values) {
+			return;
+		}
+
+		const existing = await AbacAttributes.findOneById(_id, { projection: { key: 1, values: 1 } });
+		if (!existing) {
+			throw new AbacAttributeNotFoundError();
+		}
+
+		if (update.values && !update.values.length) {
+			throw new AbacInvalidAttributeValuesError();
+		}
+
+		const newKey = update.key ?? existing.key;
+		const newValues = update.values ?? existing.values;
+
+		const removedValues = existing.values.filter((v) => !newValues.includes(v));
+		const keyChanged = newKey !== existing.key;
+
+		const valuesToCheck = keyChanged ? existing.values : removedValues;
+
+		if (keyChanged || valuesToCheck.length) {
+			const inUse = await Rooms.isAbacAttributeInUse(existing.key, valuesToCheck.length ? valuesToCheck : existing.values);
+			if (inUse) {
+				throw new AbacAttributeInUseError();
+			}
+		}
+
+		const modifier: UpdateFilter<IAbacAttribute> = {};
+		if (update.key) {
+			modifier.key = update.key;
+		}
+		if (update.values) {
+			modifier.values = update.values;
+		}
+
+		if (!Object.keys(modifier).length) {
+			return;
+		}
+
+		try {
+			await AbacAttributes.updateOne({ _id }, { $set: modifier });
+			void Audit.attributeUpdated(existing, modifier as IAbacAttributeDefinition, actor);
+		} catch (e) {
+			if (e instanceof Error && e.message.includes('E11000')) {
+				throw new AbacDuplicateAttributeKeyError();
+			}
+			throw e;
+		}
+	}
+
+	async deleteAbacAttributeById(_id: string, actor: AbacActor): Promise<void> {
+		const existing = await AbacAttributes.findOneById(_id, { projection: { key: 1, values: 1 } });
+		if (!existing) {
+			throw new AbacAttributeNotFoundError();
+		}
+
+		const inUse = await Rooms.isAbacAttributeInUse(existing.key, existing.values);
+		if (inUse) {
+			throw new AbacAttributeInUseError();
+		}
+
+		await AbacAttributes.removeById(_id);
+		void Audit.attributeDeleted(existing, actor);
+	}
+
+	async getAbacAttributeById(_id: string, _actor: AbacActor | undefined): Promise<{ key: string; values: string[] }> {
+		const attribute = await AbacAttributes.findOneById(_id, { projection: { key: 1, values: 1 } });
+		if (!attribute) {
+			throw new AbacAttributeNotFoundError();
+		}
+
+		return {
+			key: attribute.key,
+			values: attribute.values || [],
+		};
+	}
+
+	async isAbacAttributeInUseByKey(key: string): Promise<boolean> {
+		const attribute = await AbacAttributes.findOneByKey(key, { projection: { values: 1 } });
+		if (!attribute) {
+			return false;
+		}
+		return Rooms.isAbacAttributeInUse(key, attribute.values || []);
+	}
+
+	async setRoomAbacAttributes(rid: string, attributes: Record<string, string[]>, actor: AbacActor): Promise<void> {
+		const room = await getAbacRoom(rid);
+
+		if (!Object.keys(attributes).length && room.abacAttributes?.length) {
+			await Rooms.unsetAbacAttributesById(rid);
+			void Audit.objectAttributesRemoved({ _id: room._id, name: room.name }, room.abacAttributes, actor);
+			return;
+		}
+
+		const normalized = validateAndNormalizeAttributes(attributes);
+
+		await ensureAttributeDefinitionsExist(normalized);
+
+		const updated = await Rooms.setAbacAttributesById(rid, normalized);
+		void Audit.objectAttributeChanged({ _id: room._id, name: room.name }, room.abacAttributes || [], normalized, 'updated', actor);
+
+		const previous: IAbacAttributeDefinition[] = room.abacAttributes || [];
+		if (diffAttributeSets(previous, normalized).added) {
+			await this.onRoomAttributesChanged(room, (updated?.abacAttributes as IAbacAttributeDefinition[] | undefined) ?? normalized);
+		}
+	}
+
+	async updateRoomAbacAttributeValues(rid: string, key: string, values: string[], actor: AbacActor): Promise<void> {
+		const room = await getAbacRoom(rid);
+
+		const previous: IAbacAttributeDefinition[] = room.abacAttributes || [];
+
+		const existingIndex = previous.findIndex((a) => a.key === key);
+		const isNewKey = existingIndex === -1;
+		if (isNewKey && previous.length >= MAX_ABAC_ATTRIBUTE_KEYS) {
+			throw new AbacInvalidAttributeValuesError();
+		}
+
+		await ensureAttributeDefinitionsExist([{ key, values }]);
+
+		if (isNewKey) {
+			await Rooms.updateSingleAbacAttributeValuesById(rid, key, values);
+			void Audit.objectAttributeChanged(
+				{ _id: room._id, name: room.name },
+				room.abacAttributes || [],
+				[{ key, values }],
+				'key-added',
+				actor,
+			);
+			const next = [...previous, { key, values }];
+
+			await this.onRoomAttributesChanged(room, next);
+			return;
+		}
+
+		const prevValues = previous[existingIndex].values;
+
+		if (prevValues.length === values.length && prevValues.every((v, i) => v === values[i])) {
+			return;
+		}
+
+		await Rooms.updateAbacAttributeValuesArrayFilteredById(rid, key, values);
+		void Audit.objectAttributeChanged(
+			{ _id: room._id, name: room.name },
+			room.abacAttributes || [],
+			[{ key, values }],
+			'key-updated',
+			actor,
+		);
+
+		if (diffAttributeSets([previous[existingIndex]], [{ key, values }]).added) {
+			const next = previous.map((a, i) => (i === existingIndex ? { key, values } : a));
+			await this.onRoomAttributesChanged(room, next);
+		}
+	}
+
+	async removeRoomAbacAttribute(rid: string, key: string, actor: AbacActor): Promise<void> {
+		const room = await getAbacRoom(rid);
+
+		const previous: IAbacAttributeDefinition[] = room.abacAttributes || [];
+		const exists = previous.some((a) => a.key === key);
+		if (!exists) {
+			return;
+		}
+
+		// if is the last attribute, just remove all
+		if (previous.length === 1) {
+			await Rooms.unsetAbacAttributesById(rid);
+			void Audit.objectAttributesRemoved({ _id: room._id }, previous, actor);
+
+			return;
+		}
+
+		await Rooms.removeAbacAttributeByRoomIdAndKey(rid, key);
+		void Audit.objectAttributeRemoved(
+			{ _id: room._id, name: room.name },
+			previous,
+			previous.filter((a) => a.key !== key),
+			'key-removed',
+			actor,
+		);
+	}
+
+	async addRoomAbacAttributeByKey(rid: string, key: string, values: string[], actor: AbacActor): Promise<void> {
+		await ensureAttributeDefinitionsExist([{ key, values }]);
+
+		const room = await getAbacRoom(rid);
+
+		const previous: IAbacAttributeDefinition[] = room.abacAttributes || [];
+		if (previous.some((a) => a.key === key)) {
+			throw new AbacDuplicateAttributeKeyError();
+		}
+
+		if (previous.length >= MAX_ABAC_ATTRIBUTE_KEYS) {
+			throw new AbacInvalidAttributeValuesError();
+		}
+
+		const updated = await Rooms.insertAbacAttributeIfNotExistsById(rid, key, values);
+		const next = updated?.abacAttributes || [...previous, { key, values }];
+
+		void Audit.objectAttributeChanged({ _id: room._id, name: room.name }, previous, next, 'key-added', actor);
+
+		await this.onRoomAttributesChanged(room, next);
+	}
+
+	async replaceRoomAbacAttributeByKey(rid: string, key: string, values: string[], actor: AbacActor): Promise<void> {
+		await ensureAttributeDefinitionsExist([{ key, values }]);
+
+		const room = await getAbacRoom(rid);
+
+		const exists = room?.abacAttributes?.find((a) => a.key === key);
+
+		if (exists) {
+			const updated = await Rooms.updateAbacAttributeValuesArrayFilteredById(rid, key, values);
+
+			void Audit.objectAttributeChanged(
+				{ _id: room._id, name: room.name },
+				room.abacAttributes || [],
+				updated?.abacAttributes || [],
+				'key-updated',
+				actor,
+			);
+			if (diffAttributeSets([exists], [{ key, values }]).added) {
+				await this.onRoomAttributesChanged(room, updated?.abacAttributes || []);
+			}
+
+			return;
+		}
+
+		if (room?.abacAttributes?.length === MAX_ABAC_ATTRIBUTE_KEYS) {
+			throw new AbacInvalidAttributeValuesError();
+		}
+
+		const updated = await Rooms.insertAbacAttributeIfNotExistsById(rid, key, values);
+		void Audit.objectAttributeChanged(
+			{ _id: room._id, name: room.name },
+			room.abacAttributes || [],
+			updated?.abacAttributes || [],
+			'key-added',
+			actor,
+		);
+
+		await this.onRoomAttributesChanged(room, updated?.abacAttributes || []);
+	}
+
+	async checkUsernamesMatchAttributes(usernames: string[], attributes: IAbacAttributeDefinition[], object: IRoom): Promise<void> {
+		if (!usernames.length || !attributes.length) {
+			return;
+		}
+
+		const nonCompliantUsersFromList = await Users.find(
+			{
+				username: { $in: usernames },
+				$or: buildNonCompliantConditions(attributes),
+			},
+			{ projection: { username: 1 } },
+		)
+			.map((u) => u.username as string)
+			.toArray();
+
+		const nonCompliantSet = new Set<string>(nonCompliantUsersFromList);
+
+		if (nonCompliantSet.size) {
+			throw new OnlyCompliantCanBeAddedToRoomError();
+		}
+
+		usernames.forEach((username) => {
+			// TODO: Add room name
+			void Audit.actionPerformed({ username }, { _id: object._id, name: object.name }, 'system', 'granted-object-access');
+		});
+	}
+
+	private shouldUseCache(decisionCacheTimeout: number, userSub: ISubscription) {
+		// Cases:
+		// 1) Never checked before -> check now
+		// 2) Checked before, but cache expired -> check now
+		// 3) Checked before, and cache valid -> use cached decision (subsciprtion exists)
+		// 4) Cache disabled (0) -> always check
+		return (
+			decisionCacheTimeout > 0 &&
+			userSub.abacLastTimeChecked &&
+			Date.now() - userSub.abacLastTimeChecked.getTime() < decisionCacheTimeout * 1000
+		);
+	}
+
+	async canAccessObject(
+		room: Pick<IRoom, '_id' | 't' | 'teamId' | 'prid' | 'abacAttributes'>,
+		user: Pick<IUser, '_id'>,
+		action: AbacAccessOperation,
+		objectType: AbacObjectType,
+	) {
+		// We may need this flex for phase 2, but for now only ROOM/READ is supported
+		if (objectType !== AbacObjectType.ROOM) {
+			throw new AbacUnsupportedObjectTypeError();
+		}
+
+		if (action !== AbacAccessOperation.READ) {
+			throw new AbacUnsupportedOperationError();
+		}
+
+		if (!user?._id || !room?.abacAttributes?.length) {
+			return false;
+		}
+
+		const decisionCacheTimeout = (await Settings.getValueById('Abac_Cache_Decision_Time_Seconds')) as number;
+		const userSub = await Subscriptions.findOneByRoomIdAndUserId(room._id, user._id, { projection: { abacLastTimeChecked: 1 } });
+		if (!userSub) {
+			return false;
+		}
+
+		if (this.shouldUseCache(decisionCacheTimeout, userSub)) {
+			this.logger.debug({ msg: 'Using cached ABAC decision', userId: user._id, roomId: room._id });
+			return !!userSub;
+		}
+
+		const isUserCompliant = await Users.findOne(
+			{
+				_id: user._id,
+				$and: buildCompliantConditions(room.abacAttributes),
+			},
+			{ projection: { _id: 1 } },
+		);
+
+		if (!isUserCompliant) {
+			const fullUser = await Users.findOneById(user._id);
+			if (!fullUser) {
+				return false;
+			}
+
+			// When a user is not compliant, remove them from the room automatically
+			await this.removeUserFromRoom(room, fullUser, 'realtime-policy-eval');
+
+			return false;
+		}
+
+		// Set last time the decision was made
+		await Subscriptions.setAbacLastTimeCheckedByUserIdAndRoomId(user._id, room._id, new Date());
+		return true;
+	}
+
+	protected async onRoomAttributesChanged(
+		room: AtLeast<IRoom, '_id' | 't' | 'teamMain' | 'abacAttributes'>,
+		newAttributes: IAbacAttributeDefinition[],
+	): Promise<void> {
+		const rid = room._id;
+		if (!newAttributes?.length) {
+			// When a room has no ABAC attributes, it becomes a normal private group and no user removal is necessary
+			this.logger.warn({
+				msg: 'Room ABAC attributes removed. Room is not abac managed anymore',
+				rid,
+			});
+
+			return;
+		}
+
+		try {
+			const query = {
+				__rooms: rid,
+				$or: buildNonCompliantConditions(newAttributes),
+			};
+
+			const cursor = Users.find(query, { projection: { __rooms: 0 } });
+
+			const usersToRemove: string[] = [];
+			const userRemovalPromises = [];
+			for await (const doc of cursor) {
+				usersToRemove.push(doc._id);
+				userRemovalPromises.push(limit(() => this.removeUserFromRoom(room, doc, 'room-attributes-change')));
+			}
+
+			if (!usersToRemove.length) {
+				return;
+			}
+
+			await Promise.all(userRemovalPromises);
+		} catch (err) {
+			this.logger.error({
+				msg: 'Failed to re-evaluate room subscriptions after ABAC attributes changed',
+				rid,
+				err,
+			});
+		}
+	}
+
+	private async removeUserFromRoom(room: AtLeast<IRoom, '_id'>, user: IUser, reason: AbacAuditReason): Promise<void> {
+		return Room.removeUserFromRoom(room._id, user, {
+			skipAppPreEvents: true,
+			customSystemMessage: 'abac-removed-user-from-room' as const,
+		})
+			.then(() => void Audit.actionPerformed({ _id: user._id, username: user.username }, { _id: room._id, name: room.name }, reason))
+			.catch((err) => {
+				this.logger.error({
+					msg: 'Failed to remove user from ABAC room',
+					rid: room._id,
+					err,
+					reason,
+				});
+			});
+	}
+
+	private async removeUserFromRoomList(roomList: FindCursor<IRoom>, user: IUser, reason: AbacAuditReason): Promise<void> {
+		const removalPromises: Promise<void>[] = [];
+		for await (const room of roomList) {
+			removalPromises.push(limit(() => this.removeUserFromRoom(room, user, reason)));
+		}
+
+		await Promise.all(removalPromises);
+	}
+
+	protected async onSubjectAttributesChanged(user: IUser, _next: IAbacAttributeDefinition[]): Promise<void> {
+		if (!user?._id || !Array.isArray(user.__rooms) || !user.__rooms.length) {
+			return;
+		}
+		const roomIds = user.__rooms;
+
+		try {
+			// No attributes: no rooms :(
+			if (!_next.length) {
+				const cursor = Rooms.find(
+					{
+						_id: { $in: roomIds },
+						abacAttributes: { $exists: true, $ne: [] },
+					},
+					{ projection: { _id: 1 } },
+				);
+
+				return await this.removeUserFromRoomList(cursor, user, 'ldap-sync');
+			}
+
+			const query = {
+				_id: { $in: roomIds },
+				$or: buildRoomNonCompliantConditionsFromSubject(_next),
+			};
+
+			const cursor = Rooms.find(query, { projection: { _id: 1 } });
+
+			return await this.removeUserFromRoomList(cursor, user, 'ldap-sync');
+		} catch (err) {
+			this.logger.error({
+				msg: 'Failed to query and remove user from non-compliant ABAC rooms',
+				err,
+			});
+		}
+	}
+}
+
+export default AbacService;
diff --git a/ee/packages/abac/src/service.spec.ts b/ee/packages/abac/src/service.spec.ts
new file mode 100644
index 00000000000..831a1f53994
--- /dev/null
+++ b/ee/packages/abac/src/service.spec.ts
@@ -0,0 +1,1136 @@
+import { AbacService } from './index';
+
+const fakeActor = { _id: 'test-user', username: 'testuser', type: 'user' };
+
+const mockFindOneByIdAndType = jest.fn();
+const mockUpdateAbacConfigurationById = jest.fn();
+const mockAbacInsertOne = jest.fn();
+const mockAbacFindPaginated = jest.fn();
+const mockAbacFindOne = jest.fn();
+const mockAbacUpdateOne = jest.fn();
+const mockAbacDeleteOne = jest.fn();
+const mockRoomsIsAbacAttributeInUse = jest.fn();
+const mockSetAbacAttributesById = jest.fn();
+const mockAbacFind = jest.fn();
+const mockUpdateSingleAbacAttributeValuesById = jest.fn();
+const mockUpdateAbacAttributeValuesArrayFilteredById = jest.fn();
+const mockRemoveAbacAttributeByRoomIdAndKey = jest.fn();
+const mockInsertAbacAttributeIfNotExistsById = jest.fn();
+const mockUsersFind = jest.fn();
+const mockUsersUpdateOne = jest.fn();
+const mockUsersSetAbacAttributesById = jest.fn();
+const mockUsersUnsetAbacAttributesById = jest.fn();
+const mockAbacFindOneAndUpdate = jest.fn();
+const mockCreateAuditServerEvent = jest.fn();
+
+jest.mock('@rocket.chat/models', () => ({
+	Rooms: {
+		findOneByIdAndType: (...args: any[]) => mockFindOneByIdAndType(...args),
+		updateAbacConfigurationById: (...args: any[]) => mockUpdateAbacConfigurationById(...args),
+		isAbacAttributeInUse: (...args: any[]) => mockRoomsIsAbacAttributeInUse(...args),
+		setAbacAttributesById: (...args: any[]) => mockSetAbacAttributesById(...args),
+		updateSingleAbacAttributeValuesById: (...args: any[]) => mockUpdateSingleAbacAttributeValuesById(...args),
+		updateAbacAttributeValuesArrayFilteredById: (...args: any[]) => mockUpdateAbacAttributeValuesArrayFilteredById(...args),
+		removeAbacAttributeByRoomIdAndKey: (...args: any[]) => mockRemoveAbacAttributeByRoomIdAndKey(...args),
+		insertAbacAttributeIfNotExistsById: (...args: any[]) => mockInsertAbacAttributeIfNotExistsById(...args),
+	},
+	AbacAttributes: {
+		insertOne: (...args: any[]) => mockAbacInsertOne(...args),
+		findPaginated: (...args: any[]) => mockAbacFindPaginated(...args),
+		findOne: (...args: any[]) => mockAbacFindOne(...args),
+		findOneById: (...args: any[]) => mockAbacFindOne(...args), // map findOneById calls to same mock
+		findOneByKey: (...args: any[]) => mockAbacFindOne(...args), // map findOneByKey to same mock
+		updateOne: (...args: any[]) => mockAbacUpdateOne(...args),
+		findOneAndUpdate: (...args: any[]) => mockAbacFindOneAndUpdate(...args),
+		deleteOne: (...args: any[]) => mockAbacDeleteOne(...args),
+		removeById: (...args: any[]) => mockAbacDeleteOne(...args),
+		find: (...args: any[]) => mockAbacFind(...args),
+	},
+	Users: {
+		find: (...args: any[]) => mockUsersFind(...args),
+		setAbacAttributesById: (...args: any[]) => mockUsersSetAbacAttributesById(...args),
+		unsetAbacAttributesById: (...args: any[]) => mockUsersUnsetAbacAttributesById(...args),
+		findOneAndUpdate: (...args: any[]) => mockUsersUpdateOne(...args),
+		updateOne: (...args: any[]) => mockUsersUpdateOne(...args),
+	},
+	ServerEvents: {
+		createAuditServerEvent: (...args: any[]) => mockCreateAuditServerEvent(...args),
+	},
+}));
+
+// Partial mock for @rocket.chat/core-services: keep real MeteorError, override ServiceClass and Room
+jest.mock('@rocket.chat/core-services', () => {
+	const actual = jest.requireActual('@rocket.chat/core-services');
+	return {
+		...actual,
+		ServiceClass: class {},
+		Room: {
+			removeUserFromRoom: jest.fn(),
+		},
+	};
+});
+
+jest.mock('mem', () => {
+	return jest.fn((fn: any) => fn);
+});
+
+describe('AbacService (unit)', () => {
+	let service: AbacService;
+
+	beforeEach(() => {
+		service = new AbacService();
+		jest.clearAllMocks();
+	});
+
+	describe('addSubjectAttributes (merging behavior)', () => {
+		const getUpdatedAttributesFromCall = () => {
+			const last = mockUsersSetAbacAttributesById.mock.calls.at(-1);
+			return last?.[1] as any[] | undefined;
+		};
+
+		it('merges values from multiple LDAP keys mapping to the same ABAC key', async () => {
+			const user = { _id: 'u1' } as any;
+			const ldapUser = {
+				memberOf: ['eng', 'sales'],
+				department: ['sales', 'support'],
+			} as any;
+
+			const map = {
+				memberOf: 'dept',
+				department: 'dept',
+			};
+
+			await service.addSubjectAttributes(user, ldapUser, map);
+
+			expect(mockUsersSetAbacAttributesById).toHaveBeenCalledTimes(1);
+			const final = getUpdatedAttributesFromCall();
+			expect(final).toBeDefined();
+			expect(final).toHaveLength(1);
+			expect(final?.[0].key).toBe('dept');
+			expect(final?.[0].values).toEqual(['eng', 'sales', 'support']);
+		});
+
+		it('deduplicates values across different LDAP keys and within arrays', async () => {
+			const user = { _id: 'u2' } as any;
+			const ldapUser = {
+				group: ['alpha', 'beta', 'alpha'],
+				team: ['beta', 'gamma'],
+				role: 'gamma',
+			} as any;
+
+			const map = {
+				group: 'combined',
+				team: 'combined',
+				role: 'combined',
+			};
+
+			await service.addSubjectAttributes(user, ldapUser, map);
+
+			const final = getUpdatedAttributesFromCall();
+			expect(final?.[0].values).toEqual(['alpha', 'beta', 'gamma']);
+		});
+
+		it('unsets abacAttributes when no LDAP values are found and user previously had attributes', async () => {
+			const user = {
+				_id: 'u3',
+				abacAttributes: [{ key: 'dept', values: ['eng'] }],
+			} as any;
+			const ldapUser = {
+				other: ['x'],
+			} as any;
+
+			const map = {
+				memberOf: 'dept',
+			};
+
+			await service.addSubjectAttributes(user, ldapUser, map);
+
+			// This call is noop cause user doesnt have a __rooms property
+			expect(mockUsersUnsetAbacAttributesById).toHaveBeenCalledTimes(1);
+		});
+
+		it('does nothing when no LDAP values are found and user had no previous attributes', async () => {
+			const user = { _id: 'u4' } as any;
+			const ldapUser = {} as any;
+			const map = { missing: 'dept' };
+
+			await service.addSubjectAttributes(user, ldapUser, map);
+
+			expect(mockUsersSetAbacAttributesById).not.toHaveBeenCalled();
+			expect(mockUsersUnsetAbacAttributesById).not.toHaveBeenCalled();
+		});
+
+		it('calls onSubjectAttributesChanged when user loses an attribute value', async () => {
+			const user = {
+				_id: 'u5',
+				abacAttributes: [{ key: 'dept', values: ['eng', 'qa'] }],
+			} as any;
+			const ldapUser = {
+				memberOf: ['eng'],
+			} as any;
+			const map = { memberOf: 'dept' };
+
+			const spy = jest.spyOn<any, any>(service as any, 'onSubjectAttributesChanged');
+
+			await service.addSubjectAttributes(user, ldapUser, map);
+
+			expect(spy).toHaveBeenCalledTimes(1);
+			expect(spy.mock.calls[0][1]).toEqual([{ key: 'dept', values: ['eng'] }]);
+		});
+
+		it('does not call onSubjectAttributesChanged when only gaining new values', async () => {
+			const user = {
+				_id: 'u6',
+				abacAttributes: [{ key: 'dept', values: ['eng'] }],
+			} as any;
+			const ldapUser = {
+				memberOf: ['eng', 'qa'],
+			} as any;
+			const map = { memberOf: 'dept' };
+
+			const spy = jest.spyOn<any, any>(service as any, 'onSubjectAttributesChanged');
+
+			await service.addSubjectAttributes(user, ldapUser, map);
+
+			expect(spy).not.toHaveBeenCalled();
+		});
+
+		it('calls onSubjectAttributesChanged when an entire attribute key is lost', async () => {
+			const user = {
+				_id: 'u7',
+				abacAttributes: [
+					{ key: 'dept', values: ['eng'] },
+					{ key: 'region', values: ['emea'] },
+				],
+			} as any;
+			const ldapUser = {
+				department: ['eng'],
+			} as any;
+			const map = { department: 'dept' };
+
+			const spy = jest.spyOn<any, any>(service as any, 'onSubjectAttributesChanged');
+
+			await service.addSubjectAttributes(user, ldapUser, map);
+
+			// This call is noop cause user doesnt have a __rooms property
+			expect(spy).toHaveBeenCalledTimes(1);
+			expect(spy.mock.calls[0][1]).toEqual([{ key: 'dept', values: ['eng'] }]);
+		});
+
+		it('supports mixing array and string LDAP values merging into one ABAC attribute', async () => {
+			const user = { _id: 'u8' } as any;
+			const ldapUser = {
+				deptCode: 'eng',
+				deptName: ['engineering', 'eng'],
+			} as any;
+			const map = { deptCode: 'dept', deptName: 'dept' };
+
+			await service.addSubjectAttributes(user, ldapUser, map);
+
+			const final = getUpdatedAttributesFromCall();
+			expect(final?.[0].key).toBe('dept');
+			expect(final?.[0].values).toEqual(['eng', 'engineering']);
+		});
+
+		it('ignores empty string values and unsets when all values invalid and user had attributes', async () => {
+			const user = { _id: 'u9', abacAttributes: [{ key: 'dept', values: ['eng'] }] } as any;
+			const ldapUser = {
+				memberOf: ['', '   ', null],
+				department: '',
+			} as any;
+			const map = { memberOf: 'dept', department: 'dept' };
+
+			const spy = jest.spyOn<any, any>(service as any, 'onSubjectAttributesChanged');
+			await service.addSubjectAttributes(user, ldapUser, map);
+
+			expect(mockUsersUnsetAbacAttributesById).toHaveBeenCalledTimes(1);
+			expect(spy).toHaveBeenCalledTimes(1);
+			expect(spy.mock.calls[0][1]).toEqual([]);
+		});
+	});
+
+	describe('addAbacAttribute', () => {
+		it('inserts attribute when valid', async () => {
+			const attribute = { key: 'Valid_Key-1', values: ['v1', 'v2'] };
+			await service.addAbacAttribute(attribute, fakeActor);
+			expect(mockAbacInsertOne).toHaveBeenCalledTimes(1);
+			expect(mockAbacInsertOne).toHaveBeenCalledWith(attribute);
+		});
+
+		it('accepts key with spaces (no key pattern validation in service)', async () => {
+			const attribute = { key: 'Invalid Key!', values: ['v1'] };
+			await service.addAbacAttribute(attribute as any, fakeActor);
+			expect(mockAbacInsertOne).toHaveBeenCalledWith(attribute);
+		});
+
+		it('throws error-invalid-attribute-values for empty values array', async () => {
+			const attribute = { key: 'ValidKey', values: [] as string[] };
+			await expect(service.addAbacAttribute(attribute, fakeActor)).rejects.toThrow('error-invalid-attribute-values');
+			expect(mockAbacInsertOne).not.toHaveBeenCalled();
+		});
+
+		it('throws error-duplicate-attribute-key when duplicate index error occurs', async () => {
+			const attribute = { key: 'DupKey', values: ['a'] };
+			mockAbacInsertOne.mockRejectedValueOnce(new Error('E11000 duplicate key error collection: abac_attributes'));
+			await expect(service.addAbacAttribute(attribute, fakeActor)).rejects.toThrow('error-duplicate-attribute-key');
+		});
+
+		it('propagates unexpected insert errors', async () => {
+			const attribute = { key: 'OtherKey', values: ['x'] };
+			mockAbacInsertOne.mockRejectedValueOnce(new Error('network-failure'));
+			await expect(service.addAbacAttribute(attribute, fakeActor)).rejects.toThrow('network-failure');
+		});
+	});
+
+	describe('listAbacAttributes', () => {
+		it('returns paginated attributes with defaults (no filters)', async () => {
+			const docs = [
+				{ _id: '1', key: 'k1', values: ['a', 'b'] },
+				{ _id: '2', key: 'k2', values: ['c'] },
+			];
+			mockAbacFindPaginated.mockReturnValueOnce({
+				cursor: { toArray: async () => docs },
+				totalCount: Promise.resolve(docs.length),
+			});
+
+			const result = await service.listAbacAttributes();
+			expect(mockAbacFindPaginated).toHaveBeenCalledWith({}, { projection: { key: 1, values: 1 }, skip: 0, limit: 25 });
+			expect(result).toEqual({
+				attributes: docs,
+				offset: 0,
+				count: docs.length,
+				total: docs.length,
+			});
+		});
+
+		it('filters by key only', async () => {
+			const docs = [{ _id: '3', key: 'FilterKey', values: ['x'] }];
+			mockAbacFindPaginated.mockReturnValueOnce({
+				cursor: { toArray: async () => docs },
+				totalCount: Promise.resolve(docs.length),
+			});
+
+			const result = await service.listAbacAttributes({ key: 'FilterKey' });
+			expect(mockAbacFindPaginated).toHaveBeenCalledWith(
+				{ $or: [{ key: /FilterKey/i }] },
+				{ projection: { key: 1, values: 1 }, skip: 0, limit: 25 },
+			);
+			expect(result).toEqual({
+				attributes: docs,
+				offset: 0,
+				count: docs.length,
+				total: docs.length,
+			});
+		});
+
+		it('filters by values only with custom pagination', async () => {
+			const docs = [
+				{ _id: '4', key: 'alpha', values: ['m', 'n'] },
+				{ _id: '5', key: 'beta', values: ['n', 'o'] },
+			];
+			mockAbacFindPaginated.mockReturnValueOnce({
+				cursor: { toArray: async () => docs },
+				totalCount: Promise.resolve(10),
+			});
+
+			const result = await service.listAbacAttributes({ values: 'n,z', offset: 5, count: 2 });
+			expect(mockAbacFindPaginated).toHaveBeenCalledWith(
+				{ $or: [{ values: /n,z/i }] },
+				{ projection: { key: 1, values: 1 }, skip: 5, limit: 2 },
+			);
+			expect(result).toEqual({
+				attributes: docs,
+				offset: 5,
+				count: docs.length,
+				total: 10,
+			});
+		});
+
+		it('filters by key and values', async () => {
+			const docs = [{ _id: '6', key: 'gamma', values: ['p', 'q'] }];
+			mockAbacFindPaginated.mockReturnValueOnce({
+				cursor: { toArray: async () => docs },
+				totalCount: Promise.resolve(docs.length),
+			});
+
+			const result = await service.listAbacAttributes({ key: 'gamma', values: 'q' });
+			expect(mockAbacFindPaginated).toHaveBeenCalledWith(
+				{ $or: [{ key: /gamma/i }, { values: /q/i }] },
+				{ projection: { key: 1, values: 1 }, skip: 0, limit: 25 },
+			);
+			expect(result).toEqual({
+				attributes: docs,
+				offset: 0,
+				count: docs.length,
+				total: docs.length,
+			});
+		});
+
+		it('returns empty when no documents match', async () => {
+			mockAbacFindPaginated.mockReturnValueOnce({
+				cursor: { toArray: async () => [] },
+				totalCount: Promise.resolve(0),
+			});
+
+			const result = await service.listAbacAttributes({ key: 'nope', values: 'none' });
+			expect(result).toEqual({
+				attributes: [],
+				offset: 0,
+				count: 0,
+				total: 0,
+			});
+		});
+	});
+
+	describe('updateAbacAttributeById', () => {
+		beforeEach(() => {
+			mockAbacFindOne.mockReset();
+			mockAbacUpdateOne.mockReset();
+			mockRoomsIsAbacAttributeInUse.mockReset();
+		});
+
+		it('returns early (no-op) when neither key nor values provided', async () => {
+			await service.updateAbacAttributeById('id1', {} as any, fakeActor);
+			expect(mockAbacFindOne).not.toHaveBeenCalled();
+			expect(mockAbacUpdateOne).not.toHaveBeenCalled();
+			expect(mockRoomsIsAbacAttributeInUse).not.toHaveBeenCalled();
+		});
+
+		it('throws error-attribute-not-found when attribute does not exist', async () => {
+			mockAbacFindOne.mockResolvedValueOnce(null);
+			await expect(service.updateAbacAttributeById('idMissing', { key: 'newKey' }, fakeActor)).rejects.toThrow('error-attribute-not-found');
+			expect(mockAbacFindOne).toHaveBeenCalledWith('idMissing', { projection: { key: 1, values: 1 } });
+		});
+
+		it('updates key even if format contains spaces (no validation in service)', async () => {
+			mockAbacFindOne
+				.mockResolvedValueOnce({ _id: 'id2', key: 'OldKey', values: ['a'] }) // findOneById
+				.mockResolvedValueOnce(null); // duplicate key check
+			mockRoomsIsAbacAttributeInUse.mockResolvedValueOnce(false);
+			mockAbacUpdateOne.mockResolvedValueOnce({ modifiedCount: 1 });
+			await service.updateAbacAttributeById('id2', { key: 'Invalid Key!' }, fakeActor);
+			expect(mockAbacUpdateOne).toHaveBeenCalledWith({ _id: 'id2' }, { $set: { key: 'Invalid Key!' } });
+		});
+
+		it('throws error-invalid-attribute-values for empty values array', async () => {
+			mockAbacFindOne.mockReset();
+			mockRoomsIsAbacAttributeInUse.mockReset();
+			mockAbacUpdateOne.mockReset();
+			mockAbacFindOne.mockResolvedValueOnce({ _id: 'id3', key: 'Key3', values: ['x'] });
+			await expect(service.updateAbacAttributeById('id3', { values: [] }, fakeActor)).rejects.toThrow('error-invalid-attribute-values');
+			expect(mockRoomsIsAbacAttributeInUse).not.toHaveBeenCalled();
+			expect(mockAbacFindOneAndUpdate).not.toHaveBeenCalled();
+		});
+
+		it('throws error-attribute-in-use when key changes and old definition is in use', async () => {
+			mockAbacFindOne.mockReset();
+			mockRoomsIsAbacAttributeInUse.mockReset();
+			mockAbacUpdateOne.mockReset();
+			mockAbacFindOne
+				.mockResolvedValueOnce({ _id: 'id4', key: 'Old', values: ['v1', 'v2'] }) // findOneById
+				.mockResolvedValueOnce(null); // duplicate key check
+			mockRoomsIsAbacAttributeInUse.mockResolvedValueOnce(true);
+			await expect(service.updateAbacAttributeById('id4', { key: 'New' }, fakeActor)).rejects.toThrow('error-attribute-in-use');
+			expect(mockRoomsIsAbacAttributeInUse).toHaveBeenCalledWith('Old', ['v1', 'v2']);
+			expect(mockAbacFindOneAndUpdate).not.toHaveBeenCalled();
+		});
+
+		it('updates key when changed and not in use', async () => {
+			mockAbacFindOne
+				.mockResolvedValueOnce({ _id: 'id5', key: 'Old', values: ['a'] }) // findOneById
+				.mockResolvedValueOnce(null); // duplicate key check
+			mockRoomsIsAbacAttributeInUse.mockResolvedValueOnce(false);
+			mockAbacUpdateOne.mockResolvedValueOnce({ modifiedCount: 1 });
+			await service.updateAbacAttributeById('id5', { key: 'NewKey' }, fakeActor);
+			expect(mockAbacUpdateOne).toHaveBeenCalledWith({ _id: 'id5' }, { $set: { key: 'NewKey' } });
+		});
+
+		it('throws error-attribute-in-use when removing a value that is in use', async () => {
+			mockAbacFindOne.mockReset();
+			mockRoomsIsAbacAttributeInUse.mockReset();
+			mockAbacUpdateOne.mockReset();
+			mockAbacFindOne.mockResolvedValueOnce({ _id: 'id6', key: 'Attr', values: ['a', 'b', 'c'] });
+			mockRoomsIsAbacAttributeInUse.mockResolvedValueOnce(true); // removed value in use
+			await expect(service.updateAbacAttributeById('id6', { values: ['a', 'c'] }, fakeActor)).rejects.toThrow('error-attribute-in-use');
+			expect(mockRoomsIsAbacAttributeInUse).toHaveBeenCalledWith('Attr', ['b']);
+			expect(mockAbacFindOneAndUpdate).not.toHaveBeenCalled();
+		});
+
+		it('updates values when removing some that are not in use', async () => {
+			mockAbacFindOne.mockResolvedValueOnce({ _id: 'id7', key: 'Attr', values: ['a', 'b', 'c'] });
+			mockRoomsIsAbacAttributeInUse.mockResolvedValueOnce(false); // removal safe
+			mockAbacUpdateOne.mockResolvedValueOnce({ modifiedCount: 1 });
+			await service.updateAbacAttributeById('id7', { values: ['a', 'c'] }, fakeActor);
+			expect(mockAbacUpdateOne).toHaveBeenCalledWith({ _id: 'id7' }, { $set: { values: ['a', 'c'] } });
+		});
+
+		it('updates values when only adding (no removal) without in-use check', async () => {
+			mockAbacFindOne.mockResolvedValueOnce({ _id: 'id8', key: 'Attr', values: ['a'] });
+			mockAbacUpdateOne.mockResolvedValueOnce({ modifiedCount: 1 });
+			await service.updateAbacAttributeById('id8', { values: ['a', 'b'] }, fakeActor);
+			expect(mockRoomsIsAbacAttributeInUse).not.toHaveBeenCalled();
+			expect(mockAbacUpdateOne).toHaveBeenCalledWith({ _id: 'id8' }, { $set: { values: ['a', 'b'] } });
+		});
+
+		it('throws error-duplicate-attribute-key on duplicate key error', async () => {
+			mockAbacFindOne.mockReset();
+			mockRoomsIsAbacAttributeInUse.mockReset();
+			mockAbacUpdateOne.mockReset();
+			mockAbacFindOne
+				.mockResolvedValueOnce({ _id: 'id9', key: 'Old', values: ['v'] }) // findOneById
+				.mockResolvedValueOnce(null); // duplicate key check
+			mockRoomsIsAbacAttributeInUse.mockResolvedValueOnce(false);
+			mockAbacUpdateOne.mockRejectedValueOnce(new Error('E11000 duplicate key error collection'));
+			await expect(service.updateAbacAttributeById('id9', { key: 'NewKey' }, fakeActor)).rejects.toThrow('error-duplicate-attribute-key');
+		});
+
+		it('propagates unexpected update errors', async () => {
+			mockAbacFindOne.mockReset();
+			mockRoomsIsAbacAttributeInUse.mockReset();
+			mockAbacUpdateOne.mockReset();
+			mockAbacFindOne
+				.mockResolvedValueOnce({ _id: 'id10', key: 'Old', values: ['v'] }) // findOneById
+				.mockResolvedValueOnce(null); // duplicate key check
+			mockRoomsIsAbacAttributeInUse.mockResolvedValueOnce(false);
+			mockAbacUpdateOne.mockRejectedValueOnce(new Error('write-failed'));
+			await expect(service.updateAbacAttributeById('id10', { key: 'Another' }, fakeActor)).rejects.toThrow('write-failed');
+		});
+	});
+	describe('deleteAbacAttributeById', () => {
+		beforeEach(() => {
+			mockAbacFindOne.mockReset();
+			mockAbacDeleteOne.mockReset();
+			mockRoomsIsAbacAttributeInUse.mockReset();
+		});
+
+		it('throws error-attribute-not-found when attribute does not exist', async () => {
+			mockAbacFindOne.mockReset();
+			mockRoomsIsAbacAttributeInUse.mockReset();
+			mockAbacDeleteOne.mockReset();
+			mockAbacFindOne.mockResolvedValueOnce(null);
+			await expect(service.deleteAbacAttributeById('missing', fakeActor)).rejects.toThrow('error-attribute-not-found');
+		});
+
+		it('throws error-attribute-in-use when attribute is referenced by a room', async () => {
+			mockAbacFindOne.mockReset();
+			mockRoomsIsAbacAttributeInUse.mockReset();
+			mockAbacDeleteOne.mockReset();
+			mockAbacFindOne.mockResolvedValueOnce({ _id: 'id11', key: 'KeyInUse', values: ['a', 'b'] });
+			mockRoomsIsAbacAttributeInUse.mockResolvedValueOnce(true);
+			await expect(service.deleteAbacAttributeById('id11', fakeActor)).rejects.toThrow('error-attribute-in-use');
+			expect(mockAbacDeleteOne).not.toHaveBeenCalled();
+		});
+
+		it('deletes attribute when not in use', async () => {
+			mockAbacFindOne.mockReset();
+			mockRoomsIsAbacAttributeInUse.mockReset();
+			mockAbacDeleteOne.mockReset();
+			mockAbacFindOne.mockResolvedValueOnce({ _id: 'id12', key: 'FreeKey', values: ['x'] });
+			mockRoomsIsAbacAttributeInUse.mockResolvedValueOnce(false);
+			mockAbacDeleteOne.mockResolvedValueOnce({ deletedCount: 1 });
+			await service.deleteAbacAttributeById('id12', fakeActor);
+			expect(mockAbacDeleteOne).toHaveBeenCalledWith('id12');
+		});
+	});
+	describe('getAbacAttributeById', () => {
+		beforeEach(() => {
+			mockAbacFindOne.mockReset();
+			mockRoomsIsAbacAttributeInUse.mockReset();
+		});
+		it('throws error-attribute-not-found when attribute does not exist', async () => {
+			mockAbacFindOne.mockResolvedValueOnce(null);
+			await expect(service.getAbacAttributeById('missingAttr', undefined)).rejects.toThrow('error-attribute-not-found');
+			expect(mockRoomsIsAbacAttributeInUse).not.toHaveBeenCalled();
+		});
+
+		it('returns attribute without usage map', async () => {
+			mockAbacFindOne.mockResolvedValueOnce({ _id: 'id13', key: 'Attr', values: ['a', 'b', 'c'] });
+
+			const result = await service.getAbacAttributeById('id13', undefined);
+			expect(mockAbacFindOne).toHaveBeenCalledWith('id13', { projection: { key: 1, values: 1 } });
+			expect(mockRoomsIsAbacAttributeInUse).not.toHaveBeenCalled();
+
+			expect(result).toEqual({
+				key: 'Attr',
+				values: ['a', 'b', 'c'],
+			});
+		});
+	});
+
+	describe('setRoomAbacAttributes', () => {
+		// Using top-level mocks (mockSetAbacAttributesById, mockAbacFind) defined in jest.mock factory above
+
+		beforeEach(() => {
+			mockSetAbacAttributesById.mockReset();
+			mockAbacFind.mockReset();
+			mockFindOneByIdAndType.mockReset();
+			mockRoomsIsAbacAttributeInUse.mockReset();
+			// Provide a default empty cursor so AbacAttributes.find always returns an object with toArray
+			mockAbacFind.mockReturnValue({ toArray: async () => [] });
+			// Prevent the protected hook from throwing
+			(service as any).onRoomAttributesChanged = jest.fn().mockResolvedValue(undefined);
+		});
+
+		it('throws error-room-not-found when room does not exist', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce(null);
+			await expect(service.setRoomAbacAttributes('missing', { dept: ['eng'] }, fakeActor)).rejects.toThrow('error-room-not-found');
+			expect(mockSetAbacAttributesById).not.toHaveBeenCalled();
+		});
+
+		it('throws error-cannot-convert-default-room-to-abac when room is default', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [], default: true });
+			await expect(service.setRoomAbacAttributes('r1', { dept: ['eng'] }, fakeActor)).rejects.toThrow(
+				'error-cannot-convert-default-room-to-abac',
+			);
+			expect(mockSetAbacAttributesById).not.toHaveBeenCalled();
+		});
+
+		it('throws error-cannot-convert-default-room-to-abac when room is teamDefault', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [], teamDefault: true });
+			await expect(service.setRoomAbacAttributes('r1', { dept: ['eng'] }, fakeActor)).rejects.toThrow(
+				'error-cannot-convert-default-room-to-abac',
+			);
+			expect(mockSetAbacAttributesById).not.toHaveBeenCalled();
+		});
+
+		it('throws error-invalid-attribute-key for invalid key format', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [] });
+			await expect(service.setRoomAbacAttributes('r1', { 'bad key': ['v'] } as any, fakeActor)).rejects.toThrow(
+				'error-invalid-attribute-key',
+			);
+			expect(mockSetAbacAttributesById).not.toHaveBeenCalled();
+		});
+
+		it('throws error-invalid-attribute-values for empty value array', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [] });
+			await expect(service.setRoomAbacAttributes('r1', { dept: [] as any }, fakeActor)).rejects.toThrow('error-invalid-attribute-values');
+			expect(mockSetAbacAttributesById).not.toHaveBeenCalled();
+		});
+
+		it('throws error-attribute-definition-not-found when definition for key missing', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [] });
+			// Return empty list so size mismatch triggers not-found
+			mockAbacFind.mockReturnValueOnce({ toArray: async () => [] });
+			await expect(service.setRoomAbacAttributes('r1', { dept: ['eng'] }, fakeActor)).rejects.toThrow(
+				'error-attribute-definition-not-found',
+			);
+			expect(mockSetAbacAttributesById).not.toHaveBeenCalled();
+		});
+
+		it('throws error-invalid-attribute-values when a provided value not in definition', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [] });
+			mockAbacFind.mockReturnValueOnce({
+				toArray: async () => [{ key: 'dept', values: ['eng'] }], // 'sales' not allowed
+			});
+			await expect(service.setRoomAbacAttributes('r1', { dept: ['eng', 'sales'] }, fakeActor)).rejects.toThrow(
+				'error-invalid-attribute-values',
+			);
+			expect(mockSetAbacAttributesById).not.toHaveBeenCalled();
+		});
+
+		it('does not call onroomattributechanged when the change is a duplicated attribute value', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [{ key: 'dept', values: ['eng', 'sales'] }] });
+			mockAbacFind.mockReturnValueOnce({
+				toArray: async () => [{ key: 'dept', values: ['eng', 'sales'] }],
+			});
+
+			await service.setRoomAbacAttributes('r1', { dept: ['eng', 'eng', 'sales'] }, fakeActor);
+
+			expect((service as any).onRoomAttributesChanged).not.toHaveBeenCalled();
+		});
+
+		it('does not call onRoomAttributesChanged when an existing value is removed', async () => {
+			const existing = [{ key: 'dept', values: ['eng', 'sales'] }];
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: existing });
+			mockAbacFind.mockReturnValueOnce({
+				toArray: async () => [{ key: 'dept', values: ['eng', 'sales'] }],
+			});
+
+			await service.setRoomAbacAttributes('r1', { dept: ['eng'] }, fakeActor); // removing 'sales'
+
+			expect((service as any).onRoomAttributesChanged).not.toHaveBeenCalled();
+			expect(mockSetAbacAttributesById).toHaveBeenCalledWith('r1', [{ key: 'dept', values: ['eng'] }]);
+		});
+
+		it('calls onRoomAttributesChanged when adding values to an existing attribute', async () => {
+			const existing = [{ key: 'dept', values: ['eng'] }];
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: existing });
+			mockAbacFind.mockReturnValueOnce({
+				toArray: async () => [{ key: 'dept', values: ['eng', 'sales'] }],
+			});
+
+			await service.setRoomAbacAttributes('r1', { dept: ['eng', 'sales'] }, fakeActor); // adding sales
+
+			expect((service as any).onRoomAttributesChanged).toHaveBeenCalledWith(expect.objectContaining({ _id: 'r1' }), [
+				{ key: 'dept', values: ['eng', 'sales'] },
+			]);
+			expect(mockSetAbacAttributesById).toHaveBeenCalledWith('r1', [{ key: 'dept', values: ['eng', 'sales'] }]);
+		});
+	});
+
+	describe('isAbacAttributeInUseByKey', () => {
+		beforeEach(() => {
+			mockAbacFindOne.mockReset();
+			mockRoomsIsAbacAttributeInUse.mockReset();
+		});
+		it('returns false when attribute does not exist', async () => {
+			mockAbacFindOne.mockResolvedValueOnce(null);
+			const result = await service.isAbacAttributeInUseByKey('missing');
+			expect(result).toBe(false);
+			expect(mockRoomsIsAbacAttributeInUse).not.toHaveBeenCalled();
+		});
+
+		it('returns false when attribute exists but has no values', async () => {
+			mockAbacFindOne.mockResolvedValueOnce({ _id: 'id14', key: 'Empty', values: [] });
+			mockRoomsIsAbacAttributeInUse.mockResolvedValueOnce(false);
+			const result = await service.isAbacAttributeInUseByKey('Empty');
+			expect(result).toBe(false);
+			expect(mockRoomsIsAbacAttributeInUse).toHaveBeenCalledWith('Empty', []);
+		});
+
+		it('returns true when any value is in use', async () => {
+			mockAbacFindOne.mockResolvedValueOnce({ _id: 'id15', key: 'Attr2', values: ['x', 'y'] });
+			mockRoomsIsAbacAttributeInUse.mockResolvedValueOnce(true);
+			const result = await service.isAbacAttributeInUseByKey('Attr2');
+			expect(result).toBe(true);
+			expect(mockRoomsIsAbacAttributeInUse).toHaveBeenCalledWith('Attr2', ['x', 'y']);
+		});
+
+		it('returns false when no values are in use', async () => {
+			mockAbacFindOne.mockResolvedValueOnce({ _id: 'id16', key: 'Attr3', values: ['m', 'n'] });
+			mockRoomsIsAbacAttributeInUse.mockResolvedValueOnce(false);
+			const result = await service.isAbacAttributeInUseByKey('Attr3');
+			expect(result).toBe(false);
+			expect(mockRoomsIsAbacAttributeInUse).toHaveBeenCalledWith('Attr3', ['m', 'n']);
+		});
+	});
+
+	describe('updateRoomAbacAttributeValues', () => {
+		beforeEach(() => {
+			mockFindOneByIdAndType.mockReset();
+			mockUpdateSingleAbacAttributeValuesById.mockReset();
+			mockUpdateAbacAttributeValuesArrayFilteredById.mockReset();
+			mockAbacFind.mockReset();
+			(service as any).onRoomAttributesChanged = jest.fn().mockResolvedValue(undefined);
+			// default definition cursor
+			mockAbacFind.mockReturnValue({ toArray: async () => [{ key: 'dept', values: ['eng', 'sales', 'hr'] }] });
+		});
+
+		it('throws error-room-not-found if room missing', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce(null);
+			await expect(service.updateRoomAbacAttributeValues('missing', 'dept', ['eng'], fakeActor)).rejects.toThrow('error-room-not-found');
+		});
+
+		it('throws error-cannot-convert-default-room-to-abac when room is default', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [], default: true });
+			await expect(service.updateRoomAbacAttributeValues('r1', 'dept', ['eng'], fakeActor)).rejects.toThrow(
+				'error-cannot-convert-default-room-to-abac',
+			);
+		});
+
+		it('throws error-cannot-convert-default-room-to-abac when room is teamDefault', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [], teamDefault: true });
+			await expect(service.updateRoomAbacAttributeValues('r1', 'dept', ['eng'], fakeActor)).rejects.toThrow(
+				'error-cannot-convert-default-room-to-abac',
+			);
+		});
+
+		it('throws error-invalid-attribute-values if adding new key exceeds max attributes', async () => {
+			const existing = Array.from({ length: 10 }, (_, i) => ({ key: `k${i}`, values: ['x'] }));
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: existing });
+			await expect(service.updateRoomAbacAttributeValues('r1', 'newKey', ['val'], fakeActor)).rejects.toThrow(
+				'error-invalid-attribute-values',
+			);
+		});
+
+		it('adds new key using updateSingleAbacAttributeValuesById when within limit', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [{ key: 'other', values: ['x'] }] });
+			await service.updateRoomAbacAttributeValues('r1', 'dept', ['eng'], fakeActor);
+			expect(mockUpdateSingleAbacAttributeValuesById).toHaveBeenCalledWith('r1', 'dept', ['eng']);
+			expect(mockUpdateAbacAttributeValuesArrayFilteredById).not.toHaveBeenCalled();
+		});
+
+		it('does nothing when values array is identical (no update, no hook)', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [{ key: 'dept', values: ['eng', 'sales'] }] });
+			await service.updateRoomAbacAttributeValues('r1', 'dept', ['eng', 'sales'], fakeActor);
+			expect(mockUpdateAbacAttributeValuesArrayFilteredById).not.toHaveBeenCalled();
+			expect((service as any).onRoomAttributesChanged).not.toHaveBeenCalled();
+		});
+
+		it('updates existing key (addition only) and triggers hook when a value is added', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [{ key: 'dept', values: ['eng'] }] });
+			await service.updateRoomAbacAttributeValues('r1', 'dept', ['eng', 'sales'], fakeActor);
+			expect(mockUpdateAbacAttributeValuesArrayFilteredById).toHaveBeenCalledWith('r1', 'dept', ['eng', 'sales']);
+			expect((service as any).onRoomAttributesChanged).toHaveBeenCalledWith(expect.objectContaining({ _id: 'r1' }), [
+				{ key: 'dept', values: ['eng', 'sales'] },
+			]);
+		});
+
+		it('updates existing key and does NOT trigger hook when a value is removed', async () => {
+			// Existing attribute loses one value; hook should NOT fire per new behavior
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [{ key: 'dept', values: ['eng', 'sales'] }] });
+			await service.updateRoomAbacAttributeValues('r1', 'dept', ['eng'], fakeActor);
+			expect(mockUpdateAbacAttributeValuesArrayFilteredById).toHaveBeenCalledWith('r1', 'dept', ['eng']);
+			expect((service as any).onRoomAttributesChanged).not.toHaveBeenCalled();
+		});
+
+		it('validates against global definitions (invalid value)', async () => {
+			mockAbacFind.mockReturnValueOnce({ toArray: async () => [{ key: 'dept', values: ['eng'] }] });
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [] });
+			await expect(service.updateRoomAbacAttributeValues('r1', 'dept', ['eng', 'sales'], fakeActor)).rejects.toThrow(
+				'error-invalid-attribute-values',
+			);
+		});
+	});
+
+	describe('removeRoomAbacAttribute', () => {
+		beforeEach(() => {
+			mockFindOneByIdAndType.mockReset();
+			mockRemoveAbacAttributeByRoomIdAndKey.mockReset();
+			(service as any).onRoomAttributesChanged = jest.fn().mockResolvedValue(undefined);
+		});
+
+		it('throws error-room-not-found when room does not exist', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce(null);
+			await expect((service as any).removeRoomAbacAttribute('missing', 'dept', fakeActor)).rejects.toThrow('error-room-not-found');
+			expect(mockRemoveAbacAttributeByRoomIdAndKey).not.toHaveBeenCalled();
+		});
+
+		it('throws error-cannot-convert-default-room-to-abac when room is default', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [], default: true });
+			await expect((service as any).removeRoomAbacAttribute('r1', 'dept', fakeActor)).rejects.toThrow(
+				'error-cannot-convert-default-room-to-abac',
+			);
+			expect(mockRemoveAbacAttributeByRoomIdAndKey).not.toHaveBeenCalled();
+		});
+
+		it('throws error-cannot-convert-default-room-to-abac when room is teamDefault', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [], teamDefault: true });
+			await expect((service as any).removeRoomAbacAttribute('r1', 'dept', fakeActor)).rejects.toThrow(
+				'error-cannot-convert-default-room-to-abac',
+			);
+			expect(mockRemoveAbacAttributeByRoomIdAndKey).not.toHaveBeenCalled();
+		});
+
+		it('returns early (no update, no hook) when attribute key not present', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [{ key: 'other', values: ['x'] }] });
+			await (service as any).removeRoomAbacAttribute('r1', 'dept', fakeActor);
+			expect(mockRemoveAbacAttributeByRoomIdAndKey).not.toHaveBeenCalled();
+			expect((service as any).onRoomAttributesChanged).not.toHaveBeenCalled();
+		});
+
+		it('removes attribute and does NOT call hook when key exists', async () => {
+			// Removing an entire attribute should not trigger the hook anymore
+			const existing = [
+				{ key: 'dept', values: ['eng', 'sales'] },
+				{ key: 'other', values: ['x'] },
+			];
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: existing });
+			await (service as any).removeRoomAbacAttribute('r1', 'dept', fakeActor);
+			expect(mockRemoveAbacAttributeByRoomIdAndKey).toHaveBeenCalledWith('r1', 'dept');
+			expect((service as any).onRoomAttributesChanged).not.toHaveBeenCalled();
+		});
+	});
+
+	describe('replaceRoomAbacAttributeByKey', () => {
+		beforeEach(() => {
+			mockFindOneByIdAndType.mockReset();
+			mockUpdateAbacAttributeValuesArrayFilteredById.mockReset();
+			mockInsertAbacAttributeIfNotExistsById.mockReset();
+			mockAbacFind.mockReset();
+			(service as any).onRoomAttributesChanged = jest.fn().mockResolvedValue(undefined);
+			// default attribute definitions
+			mockAbacFind.mockReturnValue({ toArray: async () => [{ key: 'dept', values: ['eng', 'sales', 'hr'] }] });
+		});
+
+		it('throws error-invalid-attribute-values when more than 10 values provided', async () => {
+			const values = Array.from({ length: 11 }, (_, i) => `v${i}`);
+			await expect((service as any).replaceRoomAbacAttributeByKey('r1', 'dept', values, fakeActor)).rejects.toThrow(
+				'error-invalid-attribute-values',
+			);
+		});
+
+		it('throws error-room-not-found if room missing', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce(null);
+			await expect((service as any).replaceRoomAbacAttributeByKey('missing', 'dept', ['eng'], fakeActor)).rejects.toThrow(
+				'error-room-not-found',
+			);
+		});
+
+		it('throws error-cannot-convert-default-room-to-abac when room is default', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [], default: true });
+			await expect((service as any).replaceRoomAbacAttributeByKey('r1', 'dept', ['eng'], fakeActor)).rejects.toThrow(
+				'error-cannot-convert-default-room-to-abac',
+			);
+		});
+
+		it('throws error-cannot-convert-default-room-to-abac when room is teamDefault', async () => {
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [], teamDefault: true });
+			await expect((service as any).replaceRoomAbacAttributeByKey('r1', 'dept', ['eng'], fakeActor)).rejects.toThrow(
+				'error-cannot-convert-default-room-to-abac',
+			);
+		});
+
+		it('throws error-invalid-attribute-values if adding new key exceeds max attributes', async () => {
+			const existing = Array.from({ length: 10 }, (_, i) => ({ key: `k${i}`, values: ['x'] }));
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: existing });
+			await expect((service as any).replaceRoomAbacAttributeByKey('r1', 'dept', ['eng'], fakeActor)).rejects.toThrow(
+				'error-invalid-attribute-values',
+			);
+			expect(mockInsertAbacAttributeIfNotExistsById).not.toHaveBeenCalled();
+		});
+
+		it('adds new key when under limit (calls insert and hook)', async () => {
+			const existing = [{ key: 'other', values: ['x'] }];
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: existing });
+			const updatedDoc = { abacAttributes: [...existing, { key: 'dept', values: ['eng'] }] };
+			mockInsertAbacAttributeIfNotExistsById.mockResolvedValueOnce(updatedDoc);
+
+			await (service as any).replaceRoomAbacAttributeByKey('r1', 'dept', ['eng'], fakeActor);
+
+			expect(mockInsertAbacAttributeIfNotExistsById).toHaveBeenCalledWith('r1', 'dept', ['eng']);
+			expect(mockUpdateAbacAttributeValuesArrayFilteredById).not.toHaveBeenCalled();
+			expect((service as any).onRoomAttributesChanged).toHaveBeenCalledWith(
+				expect.objectContaining({ _id: 'r1' }),
+				updatedDoc.abacAttributes,
+			);
+		});
+
+		it('replaces existing key (calls update and hook)', async () => {
+			const existing = [{ key: 'dept', values: ['eng'] }];
+			const updatedDoc = { abacAttributes: [{ key: 'dept', values: ['eng', 'sales'] }] };
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: existing });
+			mockUpdateAbacAttributeValuesArrayFilteredById.mockResolvedValueOnce(updatedDoc);
+
+			await (service as any).replaceRoomAbacAttributeByKey('r1', 'dept', ['eng', 'sales'], fakeActor);
+
+			expect(mockUpdateAbacAttributeValuesArrayFilteredById).toHaveBeenCalledWith('r1', 'dept', ['eng', 'sales']);
+			expect(mockInsertAbacAttributeIfNotExistsById).not.toHaveBeenCalled();
+			expect((service as any).onRoomAttributesChanged).toHaveBeenCalledWith(
+				expect.objectContaining({ _id: 'r1' }),
+				updatedDoc.abacAttributes,
+			);
+		});
+
+		it('validates definitions and rejects invalid value', async () => {
+			// Only 'eng' allowed for dept
+			mockAbacFind.mockReturnValueOnce({ toArray: async () => [{ key: 'dept', values: ['eng'] }] });
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [] });
+
+			await expect((service as any).replaceRoomAbacAttributeByKey('r1', 'dept', ['eng', 'sales'], fakeActor)).rejects.toThrow(
+				'error-invalid-attribute-values',
+			);
+			expect(mockInsertAbacAttributeIfNotExistsById).not.toHaveBeenCalled();
+			expect(mockUpdateAbacAttributeValuesArrayFilteredById).not.toHaveBeenCalled();
+		});
+	});
+
+	describe('addRoomAbacAttributeByKey', () => {
+		beforeEach(() => {
+			mockFindOneByIdAndType.mockReset();
+			mockInsertAbacAttributeIfNotExistsById.mockReset();
+			mockAbacFind.mockReset();
+			(service as any).onRoomAttributesChanged = jest.fn().mockResolvedValue(undefined);
+		});
+
+		it('throws error-room-not-found when room does not exist', async () => {
+			// Ensure definitions exist to pass definition check, but room missing
+			mockAbacFind.mockReturnValueOnce({ toArray: async () => [{ key: 'dept', values: ['eng'] }] });
+			mockFindOneByIdAndType.mockResolvedValueOnce(null);
+			await expect(service.addRoomAbacAttributeByKey('missing', 'dept', ['eng'], fakeActor)).rejects.toThrow('error-room-not-found');
+			expect(mockInsertAbacAttributeIfNotExistsById).not.toHaveBeenCalled();
+		});
+
+		it('throws error-cannot-convert-default-room-to-abac when room is default', async () => {
+			mockAbacFind.mockReturnValueOnce({ toArray: async () => [{ key: 'dept', values: ['eng'] }] });
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [], default: true });
+			await expect(service.addRoomAbacAttributeByKey('r1', 'dept', ['eng'], fakeActor)).rejects.toThrow(
+				'error-cannot-convert-default-room-to-abac',
+			);
+			expect(mockInsertAbacAttributeIfNotExistsById).not.toHaveBeenCalled();
+		});
+
+		it('throws error-cannot-convert-default-room-to-abac when room is teamDefault', async () => {
+			mockAbacFind.mockReturnValueOnce({ toArray: async () => [{ key: 'dept', values: ['eng'] }] });
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [], teamDefault: true });
+			await expect(service.addRoomAbacAttributeByKey('r1', 'dept', ['eng'], fakeActor)).rejects.toThrow(
+				'error-cannot-convert-default-room-to-abac',
+			);
+			expect(mockInsertAbacAttributeIfNotExistsById).not.toHaveBeenCalled();
+		});
+
+		it('throws error-attribute-definition-not-found when attribute definition missing', async () => {
+			// No definitions returned
+			mockAbacFind.mockReturnValueOnce({ toArray: async () => [] });
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [] });
+			await expect(service.addRoomAbacAttributeByKey('r1', 'dept', ['eng'], fakeActor)).rejects.toThrow(
+				'error-attribute-definition-not-found',
+			);
+			expect(mockInsertAbacAttributeIfNotExistsById).not.toHaveBeenCalled();
+		});
+
+		it('throws error-duplicate-attribute-key when key already exists in room', async () => {
+			mockAbacFind.mockReturnValueOnce({ toArray: async () => [{ key: 'dept', values: ['eng', 'sales'] }] });
+			mockFindOneByIdAndType.mockResolvedValueOnce({
+				_id: 'r1',
+				abacAttributes: [{ key: 'dept', values: ['eng'] }],
+			});
+			await expect(service.addRoomAbacAttributeByKey('r1', 'dept', ['sales'], fakeActor)).rejects.toThrow('error-duplicate-attribute-key');
+			expect(mockInsertAbacAttributeIfNotExistsById).not.toHaveBeenCalled();
+		});
+
+		it('throws error-invalid-attribute-values when room already has 10 attributes', async () => {
+			const existing = Array.from({ length: 10 }, (_, i) => ({ key: `k${i}`, values: ['x'] }));
+			mockAbacFind.mockReturnValueOnce({ toArray: async () => [{ key: 'dept', values: ['eng'] }] });
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: existing });
+			await expect(service.addRoomAbacAttributeByKey('r1', 'dept', ['eng'], fakeActor)).rejects.toThrow('error-invalid-attribute-values');
+			expect(mockInsertAbacAttributeIfNotExistsById).not.toHaveBeenCalled();
+		});
+
+		it('inserts new attribute and calls hook with DB returned document', async () => {
+			const existing = [{ key: 'other', values: ['x'] }];
+			const updatedDoc = { abacAttributes: [...existing, { key: 'dept', values: ['eng', 'sales'] }] };
+			mockAbacFind.mockReturnValueOnce({ toArray: async () => [{ key: 'dept', values: ['eng', 'sales'] }] });
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: existing });
+			mockInsertAbacAttributeIfNotExistsById.mockResolvedValueOnce(updatedDoc);
+
+			await service.addRoomAbacAttributeByKey('r1', 'dept', ['eng', 'sales'], fakeActor);
+
+			expect(mockInsertAbacAttributeIfNotExistsById).toHaveBeenCalledWith('r1', 'dept', ['eng', 'sales']);
+			expect((service as any).onRoomAttributesChanged).toHaveBeenCalledWith(
+				expect.objectContaining({ _id: 'r1' }),
+				updatedDoc.abacAttributes,
+			);
+		});
+
+		it('inserts new attribute and calls hook with constructed list when DB returns undefined', async () => {
+			const existing = [{ key: 'other', values: ['x'] }];
+			mockAbacFind.mockReturnValueOnce({ toArray: async () => [{ key: 'dept', values: ['eng'] }] });
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: existing });
+			mockInsertAbacAttributeIfNotExistsById.mockResolvedValueOnce(undefined);
+
+			await service.addRoomAbacAttributeByKey('r1', 'dept', ['eng'], fakeActor);
+
+			expect(mockInsertAbacAttributeIfNotExistsById).toHaveBeenCalledWith('r1', 'dept', ['eng']);
+			expect((service as any).onRoomAttributesChanged).toHaveBeenCalledWith(expect.objectContaining({ _id: 'r1' }), [
+				...existing,
+				{ key: 'dept', values: ['eng'] },
+			]);
+		});
+
+		it('rejects when provided value not allowed by definition', async () => {
+			mockAbacFind.mockReturnValueOnce({ toArray: async () => [{ key: 'dept', values: ['eng'] }] });
+			mockFindOneByIdAndType.mockResolvedValueOnce({ _id: 'r1', abacAttributes: [] });
+			await expect(service.addRoomAbacAttributeByKey('r1', 'dept', ['eng', 'sales'], fakeActor)).rejects.toThrow(
+				'error-invalid-attribute-values',
+			);
+			expect(mockInsertAbacAttributeIfNotExistsById).not.toHaveBeenCalled();
+		});
+	});
+
+	describe('checkUsernamesMatchAttributes', () => {
+		beforeEach(() => {
+			mockUsersFind.mockReset();
+			mockCreateAuditServerEvent.mockReset();
+		});
+
+		const attributes = [{ key: 'dept', values: ['eng'] }];
+
+		it('returns early (no query) when usernames array is empty', async () => {
+			await expect(
+				service.checkUsernamesMatchAttributes([], attributes as any, { _id: 'xxxxx', name: 'name' } as any),
+			).resolves.toBeUndefined();
+			expect(mockUsersFind).not.toHaveBeenCalled();
+		});
+
+		it('returns early (no query) when attributes array is empty', async () => {
+			await expect(service.checkUsernamesMatchAttributes(['alice'], [], { _id: 'xxxxx', name: 'name' } as any)).resolves.toBeUndefined();
+			expect(mockUsersFind).not.toHaveBeenCalled();
+		});
+
+		it('resolves when all provided usernames are compliant (query returns empty)', async () => {
+			const usernames = ['alice', 'bob'];
+			mockUsersFind.mockImplementationOnce(() => ({
+				map: () => ({
+					toArray: async () => [],
+				}),
+			}));
+
+			await expect(
+				service.checkUsernamesMatchAttributes(usernames, attributes as any, { _id: 'xxxxx', name: 'name' } as any),
+			).resolves.toBeUndefined();
+
+			expect(mockUsersFind).toHaveBeenCalledWith(
+				{
+					username: { $in: usernames },
+					$or: [
+						{
+							abacAttributes: {
+								$not: {
+									$elemMatch: {
+										key: 'dept',
+										values: { $all: ['eng'] },
+									},
+								},
+							},
+						},
+					],
+				},
+				{ projection: { username: 1 } },
+			);
+		});
+
+		it('rejects with error-only-compliant-users-can-be-added-to-abac-rooms and details for non-compliant users', async () => {
+			const usernames = ['alice', 'bob', 'charlie'];
+			const nonCompliantDocs = [{ username: 'bob' }, { username: 'charlie' }];
+			mockUsersFind.mockImplementationOnce(() => ({
+				map: (fn: (u: any) => string) => ({
+					toArray: async () => nonCompliantDocs.map(fn),
+				}),
+			}));
+
+			await expect(
+				service.checkUsernamesMatchAttributes(usernames, attributes as any, { _id: 'xxxxx', name: 'name' } as any),
+			).rejects.toMatchObject({
+				code: 'error-only-compliant-users-can-be-added-to-abac-rooms',
+			});
+		});
+
+		it('generates an audit log for every compliant username', async () => {
+			const usernames = ['alice', 'bob'];
+
+			mockUsersFind.mockImplementationOnce(() => ({
+				map: () => ({
+					toArray: async () => [],
+				}),
+			}));
+
+			await expect(
+				service.checkUsernamesMatchAttributes(usernames, attributes as any, { _id: 'xxxxx', name: 'name' } as any),
+			).resolves.toBeUndefined();
+
+			expect(mockCreateAuditServerEvent).toHaveBeenCalledTimes(usernames.length);
+			const calledUsernames = mockCreateAuditServerEvent.mock.calls.map(([, payload]: any[]) => payload?.subject?.username).filter(Boolean);
+			expect(calledUsernames.sort()).toEqual(usernames.sort());
+		});
+
+		it('does not generate audit logs when usernames do not match attributes', async () => {
+			const usernames = ['alice', 'bob', 'charlie'];
+			const nonCompliantDocs = [{ username: 'alice' }, { username: 'bob' }, { username: 'charlie' }];
+
+			mockUsersFind.mockImplementationOnce(() => ({
+				map: (fn: (u: any) => string) => ({
+					toArray: async () => nonCompliantDocs.map(fn),
+				}),
+			}));
+
+			await expect(
+				service.checkUsernamesMatchAttributes(usernames, attributes as any, { _id: 'xxxxx', name: 'name' } as any),
+			).rejects.toMatchObject({
+				code: 'error-only-compliant-users-can-be-added-to-abac-rooms',
+			});
+
+			expect(mockCreateAuditServerEvent).not.toHaveBeenCalled();
+		});
+	});
+});
diff --git a/ee/packages/abac/src/subject-attributes-validations.spec.ts b/ee/packages/abac/src/subject-attributes-validations.spec.ts
new file mode 100644
index 00000000000..dbc9e9b157c
--- /dev/null
+++ b/ee/packages/abac/src/subject-attributes-validations.spec.ts
@@ -0,0 +1,480 @@
+import type { ILDAPEntry, IUser, IAbacAttributeDefinition } from '@rocket.chat/core-typings';
+import { registerServiceModels, Users } from '@rocket.chat/models';
+import type { Collection, Db } from 'mongodb';
+import { MongoClient } from 'mongodb';
+import { MongoMemoryServer } from 'mongodb-memory-server';
+
+import { AbacService } from './index';
+
+jest.mock('@rocket.chat/core-services', () => ({
+	ServiceClass: class {},
+	Room: {
+		removeUserFromRoom: jest.fn(),
+	},
+	MeteorError: class extends Error {},
+}));
+
+const makeUser = (overrides: Partial<IUser> = {}): IUser =>
+	({
+		_id: `user-${Math.random().toString(36).substring(2, 15)}`,
+		username: `user${Math.random().toString(36).substring(2, 15)}`,
+		roles: [],
+		type: 'user',
+		active: true,
+		createdAt: new Date(),
+		_updatedAt: new Date(),
+		...overrides,
+	}) as IUser;
+
+const makeLdap = (overrides: Partial<ILDAPEntry> = {}): ILDAPEntry =>
+	({
+		...overrides,
+	}) as ILDAPEntry;
+
+describe('Subject Attributes validation', () => {
+	let db: Db;
+	let mongo: MongoMemoryServer;
+	let client: MongoClient;
+
+	beforeAll(async () => {
+		mongo = await MongoMemoryServer.create();
+		client = await MongoClient.connect(mongo.getUri(), {});
+		db = client.db('abac_global');
+		registerServiceModels(db);
+
+		// @ts-expect-error - ignore
+		await db.collection('abac_dummy_init').insertOne({ _id: 'init', createdAt: new Date() });
+	}, 30_000);
+
+	afterAll(async () => {
+		await client.close();
+		await mongo.stop();
+	});
+
+	describe('AbacService.addSubjectAttributes (unit)', () => {
+		let service: AbacService;
+
+		beforeEach(async () => {
+			service = new AbacService();
+		});
+
+		describe('early returns and no-ops', () => {
+			it('returns early when user has no _id', async () => {
+				const user = makeUser({ _id: undefined });
+				await service.addSubjectAttributes(user, makeLdap(), { group: 'dept' });
+				// Nothing inserted, ensure no user doc created
+				const found = await Users.findOne({ username: user.username });
+				expect(found).toBeFalsy();
+			});
+
+			it('does nothing (no update) when map produces no attributes and user had none', async () => {
+				const user = makeUser({ abacAttributes: undefined });
+				await Users.insertOne(user);
+				const ldap = makeLdap({ group: '' });
+				await service.addSubjectAttributes(user, ldap, { group: 'dept' });
+				const updated = await Users.findOneById(user._id, { projection: { abacAttributes: 1 } });
+				expect(updated).toBeTruthy();
+				expect(updated?.abacAttributes ?? undefined).toBeUndefined();
+			});
+		});
+
+		describe('building and setting attributes', () => {
+			it('merges multiple LDAP keys mapping to the same ABAC key, deduplicating values', async () => {
+				const user = makeUser();
+				await Users.insertOne(user);
+				const ldap = makeLdap({
+					memberOf: ['eng', 'sales', 'eng'],
+					department: ['sales', 'support'],
+				});
+				const map = { memberOf: 'dept', department: 'dept' };
+				await service.addSubjectAttributes(user, ldap, map);
+				const updated = await Users.findOneById(user._id, { projection: { abacAttributes: 1 } });
+				expect(updated?.abacAttributes).toEqual([{ key: 'dept', values: ['eng', 'sales', 'support'] }]);
+			});
+
+			it('creates distinct ABAC attributes for different mapped keys preserving insertion order', async () => {
+				const user = makeUser();
+				await Users.insertOne(user);
+				const ldap = makeLdap({
+					groups: ['alpha', 'beta'],
+					regionCodes: ['emea', 'apac'],
+					role: 'admin',
+				});
+				const map = { groups: 'team', regionCodes: 'region', role: 'role' };
+				await service.addSubjectAttributes(user, ldap, map);
+				const updated = await Users.findOneById(user._id, { projection: { abacAttributes: 1 } });
+				expect(updated?.abacAttributes).toEqual([
+					{ key: 'team', values: ['alpha', 'beta'] },
+					{ key: 'region', values: ['emea', 'apac'] },
+					{ key: 'role', values: ['admin'] },
+				]);
+			});
+
+			it('merges array and string LDAP values into one attribute', async () => {
+				const user = makeUser();
+				await Users.insertOne(user);
+				const ldap = makeLdap({ deptCode: 'eng', deptName: ['engineering', 'eng'] });
+				const map = { deptCode: 'dept', deptName: 'dept' };
+				await service.addSubjectAttributes(user, ldap, map);
+				const updated = await Users.findOneById(user._id, { projection: { abacAttributes: 1 } });
+				expect(updated?.abacAttributes).toEqual([{ key: 'dept', values: ['eng', 'engineering'] }]);
+			});
+		});
+
+		describe('unsetting attributes when none extracted', () => {
+			it('unsets abacAttributes when user previously had attributes but now extracts none', async () => {
+				const user = makeUser({ abacAttributes: [{ key: 'dept', values: ['eng', 'sales'] }] });
+				await Users.insertOne(user);
+				const ldap = makeLdap({ other: ['x'] });
+				const map = { missing: 'dept' };
+				await service.addSubjectAttributes(user, ldap, map);
+				const updated = await Users.findOneById(user._id, { projection: { abacAttributes: 1 } });
+				expect(updated?.abacAttributes).toBeUndefined();
+			});
+
+			it('does not unset when user had no prior attributes and extraction yields none', async () => {
+				const user = makeUser({ abacAttributes: [] });
+				await Users.insertOne(user);
+				const ldap = makeLdap({});
+				const map = { missing: 'dept' };
+				await service.addSubjectAttributes(user, ldap, map);
+				const updated = await Users.findOneById(user._id, { projection: { abacAttributes: 1 } });
+				expect(updated?.abacAttributes).toEqual([]);
+			});
+		});
+
+		describe('loss detection triggering hook (attribute changes)', () => {
+			it('updates attributes reducing values on loss', async () => {
+				const user = makeUser({ abacAttributes: [{ key: 'dept', values: ['eng', 'qa'] }] });
+				await Users.insertOne(user);
+				const ldap = makeLdap({ memberOf: ['eng'] });
+				await service.addSubjectAttributes(user, ldap, { memberOf: 'dept' });
+				const updated = await Users.findOneById(user._id, { projection: { abacAttributes: 1 } });
+				expect(updated?.abacAttributes).toEqual([{ key: 'dept', values: ['eng'] }]);
+			});
+
+			it('updates attributes removing an entire key', async () => {
+				const user = makeUser({
+					abacAttributes: [
+						{ key: 'dept', values: ['eng'] },
+						{ key: 'region', values: ['emea'] },
+					],
+				});
+				await Users.insertOne(user);
+				const ldap = makeLdap({ department: ['eng'] });
+				await service.addSubjectAttributes(user, ldap, { department: 'dept' });
+				const updated = await Users.findOneById(user._id, { projection: { abacAttributes: 1 } });
+				expect(updated?.abacAttributes).toEqual([{ key: 'dept', values: ['eng'] }]);
+			});
+
+			it('gains new values without triggering loss logic', async () => {
+				const user = makeUser({ abacAttributes: [{ key: 'dept', values: ['eng'] }] });
+				await Users.insertOne(user);
+				const ldap = makeLdap({ memberOf: ['eng', 'qa'] });
+				await service.addSubjectAttributes(user, ldap, { memberOf: 'dept' });
+				const updated = await Users.findOneById(user._id, { projection: { abacAttributes: 1 } });
+				expect(updated?.abacAttributes).toEqual([{ key: 'dept', values: ['eng', 'qa'] }]);
+			});
+
+			it('keeps attributes unchanged when only ordering differs', async () => {
+				const user = makeUser({ abacAttributes: [{ key: 'dept', values: ['eng', 'qa'] }] });
+				await Users.insertOne(user);
+				const ldap = makeLdap({ memberOf: ['qa', 'eng'] });
+				await service.addSubjectAttributes(user, ldap, { memberOf: 'dept' });
+				const updated = await Users.findOneById(user._id, { projection: { abacAttributes: 1 } });
+				expect(updated?.abacAttributes?.[0].key).toBe('dept');
+				expect(new Set(updated?.abacAttributes?.[0].values)).toEqual(new Set(['eng', 'qa']));
+			});
+
+			it('merges duplicate LDAP mapping keys retaining union of values', async () => {
+				const user = makeUser({ abacAttributes: [{ key: 'dept', values: ['eng', 'sales'] }] });
+				await Users.insertOne(user);
+				const ldap = makeLdap({ deptA: ['eng', 'sales'], deptB: ['eng'] });
+				await service.addSubjectAttributes(user, ldap, { deptA: 'dept', deptB: 'dept' });
+				const updated = await Users.findOneById(user._id, { projection: { abacAttributes: 1 } });
+				expect(updated?.abacAttributes).toEqual([{ key: 'dept', values: ['eng', 'sales'] }]);
+			});
+		});
+
+		describe('input immutability', () => {
+			it('does not mutate original user.abacAttributes array reference contents', async () => {
+				const original = [{ key: 'dept', values: ['eng', 'sales'] }] as IAbacAttributeDefinition[];
+				const user = makeUser({ abacAttributes: original });
+				await Users.insertOne(user);
+				const clone = JSON.parse(JSON.stringify(original));
+				const ldap = makeLdap({ memberOf: ['eng', 'sales', 'support'] });
+				await service.addSubjectAttributes(user, ldap, { memberOf: 'dept' });
+				expect(original).toEqual(clone);
+			});
+		});
+	});
+
+	describe('AbacService.addSubjectAttributes (room removals)', () => {
+		let service: AbacService;
+		let roomsCol: Collection<any>;
+		let usersCol: Collection<any>;
+
+		const originalCoreServices = jest.requireMock('@rocket.chat/core-services');
+		originalCoreServices.Room.removeUserFromRoom = async (rid: string, user: IUser) => {
+			// @ts-expect-error - test
+			await usersCol.updateOne({ _id: user._id }, { $pull: { __rooms: rid } });
+		};
+
+		const insertRoom = async (room: { _id: string; abacAttributes?: IAbacAttributeDefinition[] }) =>
+			roomsCol.insertOne({
+				_id: room._id,
+				name: room._id,
+				t: 'p',
+				abacAttributes: room.abacAttributes,
+			});
+
+		const insertUser = async (user: IUser & { __rooms?: string[] }) =>
+			usersCol.insertOne({
+				...user,
+				__rooms: user.__rooms || [],
+			});
+
+		beforeEach(async () => {
+			service = new AbacService();
+			roomsCol = db.collection('rocketchat_room');
+			usersCol = db.collection('users');
+			await Promise.all([roomsCol.deleteMany({}), usersCol.deleteMany({})]);
+		});
+
+		it('removes user from rooms whose attributes become non-compliant after losing a value', async () => {
+			const user: IUser = {
+				_id: 'u-loss',
+				username: 'lossy',
+				roles: [],
+				type: 'user',
+				active: true,
+				createdAt: new Date(),
+				_updatedAt: new Date(),
+				abacAttributes: [{ key: 'dept', values: ['eng', 'qa'] }],
+				__rooms: ['rKeep', 'rRemove'],
+			};
+
+			// Rooms:
+			// rKeep requires only 'eng' (will remain compliant)
+			// rRemove requires both 'eng' and 'qa' (will become non-compliant after loss)
+			await Promise.all([
+				insertRoom({ _id: 'rKeep', abacAttributes: [{ key: 'dept', values: ['eng'] }] }),
+				insertRoom({ _id: 'rRemove', abacAttributes: [{ key: 'dept', values: ['eng', 'qa'] }] }),
+			]);
+
+			await insertUser({ ...user, __rooms: ['rKeep', 'rRemove'] });
+
+			const ldap: ILDAPEntry = {
+				memberOf: ['eng'],
+				_raw: {},
+			};
+
+			await service.addSubjectAttributes(user, ldap, { memberOf: 'dept' });
+
+			const updatedUser = await usersCol.findOne({ _id: user._id }, { projection: { abacAttributes: 1, __rooms: 1 } });
+			expect(updatedUser?.abacAttributes).toEqual([{ key: 'dept', values: ['eng'] }]);
+			expect(updatedUser?.abacAttributes).not.toEqual(user.abacAttributes);
+			expect(updatedUser?.__rooms.sort()).toEqual(['rKeep']);
+		});
+
+		it('removes user from rooms containing attribute keys they no longer possess (key loss)', async () => {
+			const user: IUser = {
+				_id: 'u-key-loss',
+				username: 'keyloss',
+				roles: [],
+				type: 'user',
+				active: true,
+				createdAt: new Date(),
+				_updatedAt: new Date(),
+				abacAttributes: [
+					{ key: 'dept', values: ['eng'] },
+					{ key: 'region', values: ['emea'] },
+				],
+				__rooms: ['rDeptOnly', 'rRegionOnly', 'rBoth'],
+			};
+
+			// Rooms:
+			// rDeptOnly -> only dept (will stay)
+			// rRegionOnly -> region only (will be removed after region key loss)
+			// rBoth -> both dept & region (will be removed)
+			await Promise.all([
+				insertRoom({ _id: 'rDeptOnly', abacAttributes: [{ key: 'dept', values: ['eng'] }] }),
+				insertRoom({ _id: 'rRegionOnly', abacAttributes: [{ key: 'region', values: ['emea'] }] }),
+				insertRoom({
+					_id: 'rBoth',
+					abacAttributes: [
+						{ key: 'dept', values: ['eng'] },
+						{ key: 'region', values: ['emea'] },
+					],
+				}),
+			]);
+
+			await insertUser({ ...user, __rooms: ['rDeptOnly', 'rRegionOnly', 'rBoth'] });
+
+			const ldap: ILDAPEntry = {
+				department: ['eng'],
+				_raw: {},
+			};
+
+			await service.addSubjectAttributes(user, ldap, { department: 'dept' });
+
+			const updatedUser = await usersCol.findOne({ _id: user._id }, { projection: { abacAttributes: 1, __rooms: 1 } });
+			expect(updatedUser?.abacAttributes).toEqual([{ key: 'dept', values: ['eng'] }]);
+			expect(updatedUser?.abacAttributes).not.toEqual(user.abacAttributes);
+			expect(updatedUser?.__rooms).toEqual(['rDeptOnly']);
+		});
+
+		it('does not remove user from any room when attribute values only grow (gain without loss)', async () => {
+			const user: IUser = {
+				_id: 'u-growth',
+				username: 'growth',
+				roles: [],
+				type: 'user',
+				active: true,
+				createdAt: new Date(),
+				_updatedAt: new Date(),
+				abacAttributes: [{ key: 'dept', values: ['eng'] }],
+				__rooms: ['rGrowthA', 'rGrowthB'],
+			};
+
+			await Promise.all([
+				insertRoom({ _id: 'rGrowthA', abacAttributes: [{ key: 'dept', values: ['eng'] }] }),
+				insertRoom({ _id: 'rGrowthB', abacAttributes: [{ key: 'dept', values: ['eng', 'qa'] }] }), // superset; still compliant after growth
+			]);
+
+			await insertUser({ ...user, __rooms: ['rGrowthA', 'rGrowthB'] });
+
+			const ldap: ILDAPEntry = {
+				memberOf: ['eng', 'qa'],
+				_raw: {},
+			};
+
+			await service.addSubjectAttributes(user, ldap, { memberOf: 'dept' });
+
+			const updatedUser = await usersCol.findOne({ _id: user._id }, { projection: { abacAttributes: 1, __rooms: 1 } });
+			expect(updatedUser?.abacAttributes).toEqual([{ key: 'dept', values: ['eng', 'qa'] }]);
+			expect(updatedUser?.__rooms.sort()).toEqual(['rGrowthA', 'rGrowthB']);
+		});
+
+		it('removes user from rooms having attribute keys not present in new attribute set (extra keys in room)', async () => {
+			const user: IUser = {
+				_id: 'u-extra-room-key',
+				username: 'extrakey',
+				roles: [],
+				type: 'user',
+				active: true,
+				createdAt: new Date(),
+				_updatedAt: new Date(),
+				abacAttributes: [
+					{ key: 'dept', values: ['eng', 'sales'] },
+					{ key: 'otherKey', values: ['value'] },
+				],
+				__rooms: ['rExtraKeyRoom', 'rBaseline'],
+			};
+
+			await Promise.all([
+				insertRoom({
+					_id: 'rExtraKeyRoom',
+					abacAttributes: [
+						{ key: 'dept', values: ['eng', 'sales'] },
+						{ key: 'project', values: ['X'] },
+					],
+				}),
+				insertRoom({
+					_id: 'rBaseline',
+					abacAttributes: [{ key: 'dept', values: ['eng', 'sales'] }],
+				}),
+			]);
+
+			await insertUser({ ...user, __rooms: ['rExtraKeyRoom', 'rBaseline'] });
+
+			const ldap: ILDAPEntry = {
+				deptCodes: ['eng', 'sales'],
+				_raw: {},
+			};
+
+			await service.addSubjectAttributes(user, ldap, { deptCodes: 'dept' });
+
+			const updatedUser = await usersCol.findOne({ _id: user._id }, { projection: { abacAttributes: 1, __rooms: 1 } });
+			expect(updatedUser?.abacAttributes).toEqual([{ key: 'dept', values: ['eng', 'sales'] }]);
+			expect(updatedUser?.__rooms.sort()).toEqual(['rBaseline']);
+		});
+
+		it('unsets attributes and removes user from all ABAC rooms when no LDAP values extracted', async () => {
+			const user: IUser = {
+				_id: 'u-empty',
+				username: 'empty',
+				roles: [],
+				type: 'user',
+				active: true,
+				createdAt: new Date(),
+				_updatedAt: new Date(),
+				abacAttributes: [{ key: 'dept', values: ['eng'] }],
+				__rooms: ['rAny1', 'rAny2'],
+			};
+
+			await Promise.all([
+				insertRoom({ _id: 'rAny1', abacAttributes: [{ key: 'dept', values: ['eng'] }] }),
+				insertRoom({ _id: 'rAny2', abacAttributes: [{ key: 'dept', values: ['eng', 'qa'] }] }),
+			]);
+
+			await insertUser({ ...user, __rooms: ['rAny1', 'rAny2'] });
+
+			const ldap: ILDAPEntry = {
+				unrelated: ['x'],
+				_raw: {},
+			};
+
+			await service.addSubjectAttributes(user, ldap, { missing: 'dept' });
+
+			const updatedUser = await usersCol.findOne({ _id: user._id }, { projection: { abacAttributes: 1, __rooms: 1 } });
+			expect(updatedUser?.abacAttributes).toBeUndefined();
+			expect(updatedUser?.abacAttributes).not.toEqual(user.abacAttributes);
+			expect(updatedUser?.__rooms).toEqual([]);
+		});
+
+		it('does not remove user from room when losing attribute not used by room (hook runs but no change)', async () => {
+			const user: IUser = {
+				_id: 'u-lose-unrelated',
+				username: 'unrelated',
+				roles: [],
+				type: 'user',
+				active: true,
+				createdAt: new Date(),
+				_updatedAt: new Date(),
+				abacAttributes: [
+					{ key: 'dept', values: ['eng'] },
+					{ key: 'region', values: ['emea'] },
+					{ key: 'project', values: ['X'] },
+				],
+				__rooms: ['rDeptRegion'],
+			};
+
+			await insertRoom({
+				_id: 'rDeptRegion',
+				abacAttributes: [
+					{ key: 'dept', values: ['eng'] },
+					{ key: 'region', values: ['emea'] },
+				],
+			});
+
+			await insertUser({ ...user, __rooms: ['rDeptRegion'] });
+
+			const ldap: ILDAPEntry = {
+				department: ['eng', 'ceo'],
+				regionCodes: ['emea', 'apac'],
+				_raw: {},
+			};
+
+			await service.addSubjectAttributes(user, ldap, { department: 'dept', regionCodes: 'region', projectCodes: 'project' });
+
+			const updatedUser = await usersCol.findOne({ _id: user._id }, { projection: { abacAttributes: 1, __rooms: 1 } });
+			expect(updatedUser?.abacAttributes).toEqual([
+				{ key: 'dept', values: ['eng', 'ceo'] },
+				{ key: 'region', values: ['emea', 'apac'] },
+			]);
+			expect(updatedUser?.abacAttributes).not.toEqual(user.abacAttributes);
+			expect(updatedUser?.__rooms).toEqual(['rDeptRegion']);
+		});
+	});
+});
diff --git a/ee/packages/abac/src/user-auto-removal.spec.ts b/ee/packages/abac/src/user-auto-removal.spec.ts
new file mode 100644
index 00000000000..4fae4f0c05c
--- /dev/null
+++ b/ee/packages/abac/src/user-auto-removal.spec.ts
@@ -0,0 +1,477 @@
+import type { IAbacAttributeDefinition, IRoom, IUser } from '@rocket.chat/core-typings';
+import { registerServiceModels } from '@rocket.chat/models';
+import type { Collection, Db } from 'mongodb';
+import { MongoClient } from 'mongodb';
+import { MongoMemoryServer } from 'mongodb-memory-server';
+
+import { Audit } from './audit';
+import { AbacService } from './index';
+
+jest.mock('@rocket.chat/core-services', () => ({
+	ServiceClass: class {},
+	Room: {
+		// Mimic the DB side-effects of removing a user from a room (no apps/system messages)
+		removeUserFromRoom: async (roomId: string, user: any) => {
+			const { Subscriptions } = await import('@rocket.chat/models');
+			await Subscriptions.removeByRoomIdAndUserId(roomId, user._id);
+		},
+	},
+}));
+
+describe('AbacService integration (onRoomAttributesChanged)', () => {
+	let mongo: MongoMemoryServer;
+	let client: MongoClient;
+	let db: Db;
+	let service: AbacService;
+
+	let roomsCol: Collection<IRoom>;
+	let usersCol: Collection<IUser>;
+
+	const fakeActor = { _id: 'test-user', username: 'testuser', type: 'user' };
+
+	const insertDefinitions = async (defs: { key: string; values: string[] }[]) => {
+		const svc = new AbacService();
+		await Promise.all(
+			defs.map((def) =>
+				svc.addAbacAttribute({ key: def.key, values: def.values }, fakeActor).catch((e: any) => {
+					if (e instanceof Error && e.message === 'error-duplicate-attribute-key') {
+						return;
+					}
+					throw e;
+				}),
+			),
+		);
+	};
+
+	const insertRoom = async (abacAttributes: IAbacAttributeDefinition[] = []) => {
+		const rid = `r-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 8)}`;
+		await roomsCol.insertOne({
+			_id: rid,
+			t: 'p',
+			name: `Test Room ${rid}`,
+			abacAttributes,
+		} as any);
+		return rid;
+	};
+
+	const insertUsers = async (
+		users: Array<{
+			_id: string;
+			abacAttributes?: IAbacAttributeDefinition[];
+			member?: boolean;
+			extraRooms?: string[];
+		}>,
+	) => {
+		await usersCol.insertMany(
+			users.map((u) => ({
+				_id: u._id,
+				username: u._id,
+				type: 'user',
+				roles: [],
+				active: true,
+				createdAt: new Date(),
+				_updatedAt: new Date(),
+				abacAttributes: u.abacAttributes,
+				__rooms: u.extraRooms || [],
+			})),
+		);
+	};
+
+	let debugSpy: jest.SpyInstance;
+	let auditSpy: jest.SpyInstance;
+
+	beforeAll(async () => {
+		mongo = await MongoMemoryServer.create();
+		client = await MongoClient.connect(mongo.getUri(), {});
+		db = client.db('abac_integration');
+
+		// Hack to register the models in here with a custom database without having to call every model by one
+		registerServiceModels(db as any);
+
+		// @ts-expect-error - ignore
+		await db.collection('abac_dummy_init').insertOne({ _id: 'init', createdAt: new Date() });
+
+		service = new AbacService();
+		debugSpy = jest.spyOn((service as any).logger, 'debug').mockImplementation(() => undefined);
+		auditSpy = jest.spyOn(Audit, 'actionPerformed').mockResolvedValue();
+
+		roomsCol = db.collection<IRoom>('rocketchat_room');
+		usersCol = db.collection<IUser>('users');
+	}, 30_000);
+
+	afterAll(async () => {
+		await client.close();
+		await mongo.stop();
+	});
+
+	beforeEach(async () => {
+		debugSpy.mockClear();
+		auditSpy.mockClear();
+	});
+
+	describe('setRoomAbacAttributes - new key addition', () => {
+		let rid1: string;
+		let rid2: string;
+
+		beforeAll(async () => {
+			rid1 = await insertRoom([]);
+			await Promise.all([
+				insertDefinitions([{ key: 'dept', values: ['eng', 'sales', 'hr'] }]),
+				insertUsers([
+					{ _id: 'u1_newkey', member: true, extraRooms: [rid1], abacAttributes: [{ key: 'dept', values: ['eng', 'sales'] }] }, // compliant
+					{ _id: 'u2_newkey', member: true, extraRooms: [rid1], abacAttributes: [{ key: 'dept', values: ['eng'] }] }, // missing sales
+					{ _id: 'u3_newkey', member: true, extraRooms: [rid1], abacAttributes: [{ key: 'location', values: ['emea'] }] }, // missing dept key
+					{ _id: 'u4_newkey', member: true, extraRooms: [rid1], abacAttributes: [{ key: 'dept', values: ['eng', 'sales', 'hr'] }] }, // superset
+					{ _id: 'u5_newkey', member: false, abacAttributes: [{ key: 'dept', values: ['eng', 'sales'] }] }, // not in room
+				]),
+			]);
+
+			rid2 = await insertRoom([]);
+
+			await Promise.all([
+				insertDefinitions([{ key: 'dep2t', values: ['eng', 'sales'] }]),
+				insertUsers([
+					{ _id: 'u1_dupvals', member: true, extraRooms: [rid2], abacAttributes: [{ key: 'dep2t', values: ['eng', 'sales'] }] },
+					{ _id: 'u2_dupvals', member: true, extraRooms: [rid2], abacAttributes: [{ key: 'dep2t', values: ['eng'] }] }, // non compliant (missing sales)
+				]),
+			]);
+		}, 30_000);
+
+		beforeEach(() => {
+			auditSpy.mockReset();
+		});
+		it('logs users that do not satisfy newly added attribute key or its values and actually removes them', async () => {
+			const changeSpy = jest.spyOn<any, any>(service as any, 'onRoomAttributesChanged');
+
+			await service.setRoomAbacAttributes(rid1, { dept: ['eng', 'sales'] }, fakeActor);
+
+			expect(changeSpy).toHaveBeenCalledTimes(1);
+			expect(changeSpy.mock.calls[0][0]).toMatchObject({ _id: rid1 });
+			expect(Array.isArray((changeSpy as any).mock.calls[0][0].abacAttributes)).toBe(true);
+
+			expect(auditSpy).toHaveBeenCalledTimes(2);
+			const auditedUsers = auditSpy.mock.calls.map((call) => call[0]._id).sort();
+			const auditedRooms = new Set(auditSpy.mock.calls.map((call) => call[1]._id));
+			const auditedActions = new Set(auditSpy.mock.calls.map((call) => call[2]));
+			expect(auditedUsers).toEqual(['u2_newkey', 'u3_newkey']);
+			expect(auditedRooms).toEqual(new Set([rid1]));
+			expect(auditedActions).toEqual(new Set(['room-attributes-change']));
+
+			const remaining = await usersCol
+				.find({ _id: { $in: ['u1_newkey', 'u2_newkey', 'u3_newkey', 'u4_newkey'] } }, { projection: { __rooms: 1 } })
+				.toArray()
+				.then((docs) => Object.fromEntries(docs.map((d) => [d._id, d.__rooms || []])));
+			expect(remaining.u1_newkey).toContain(rid1);
+			expect(remaining.u4_newkey).toContain(rid1);
+			expect(remaining.u2_newkey).not.toContain(rid1);
+			expect(remaining.u3_newkey).not.toContain(rid1);
+		});
+
+		it('handles duplicate values in room attributes equivalently to unique set (logs non compliant and removes them)', async () => {
+			await service.setRoomAbacAttributes(rid2, { dep2t: ['eng', 'eng', 'sales'] }, fakeActor);
+
+			expect(auditSpy).toHaveBeenCalledTimes(1);
+
+			expect(auditSpy.mock.calls[0][0]).toMatchObject({ _id: 'u2_dupvals', username: 'u2_dupvals' });
+			expect(auditSpy.mock.calls[0][1]).toMatchObject({ _id: rid2 });
+			expect(auditSpy.mock.calls[0][2]).toBe('room-attributes-change');
+
+			const u1 = await usersCol.findOne({ _id: 'u1_dupvals' }, { projection: { __rooms: 1 } });
+			const u2 = await usersCol.findOne({ _id: 'u2_dupvals' }, { projection: { __rooms: 1 } });
+			expect(u1?.__rooms || []).toContain(rid2);
+			expect(u2?.__rooms || []).not.toContain(rid2);
+		});
+	});
+
+	describe('updateRoomAbacAttributeValues - new value addition', () => {
+		let rid: string;
+
+		beforeAll(async () => {
+			rid = await insertRoom([{ key: 'dept', values: ['eng'] }]);
+
+			await Promise.all([
+				insertDefinitions([{ key: 'dept', values: ['eng', 'sales'] }]),
+				insertUsers([
+					{ _id: 'u1_newval', member: true, extraRooms: [rid], abacAttributes: [{ key: 'dept', values: ['eng', 'sales'] }] }, // already superset
+					{ _id: 'u2_newval', member: true, extraRooms: [rid], abacAttributes: [{ key: 'dept', values: ['eng'] }] }, // missing new value
+					{ _id: 'u3_newval', member: true, extraRooms: [rid], abacAttributes: [{ key: 'dept', values: ['eng', 'sales', 'hr'] }] }, // superset
+				]),
+			]);
+		}, 30_000);
+
+		it('logs users missing newly added value while retaining compliant ones and removes the missing ones', async () => {
+			await service.updateRoomAbacAttributeValues(rid, 'dept', ['eng', 'sales'], fakeActor);
+
+			expect(auditSpy).toHaveBeenCalledTimes(1);
+			expect(auditSpy.mock.calls[0][0]).toMatchObject({ _id: 'u2_newval', username: 'u2_newval' });
+			expect(auditSpy.mock.calls[0][1]).toMatchObject({ _id: rid });
+			expect(auditSpy.mock.calls[0][2]).toBe('room-attributes-change');
+
+			const users = await usersCol
+				.find({ _id: { $in: ['u1_newval', 'u2_newval', 'u3_newval'] } }, { projection: { __rooms: 1 } })
+				.toArray()
+				.then((docs) => Object.fromEntries(docs.map((d) => [d._id, d.__rooms || []])));
+			expect(users.u1_newval).toContain(rid);
+			expect(users.u3_newval).toContain(rid);
+			expect(users.u2_newval).not.toContain(rid);
+		});
+
+		it('produces no evaluation log when only removing values from existing attribute', async () => {
+			const rid = await insertRoom([{ key: 'dept', values: ['eng', 'sales'] }]);
+
+			await Promise.all([
+				insertDefinitions([{ key: 'dept', values: ['eng', 'sales'] }]),
+				insertUsers([
+					{ _id: 'u1_rmval', member: true, extraRooms: [rid], abacAttributes: [{ key: 'dept', values: ['eng'] }] },
+					{ _id: 'u2_rmval', member: true, extraRooms: [rid], abacAttributes: [{ key: 'dept', values: ['eng', 'sales'] }] },
+				]),
+			]);
+
+			await service.updateRoomAbacAttributeValues(rid, 'dept', ['eng'], fakeActor); // removal only
+
+			expect(auditSpy).not.toHaveBeenCalled();
+
+			// nobody removed because removal only does not trigger reevaluation
+			const u1 = await usersCol.findOne({ _id: 'u1_rmval' }, { projection: { __rooms: 1 } });
+			const u2 = await usersCol.findOne({ _id: 'u2_rmval' }, { projection: { __rooms: 1 } });
+			expect(u1?.__rooms || []).toContain(rid);
+			expect(u2?.__rooms || []).toContain(rid);
+		});
+	});
+
+	describe('setRoomAbacAttributes - multi-attribute addition', () => {
+		let rid: string;
+
+		beforeAll(async () => {
+			rid = await insertRoom([{ key: 'dept', values: ['eng'] }]);
+
+			await Promise.all([
+				insertDefinitions([
+					{ key: 'dept', values: ['eng', 'sales', 'hr'] },
+					{ key: 'region', values: ['emea', 'apac'] },
+				]),
+				insertUsers([
+					{
+						_id: 'u1_multi',
+						member: true,
+						extraRooms: [rid],
+						abacAttributes: [
+							{ key: 'dept', values: ['eng', 'sales'] },
+							{ key: 'region', values: ['emea'] },
+						],
+					}, // compliant after expansion
+					{
+						_id: 'u2_multi',
+						member: true,
+						extraRooms: [rid],
+						abacAttributes: [{ key: 'dept', values: ['eng'] }], // missing region
+					},
+					{
+						_id: 'u3_multi',
+						member: true,
+						extraRooms: [rid],
+						abacAttributes: [{ key: 'region', values: ['emea'] }], // missing dept key
+					},
+					{
+						_id: 'u4_multi',
+						member: true,
+						extraRooms: [rid],
+						abacAttributes: [
+							{ key: 'dept', values: ['eng', 'sales', 'hr'] },
+							{ key: 'region', values: ['emea', 'apac'] },
+						],
+					}, // superset across both
+					{
+						_id: 'u5_multi',
+						member: true,
+						extraRooms: [rid],
+						abacAttributes: [
+							{ key: 'dept', values: ['eng', 'sales'] },
+							{ key: 'region', values: ['apac'] },
+						],
+					},
+				]),
+			]);
+		}, 30_000);
+
+		it('enforces all attributes (AND semantics) removing users failing any', async () => {
+			await service.setRoomAbacAttributes(
+				rid,
+				{
+					dept: ['eng', 'sales'],
+					region: ['emea'],
+				},
+				fakeActor,
+			);
+
+			expect(auditSpy).toHaveBeenCalledTimes(3);
+			const auditedUsers = auditSpy.mock.calls.map((call) => call[0]._id).sort();
+			expect(auditedUsers).toEqual(['u2_multi', 'u3_multi', 'u5_multi']);
+			const auditedRooms = new Set(auditSpy.mock.calls.map((call) => call[1]._id));
+			expect(auditedRooms).toEqual(new Set([rid]));
+			const auditedActions = new Set(auditSpy.mock.calls.map((call) => call[2]));
+			expect(auditedActions).toEqual(new Set(['room-attributes-change']));
+
+			const memberships = await usersCol
+				.find({ _id: { $in: ['u1_multi', 'u2_multi', 'u3_multi', 'u4_multi', 'u5_multi'] } }, { projection: { __rooms: 1 } })
+				.toArray()
+				.then((docs) => Object.fromEntries(docs.map((d) => [d._id, d.__rooms || []])));
+			expect(memberships.u1_multi).toContain(rid);
+			expect(memberships.u4_multi).toContain(rid);
+			expect(memberships.u2_multi).not.toContain(rid);
+			expect(memberships.u3_multi).not.toContain(rid);
+			expect(memberships.u5_multi).not.toContain(rid);
+		});
+	});
+
+	describe('Idempotency & no-op behavior', () => {
+		let rid: string;
+
+		beforeAll(async () => {
+			rid = await insertRoom([]);
+
+			await Promise.all([
+				insertDefinitions([{ key: 'dept', values: ['eng', 'sales'] }]),
+				insertUsers([
+					{ _id: 'u1_idem', member: true, extraRooms: [rid], abacAttributes: [{ key: 'dept', values: ['eng', 'sales'] }] },
+					{ _id: 'u2_idem', member: true, extraRooms: [rid], abacAttributes: [{ key: 'dept', values: ['eng'] }] }, // will be removed on first pass
+				]),
+			]);
+		}, 30_000);
+
+		it('does not remove anyone when calling with identical attribute set twice', async () => {
+			await service.setRoomAbacAttributes(rid, { dept: ['eng', 'sales'] }, fakeActor);
+			expect(auditSpy).toHaveBeenCalledTimes(1);
+			expect(auditSpy.mock.calls[0][0]).toMatchObject({ _id: 'u2_idem', username: 'u2_idem' });
+			expect(auditSpy.mock.calls[0][1]).toMatchObject({ _id: rid });
+			expect(auditSpy.mock.calls[0][2]).toBe('room-attributes-change');
+
+			let u1 = await usersCol.findOne({ _id: 'u1_idem' }, { projection: { __rooms: 1 } });
+			let u2 = await usersCol.findOne({ _id: 'u2_idem' }, { projection: { __rooms: 1 } });
+			expect(u1?.__rooms || []).toContain(rid);
+			expect(u2?.__rooms || []).not.toContain(rid);
+
+			// Reset mock counts for clarity
+			debugSpy.mockClear();
+			auditSpy.mockClear();
+
+			await service.setRoomAbacAttributes(rid, { dept: ['eng', 'sales'] }, fakeActor);
+			expect(auditSpy).not.toHaveBeenCalled();
+
+			u1 = await usersCol.findOne({ _id: 'u1_idem' }, { projection: { __rooms: 1 } });
+			u2 = await usersCol.findOne({ _id: 'u2_idem' }, { projection: { __rooms: 1 } });
+			expect(u1?.__rooms || []).toContain(rid);
+			expect(u2?.__rooms || []).not.toContain(rid);
+		});
+	});
+
+	describe('Superset and missing attribute edge cases', () => {
+		let ridSuperset: string;
+		let ridMissingKey: string;
+
+		beforeAll(async () => {
+			ridSuperset = await insertRoom([]);
+
+			await Promise.all([
+				insertDefinitions([{ key: 'dept', values: ['eng', 'sales', 'hr'] }]),
+				insertUsers([
+					{
+						_id: 'u1_superset',
+						member: true,
+						extraRooms: [ridSuperset],
+						abacAttributes: [{ key: 'dept', values: ['eng', 'sales', 'hr'] }],
+					},
+					{ _id: 'u2_superset', member: true, extraRooms: [ridSuperset], abacAttributes: [{ key: 'dept', values: ['eng', 'hr'] }] }, // missing sales
+				]),
+			]);
+
+			ridMissingKey = await insertRoom([]);
+
+			await Promise.all([
+				insertDefinitions([{ key: 'region', values: ['emea', 'apac'] }]),
+				insertUsers([
+					{ _id: 'u1_misskey', member: true, extraRooms: [ridMissingKey], abacAttributes: [{ key: 'region', values: ['emea'] }] },
+					{ _id: 'u2_misskey', member: true, extraRooms: [ridMissingKey], abacAttributes: [{ key: 'dept', values: ['eng'] }] }, // missing region
+					{ _id: 'u3_misskey', member: true, extraRooms: [ridMissingKey] }, // no abacAttributes field
+				]),
+			]);
+		}, 30_000);
+
+		it('keeps user with superset values and removes user missing one required value', async () => {
+			await service.setRoomAbacAttributes(ridSuperset, { dept: ['eng', 'sales', 'hr'] }, fakeActor);
+
+			expect(auditSpy).toHaveBeenCalledTimes(1);
+			expect(auditSpy.mock.calls[0][0]).toMatchObject({ _id: 'u2_superset', username: 'u2_superset' });
+			expect(auditSpy.mock.calls[0][1]).toMatchObject({ _id: ridSuperset });
+			expect(auditSpy.mock.calls[0][2]).toBe('room-attributes-change');
+
+			const u1 = await usersCol.findOne({ _id: 'u1_superset' }, { projection: { __rooms: 1 } });
+			const u2 = await usersCol.findOne({ _id: 'u2_superset' }, { projection: { __rooms: 1 } });
+			expect(u1?.__rooms || []).toContain(ridSuperset);
+			expect(u2?.__rooms || []).not.toContain(ridSuperset);
+		});
+
+		it('removes user missing attribute key entirely', async () => {
+			await service.setRoomAbacAttributes(ridMissingKey, { region: ['emea'] }, fakeActor);
+
+			expect(auditSpy).toHaveBeenCalledTimes(2);
+			const auditedUsers = auditSpy.mock.calls.map((call) => call[0]._id).sort();
+			expect(auditedUsers).toEqual(['u2_misskey', 'u3_misskey']);
+			const auditedRooms = new Set(auditSpy.mock.calls.map((call) => call[1]._id));
+			expect(auditedRooms).toEqual(new Set([ridMissingKey]));
+			const auditedActions = new Set(auditSpy.mock.calls.map((call) => call[2]));
+			expect(auditedActions).toEqual(new Set(['room-attributes-change']));
+
+			const memberships = await usersCol
+				.find({ _id: { $in: ['u1_misskey', 'u2_misskey', 'u3_misskey'] } }, { projection: { __rooms: 1 } })
+				.toArray()
+				.then((docs) => Object.fromEntries(docs.map((d) => [d._id, d.__rooms || []])));
+			expect(memberships.u1_misskey).toContain(ridMissingKey);
+			expect(memberships.u2_misskey).not.toContain(ridMissingKey);
+			expect(memberships.u3_misskey).not.toContain(ridMissingKey);
+		});
+	});
+
+	describe('Large member set performance sanity (lightweight)', () => {
+		let rid: string;
+
+		beforeAll(async () => {
+			rid = await insertRoom([]);
+
+			await Promise.all([insertDefinitions([{ key: 'dept', values: ['eng', 'sales'] }])]);
+
+			const bulk: Parameters<typeof insertUsers>[0] = [];
+			for (let i = 0; i < 300; i++) {
+				// Half compliant with both values, half only 'eng'
+				const values = i % 2 === 0 ? ['eng', 'sales'] : ['eng'];
+				bulk.push({
+					_id: `u${i}`,
+					member: true,
+					extraRooms: [rid],
+					abacAttributes: [{ key: 'dept', values }],
+				});
+			}
+			await insertUsers(bulk);
+		}, 30_000);
+
+		it('removes only expected fraction in a larger population', async () => {
+			await service.setRoomAbacAttributes(rid, { dept: ['eng', 'sales'] }, fakeActor);
+
+			expect(auditSpy).toHaveBeenCalledTimes(150);
+			const removed = auditSpy.mock.calls.map((call) => call[0]._id);
+			expect(removed.length).toBe(150);
+			expect(removed).toContain('u1');
+			expect(removed).toContain('u299');
+			expect(removed).not.toContain('u0');
+			expect(removed).not.toContain('u298');
+
+			const auditedRooms = new Set(auditSpy.mock.calls.map((call) => call[1]._id));
+			expect(auditedRooms).toEqual(new Set([rid]));
+			const auditedActions = new Set(auditSpy.mock.calls.map((call) => call[2]));
+			expect(auditedActions).toEqual(new Set(['room-attributes-change']));
+
+			const remainingCount = await usersCol.countDocuments({ __rooms: rid });
+			expect(remainingCount).toBe(150);
+		});
+	});
+});
diff --git a/ee/packages/abac/tsconfig.json b/ee/packages/abac/tsconfig.json
new file mode 100644
index 00000000000..8afe4ba1f5c
--- /dev/null
+++ b/ee/packages/abac/tsconfig.json
@@ -0,0 +1,10 @@
+{
+	"extends": "@rocket.chat/tsconfig/server.json",
+	"compilerOptions": {
+		"declaration": true,
+		"rootDir": "./src",
+		"outDir": "./dist"
+	},
+	"include": ["./src/**/*"],
+	"exclude": ["./dist"]
+}
diff --git a/packages/apps-engine/src/definition/messages/MessageType.ts b/packages/apps-engine/src/definition/messages/MessageType.ts
index 4b2734c1d36..308d1bacaca 100644
--- a/packages/apps-engine/src/definition/messages/MessageType.ts
+++ b/packages/apps-engine/src/definition/messages/MessageType.ts
@@ -144,4 +144,6 @@ export type MessageType =
 	/** Sent when a leader was removed */
 	| 'leader-removed'
 	/** Sent when a user was added to a room */
-	| 'discussion-created';
+	| 'discussion-created'
+	// ** Sent when a user was removed from an abac room */
+	| 'abac-removed-user-from-room';
diff --git a/packages/core-services/src/index.ts b/packages/core-services/src/index.ts
index 2d7e4b9a960..68bfe62196f 100644
--- a/packages/core-services/src/index.ts
+++ b/packages/core-services/src/index.ts
@@ -1,4 +1,5 @@
 import { proxify } from './lib/proxify';
+import type { IAbacService } from './types/IAbacService';
 import type { IAccount, ILoginResult } from './types/IAccount';
 import type { IAnalyticsService } from './types/IAnalyticsService';
 import { IApiService } from './types/IApiService';
@@ -52,6 +53,7 @@ import type { IVoipFreeSwitchService } from './types/IVoipFreeSwitchService';
 import type { IVoipService } from './types/IVoipService';
 
 export { AppStatusReport } from './types/IAppsEngineService';
+export { IAbacService, AbacActor } from './types/IAbacService';
 export { asyncLocalStorage } from './lib/asyncLocalStorage';
 export { MeteorError, isMeteorError } from './MeteorError';
 export { api } from './api';
@@ -197,3 +199,4 @@ export const User = proxify<IUserService>('user');
 export const EnterpriseSettings = proxify<IEnterpriseSettings>('ee-settings');
 
 export const FederationMatrix = proxify<IFederationMatrixService>('federation-matrix');
+export const Abac = proxify<IAbacService>('abac');
diff --git a/packages/core-services/src/types/IAbacService.ts b/packages/core-services/src/types/IAbacService.ts
new file mode 100644
index 00000000000..e7f19e0ad1f
--- /dev/null
+++ b/packages/core-services/src/types/IAbacService.ts
@@ -0,0 +1,49 @@
+import type {
+	IAbacAttributeDefinition,
+	IAbacAttribute,
+	IRoom,
+	IUser,
+	AbacAccessOperation,
+	AbacObjectType,
+	ILDAPEntry,
+} from '@rocket.chat/core-typings';
+
+export type AbacActor = Pick<IUser, '_id' | 'username' | 'name'>;
+
+export interface IAbacService {
+	addAbacAttribute(attribute: IAbacAttributeDefinition, actor: AbacActor | undefined): Promise<void>;
+	listAbacAttributes(
+		filters?: {
+			key?: string;
+			values?: string;
+			offset?: number;
+			count?: number;
+		},
+		actor?: AbacActor,
+	): Promise<{ attributes: IAbacAttribute[]; offset: number; count: number; total: number }>;
+	listAbacRooms(
+		filters?: {
+			offset?: number;
+			count?: number;
+			filter?: string;
+			filterType?: 'all' | 'roomName' | 'attribute' | 'value';
+		},
+		actor?: AbacActor,
+	): Promise<{ rooms: IRoom[]; offset: number; count: number; total: number }>;
+	updateAbacAttributeById(_id: string, update: { key?: string; values?: string[] }, actor: AbacActor | undefined): Promise<void>;
+	deleteAbacAttributeById(_id: string, actor: AbacActor | undefined): Promise<void>;
+	getAbacAttributeById(_id: string, actor: AbacActor | undefined): Promise<{ key: string; values: string[] }>;
+	isAbacAttributeInUseByKey(key: string): Promise<boolean>;
+	setRoomAbacAttributes(rid: string, attributes: Record<string, string[]>, actor: AbacActor | undefined): Promise<void>;
+	removeRoomAbacAttribute(rid: string, key: string, actor: AbacActor | undefined): Promise<void>;
+	addRoomAbacAttributeByKey(rid: string, key: string, values: string[], actor: AbacActor | undefined): Promise<void>;
+	replaceRoomAbacAttributeByKey(rid: string, key: string, values: string[], actor: AbacActor | undefined): Promise<void>;
+	checkUsernamesMatchAttributes(usernames: string[], attributes: IAbacAttributeDefinition[], object: IRoom): Promise<void>;
+	canAccessObject(
+		room: Pick<IRoom, '_id' | 't' | 'teamId' | 'prid' | 'abacAttributes'>,
+		user: Pick<IUser, '_id'>,
+		action: AbacAccessOperation,
+		objectType: AbacObjectType,
+	): Promise<boolean>;
+	addSubjectAttributes(user: IUser, ldapUser: ILDAPEntry, map: Record<string, string>, actor: AbacActor | undefined): Promise<void>;
+}
diff --git a/packages/core-services/src/types/IAuthorization.ts b/packages/core-services/src/types/IAuthorization.ts
index 0176db5c9a9..d4bb1c1c67d 100644
--- a/packages/core-services/src/types/IAuthorization.ts
+++ b/packages/core-services/src/types/IAuthorization.ts
@@ -1,7 +1,7 @@
 import type { IRoom, IUser, IRole } from '@rocket.chat/core-typings';
 
 export type RoomAccessValidator = (
-	room?: Pick<IRoom, '_id' | 't' | 'teamId' | 'prid'>,
+	room?: Pick<IRoom, '_id' | 't' | 'teamId' | 'prid' | 'abacAttributes'>,
 	user?: Pick<IUser, '_id'>,
 	extraData?: Record<string, any>,
 ) => Promise<boolean>;
diff --git a/packages/core-services/src/types/IRoomService.ts b/packages/core-services/src/types/IRoomService.ts
index ecb850d45ef..9e74a6d0225 100644
--- a/packages/core-services/src/types/IRoomService.ts
+++ b/packages/core-services/src/types/IRoomService.ts
@@ -1,4 +1,4 @@
-import type { AtLeast, IRoom, ISubscription, IUser } from '@rocket.chat/core-typings';
+import type { AtLeast, IRoom, ISubscription, IUser, MessageTypesValues } from '@rocket.chat/core-typings';
 
 export interface ISubscriptionExtraData {
 	open: boolean;
@@ -35,9 +35,13 @@ export interface IRoomService {
 			createAsHidden?: boolean;
 		},
 	): Promise<boolean | undefined>;
-	removeUserFromRoom(roomId: string, user: IUser, options?: { byUser: Pick<IUser, '_id' | 'username'> }): Promise<void>;
 	performUserRemoval(room: IRoom, user: IUser, options?: { byUser?: IUser }): Promise<void>;
 	performAcceptRoomInvite(room: IRoom, subscription: ISubscription, user: IUser): Promise<void>;
+	removeUserFromRoom(
+		roomId: string,
+		user: IUser,
+		options?: { byUser?: Pick<IUser, '_id' | 'username'>; skipAppPreEvents?: boolean; customSystemMessage?: MessageTypesValues },
+	): Promise<void>;
 	getValidRoomName(displayName: string, roomId?: string, options?: { allowDuplicates?: boolean }): Promise<string>;
 	saveRoomTopic(
 		roomId: string,
diff --git a/packages/core-typings/src/Abac.ts b/packages/core-typings/src/Abac.ts
new file mode 100644
index 00000000000..a4a9cbad696
--- /dev/null
+++ b/packages/core-typings/src/Abac.ts
@@ -0,0 +1,9 @@
+export enum AbacAccessOperation {
+	READ = 'read',
+	WRITE = 'write',
+}
+
+export enum AbacObjectType {
+	ROOM = 'room',
+	// Just room for now :)
+}
diff --git a/packages/core-typings/src/IAbacAttribute.ts b/packages/core-typings/src/IAbacAttribute.ts
new file mode 100644
index 00000000000..d46a0866b5f
--- /dev/null
+++ b/packages/core-typings/src/IAbacAttribute.ts
@@ -0,0 +1,16 @@
+import type { IRocketChatRecord } from './IRocketChatRecord';
+
+export interface IAbacAttributeDefinition {
+	/**
+	 * Validation expectation (NOT enforced here, must be enforced by caller):
+	 *   /^[A-Za-z0-9_-]+$/
+	 */
+	key: string;
+
+	/**
+	 * List of string values for this attribute key.
+	 */
+	values: string[];
+}
+
+export interface IAbacAttribute extends IRocketChatRecord, IAbacAttributeDefinition {}
diff --git a/packages/core-typings/src/IMessage/IMessage.ts b/packages/core-typings/src/IMessage/IMessage.ts
index 381ab53b03d..15ca5f76b15 100644
--- a/packages/core-typings/src/IMessage/IMessage.ts
+++ b/packages/core-typings/src/IMessage/IMessage.ts
@@ -106,6 +106,7 @@ const MessageTypes = [
 	'new-leader',
 	'leader-removed',
 	'discussion-created',
+	'abac-removed-user-from-room',
 	...TeamMessageTypesValues,
 	...LivechatMessageTypesValues,
 	...VoipMessageTypesValues,
diff --git a/packages/core-typings/src/IRoom.ts b/packages/core-typings/src/IRoom.ts
index c2975b49b07..0e0b5996ccb 100644
--- a/packages/core-typings/src/IRoom.ts
+++ b/packages/core-typings/src/IRoom.ts
@@ -1,3 +1,4 @@
+import type { IAbacAttributeDefinition } from './IAbacAttribute';
 import type { ILivechatDepartment } from './ILivechatDepartment';
 import type { ILivechatPriority } from './ILivechatPriority';
 import type { ILivechatVisitor } from './ILivechatVisitor';
@@ -33,6 +34,8 @@ export interface IRoom extends IRocketChatRecord {
 		style?: string;
 	};
 	encrypted?: boolean;
+	// The existence of an abac attribute definition indicates that ABAC is enabled for the room
+	abacAttributes?: IAbacAttributeDefinition[];
 	topic?: string;
 
 	reactWhenReadOnly?: boolean;
@@ -400,7 +403,8 @@ export type RoomAdminFieldsType =
 	| 'description'
 	| 'broadcast'
 	| 'uids'
-	| 'avatarETag';
+	| 'avatarETag'
+	| 'abacAttributes';
 
 export interface IRoomWithRetentionPolicy extends IRoom {
 	retention: {
diff --git a/packages/core-typings/src/IStats.ts b/packages/core-typings/src/IStats.ts
index a940be16fd3..bee28ac0ddf 100644
--- a/packages/core-typings/src/IStats.ts
+++ b/packages/core-typings/src/IStats.ts
@@ -271,4 +271,8 @@ export interface IStats {
 		totalUpsellViews: number;
 		totalUpsellClicks: number;
 	};
+	abacEnabled?: boolean;
+	abacTotalAttributes?: number;
+	abacTotalAttributeValues?: number;
+	abacRoomsEnrolled?: number;
 }
diff --git a/packages/core-typings/src/ISubscription.ts b/packages/core-typings/src/ISubscription.ts
index 73eae10004d..23e84326dd1 100644
--- a/packages/core-typings/src/ISubscription.ts
+++ b/packages/core-typings/src/ISubscription.ts
@@ -76,6 +76,8 @@ export interface ISubscription extends IRocketChatRecord {
 
 	status?: SubscriptionStatus;
 	inviter?: Required<Pick<IUser, '_id' | 'username'>> & Pick<IUser, 'name'>;
+
+	abacLastTimeChecked?: Date;
 }
 
 export interface IInviteSubscription extends ISubscription {
diff --git a/packages/core-typings/src/IUser.ts b/packages/core-typings/src/IUser.ts
index 6961781a88d..820e4d3c712 100644
--- a/packages/core-typings/src/IUser.ts
+++ b/packages/core-typings/src/IUser.ts
@@ -1,3 +1,4 @@
+import type { IAbacAttributeDefinition } from './IAbacAttribute';
 import type { IRocketChatRecord } from './IRocketChatRecord';
 import type { IRole } from './IRole';
 import type { Serialized } from './Serialized';
@@ -253,6 +254,8 @@ export interface IUser extends IRocketChatRecord {
 	isOAuthUser?: boolean; // client only field
 	__rooms?: string[];
 	inactiveReason?: 'deactivated' | 'pending_approval' | 'idle_too_long';
+
+	abacAttributes?: IAbacAttributeDefinition[];
 }
 
 export interface IRegisterUser extends IUser {
diff --git a/packages/core-typings/src/ServerAudit/IAuditServerAbacAction.ts b/packages/core-typings/src/ServerAudit/IAuditServerAbacAction.ts
new file mode 100644
index 00000000000..d7f5bb8e02e
--- /dev/null
+++ b/packages/core-typings/src/ServerAudit/IAuditServerAbacAction.ts
@@ -0,0 +1,89 @@
+import type { IUser, IRoom, IAuditServerEventType, IAbacAttributeDefinition, IServerEvents, Optional } from '..';
+
+export type MinimalUser = Pick<IUser, 'username'> & Optional<Pick<IUser, '_id'>, '_id'>;
+export type MinimalRoom = Pick<IRoom, '_id' | 'name'>;
+
+export type AbacAuditReason = 'ldap-sync' | 'room-attributes-change' | 'system' | 'api' | 'realtime-policy-eval';
+
+export type AbacActionPerformed = 'revoked-object-access' | 'granted-object-access';
+
+export type AbacAttributeDefinitionChangeType =
+	| 'created'
+	| 'updated'
+	| 'deleted'
+	| 'all-deleted'
+	| 'key-removed'
+	| 'key-renamed'
+	| 'value-removed'
+	| 'key-added'
+	| 'key-updated';
+
+export type AbacAttributeDefinitionDiff = {
+	added?: string[];
+	removed?: string[];
+	renamedFrom?: string;
+};
+
+// Since user attributes can grow without limits, we're only logging the diffs
+interface IServerEventAbacSubjectAttributeChanged
+	extends IAuditServerEventType<
+		{ key: 'subject'; value: MinimalUser } | { key: 'reason'; value: AbacAuditReason } | { key: 'diff'; value: IAbacAttributeDefinition[] }
+	> {
+	t: 'abac.subject.attribute.changed';
+}
+
+interface IServerEventAbacObjectAttributeChanged
+	extends IAuditServerEventType<
+		| { key: 'room'; value: MinimalRoom }
+		| { key: 'reason'; value: AbacAuditReason }
+		| { key: 'previous'; value: IAbacAttributeDefinition[] }
+		| { key: 'current'; value: IAbacAttributeDefinition[] | null }
+		| { key: 'change'; value: AbacAttributeDefinitionChangeType }
+	> {
+	t: 'abac.object.attribute.changed';
+}
+
+interface IServerEventAbacAttributeChanged
+	extends IAuditServerEventType<
+		| { key: 'attributeKey'; value: string }
+		| { key: 'reason'; value: AbacAuditReason }
+		| { key: 'change'; value: AbacAttributeDefinitionChangeType }
+		| { key: 'current'; value: IAbacAttributeDefinition | null | undefined }
+		| { key: 'diff'; value: IAbacAttributeDefinition | undefined }
+	> {
+	t: 'abac.attribute.changed';
+}
+
+interface IServerEventAbacActionPerformed
+	extends IAuditServerEventType<
+		| { key: 'action'; value: AbacActionPerformed }
+		| { key: 'reason'; value: AbacAuditReason }
+		| { key: 'subject'; value: MinimalUser | undefined }
+		| { key: 'object'; value: MinimalRoom | undefined }
+	> {
+	t: 'abac.action.performed';
+}
+
+interface IServerEventAbacObjectAttributesRemoved
+	extends IAuditServerEventType<
+		| { key: 'room'; value: MinimalRoom }
+		| { key: 'reason'; value: AbacAuditReason }
+		| { key: 'previous'; value: IAbacAttributeDefinition[] }
+		| { key: 'current'; value: IAbacAttributeDefinition[] | null }
+		| { key: 'change'; value: AbacAttributeDefinitionChangeType }
+	> {
+	t: 'abac.object.attributes.removed';
+}
+declare module '../IServerEvent' {
+	interface IServerEvents {
+		'abac.subject.attribute.changed': IServerEventAbacSubjectAttributeChanged;
+		'abac.object.attribute.changed': IServerEventAbacObjectAttributeChanged;
+		'abac.attribute.changed': IServerEventAbacAttributeChanged;
+		'abac.action.performed': IServerEventAbacActionPerformed;
+		'abac.object.attributes.removed': IServerEventAbacObjectAttributesRemoved;
+	}
+}
+
+// Utility type to extract all ABAC-related server event names
+// (ensures that only events prefixed with "abac." are included)
+export type AbacAuditServerEventKey = Extract<keyof IServerEvents, `abac.${string}`>;
diff --git a/packages/core-typings/src/index.ts b/packages/core-typings/src/index.ts
index fb6335e1c6b..9c5bfc5dd64 100644
--- a/packages/core-typings/src/index.ts
+++ b/packages/core-typings/src/index.ts
@@ -1,5 +1,6 @@
 import './ServerAudit/IAuditServerSettingEvent';
 import './ServerAudit/IAuditUserChangedEvent';
+import './ServerAudit/IAuditServerAbacAction';
 
 export * from './ServerAudit/IAuditUserChangedEvent';
 export * from './Apps';
@@ -148,5 +149,8 @@ export * as Cloud from './cloud';
 export * from './themes';
 export * from './mediaCalls';
 export * from './ICallHistoryItem';
+export * from './IAbacAttribute';
+export * from './Abac';
+export * from './ServerAudit/IAuditServerAbacAction';
 
 export { schemas } from './Ajv';
diff --git a/packages/core-typings/src/license/LicenseModule.ts b/packages/core-typings/src/license/LicenseModule.ts
index 6174d5542dd..5267817164d 100644
--- a/packages/core-typings/src/license/LicenseModule.ts
+++ b/packages/core-typings/src/license/LicenseModule.ts
@@ -23,6 +23,7 @@ export const CoreModules = [
 	'contact-id-verification',
 	'teams-voip',
 	'outbound-messaging',
+	'abac',
 ] as const;
 
 export type InternalModuleName = (typeof CoreModules)[number];
diff --git a/packages/i18n/src/locales/en.i18n.json b/packages/i18n/src/locales/en.i18n.json
index 3329dfa7310..b0ffa0d1323 100644
--- a/packages/i18n/src/locales/en.i18n.json
+++ b/packages/i18n/src/locales/en.i18n.json
@@ -11,6 +11,77 @@
   "2_Erros_Information_and_Debug": "2 - Errors, Information and Debug",
   "@username": "@username",
   "@username_message": "@username <message>",
+  "ABAC": "Attribute Based Access Control",
+  "ABAC_Enabled": "Enable Attribute Based Access Control (ABAC)",
+  "ABAC_Enabled_Description": "Controls access to rooms based on user and room attributes.",
+  "Abac_Cache_Decision_Time_Seconds": "ABAC Cache Decision Time (seconds)",
+  "Abac_Cache_Decision_Time_Seconds_Description": "Time in seconds to cache access control decisions. Setting this value to 0 will disable caching.",
+  "ABAC_Enabled_callout": "User attributes are synchronized via LDAP. <1>Learn more</1>",
+  "ABAC_Learn_More": "Learn about ABAC",
+  "ABAC_automatically_disabled_callout": "ABAC automatically disabled",
+  "ABAC_automatically_disabled_callout_description": "Renew your license to continue using all <1>ABAC capabilities without restriction</1>.",
+  "ABAC_Warning_Modal_Title": "Deactivate ABAC",
+  "ABAC_Warning_Modal_Confirm_Text": "Deactivate ABAC",
+  "ABAC_Warning_Modal_Content": "You will not be able to automatically or manually manage users in existing ABAC-managed rooms. To restore a room's default access control, it must be removed from ABAC management in <1>ABAC > Rooms</1>.",
+  "ABAC_ShowAttributesInRooms": "Show ABAC attributes in rooms",
+  "ABAC_ShowAttributesInRooms_Description": "Display the ABAC attributes assigned to the room in the contextual bar",
+  "ABAC_Room": "Room",
+  "ABAC_Room_Attribute": "Room Attribute",
+  "ABAC_Element": "ABAC Element",
+  "ABAC_Element_Name": "Element Name",
+  "ABAC_Cannot_delete_attribute": "Cannot delete attribute assigned to rooms",
+  "ABAC_Cannot_delete_attribute_content": "Unassign <bold>{{attributeName}}</bold> from all rooms before attempting to delete it.",
+  "ABAC_Delete_room_attribute": "Delete attribute",
+  "ABAC_Delete_room_attribute_content": "Are you sure you want to delete <bold>{{attributeName}}</bold> ?<br/>Existing rooms will not be affected as it is not currently assigned to any.",
+  "ABAC_Attribute_created": "{{attributeName}} attribute created",
+  "ABAC_Attribute_updated": "{{attributeName}} attribute updated",
+  "ABAC_Attribute_deleted": "{{attributeName}} attribute deleted",
+  "ABAC_New_attribute": "New attribute",
+  "ABAC_Edit_attribute": "Edit attribute",
+  "ABAC_Edit_attribute_description": "Attribute values cannot be edited, but can be added or deleted.",
+  "ABAC_New_attribute_description": "Create an attribute that can later be assigned to rooms.",
+  "ABAC_No_logs": "No logs",
+  "ABAC_No_logs_description": "ABAC-management related activity will appear here.",
+  "ABAC_Search_attributes": "Search attributes",
+  "ABAC_Remove_attribute": "Delete attribute value",
+  "ABAC_Delete_room": "Remove room from ABAC management",
+  "ABAC_Delete_room_annotation": "Proceed with caution",
+  "ABAC_Delete_room_content": "Removing <bold>{{roomName}}</bold> from ABAC management may result in unintended users gaining access.",
+  "ABAC_Room_removed": "Room {{roomName}} removed from ABAC management",
+  "ABAC_Add_Attribute": "Add Attribute",
+  "ABAC_Attribute_Values": "Attribute Values",
+  "ABAC_Edit_Room": "Edit Room",
+  "ABAC_Add_room": "Add Room",
+  "ABAC_No_repeated_attributes": "Attribute already added",
+  "ABAC_No_repeated_values": "Value already added",
+  "ABAC_Room_created": "Access to {{roomName}} is now restricted to attribute-compliant users",
+  "ABAC_Room_to_be_managed": "Room to be ABAC-managed",
+  "ABAC_Room_updated": "{{roomName}} ABAC room updated",
+  "ABAC_Search_Attribute": "Search attribute",
+  "ABAC_Search_rooms": "Search rooms, attributes or attribute values",
+  "ABAC_Select_Attribute_Values": "Select attribute values",
+  "ABAC_Update_room_confirmation_modal_annotation": "Proceed with caution",
+  "ABAC_Update_room_confirmation_modal_title": "Update ABAC room",
+  "ABAC_Update_room_content": "{{roomName}} is currently ABAC-managed. Changes may alter who can access this room.",
+  "abac-management": "Manage ABAC configuration",
+  "abac_removed_user_from_the_room": "was removed by ABAC",
+  "ABAC_No_attributes": "No Attributes",
+  "ABAC_No_attributes_description": "Create custom characteristics to determine who can access a room.",
+  "ABAC_No_rooms": "No rooms",
+  "ABAC_No_rooms_description": "ABAC-managed rooms will appear here.",
+  "ABAC_All_Attributes_deleted": "All attributes deleted",
+  "ABAC_Key_removed": "Key removed",
+  "ABAC_Key_renamed": "Key renamed",
+  "ABAC_Value_removed": "Value removed",
+  "ABAC_Key_added": "Key added",
+  "ABAC_Key_updated": "Key updated",
+  "ABAC_Revoked_Object_Access": "Automatic removal",
+  "ABAC_Granted_Object_Access": "Manual add approved",
+  "ABAC_room_membership": "Room membership",
+  "ABAC_Managed": "ABAC Managed",
+  "ABAC_Managed_description": "Only compliant users have access to attribute-based access controlled rooms. Attributes determine room access.",
+  "ABAC_Room_Attributes": "Room Attributes",
+  "ABAC_Logs": "Logs",
   "AI_Actions": "AI actions",
   "API": "API",
   "API_Add_Personal_Access_Token": "Add new Personal Access Token",
@@ -77,9 +148,6 @@
   "A_new_owner_will_be_assigned_automatically_to_those__count__rooms__rooms__": "A new owner will be assigned automatically to those <bold>{{count}}</bold> rooms:<br/> {{rooms}}.",
   "A_secure_and_highly_private_self-managed_solution_for_conference_calls": "A secure and highly private self-managed solution for conference calls.",
   "A_workspace_admin_needs_to_install_and_configure_a_conference_call_app": "A workspace admin needs to install and configure a conference call app.",
-  "ABAC_Managed": "ABAC Managed",
-  "ABAC_Managed_description": "Only compliant users have access to attribute-based access controlled rooms. Attributes determine room access.",
-  "ABAC_Room_Attributes": "Room Attributes",
   "Accept": "Accept",
   "Accept_Call": "Accept Call",
   "Accept_incoming_livechat_requests_even_if_there_are_no_online_agents": "Accept incoming omnichannel requests even if there are no online agents",
@@ -349,6 +417,8 @@
   "Activity": "Activity",
   "Actor": "Actor",
   "Add": "Add",
+  "Add_Value": "Add Value",
+  "Add_room": "Add Room",
   "Add-on": "Add-on",
   "Add-on_required": "Add-on required",
   "Add-on_required_modal_enable_content": "App cannot be enabled without the required subscription add-on. Contact sales to get the add-on for this app.",
@@ -697,6 +767,8 @@
   "AtlassianCrowd_Description": "Integrate Atlassian Crowd.",
   "Attachment_File_Uploaded": "File Uploaded",
   "Attribute_handling": "Attribute handling",
+  "Attribute_Values": "Attribute Values",
+  "Attributes": "Attributes",
   "Attribute_based_access_control": "Attribute-Based Access Control",
   "Attribute_based_access_control_title": "Automate complex access management across your entire organization",
   "Attribute_based_access_control_description": "ABAC automates room access, granting or revoking access based on dynamic user attributes rather than fixed roles.",
@@ -2773,6 +2845,12 @@
   "LDAP_Background_Sync_Keep_Existant_Users_Updated_Description": "Will sync the avatar, fields, username, etc (based on your configuration) of all users already imported from LDAP on every **Sync Interval**",
   "LDAP_Background_Sync_Merge_Existent_Users": "Background Sync Merge Existing Users",
   "LDAP_Background_Sync_Merge_Existent_Users_Description": "Will merge all users (based on your filter criteria) that exist in LDAP and also exist in Rocket.Chat. To enable this, activate the 'Merge Existing Users' setting in the Data Sync tab.",
+  "LDAP_DataSync_ABAC": "Sync ABAC Attributes",
+  "LDAP_Background_Sync_ABAC_Attributes": "ABAC Attributes Background Sync",
+  "LDAP_Background_Sync_ABAC_Attributes_Description": "Enable a separate background process to sync user ABAC attributes.",
+  "LDAP_Background_Sync_ABAC_Attributes_Interval": "ABAC Attributes Background Sync Interval",
+  "LDAP_ABAC_AttributeMap": "ABAC Attribute Mapping",
+  "LDAP_ABAC_AttributeMap_Description": "Map LDAP user attributes to Rocket.Chat ABAC attributes.  \n As an example, `{\"department\":\"dept\", \"region\":\"region\"}` will map the LDAP attribute `department` to the ABAC attribute `dept` and `region` to `region`.  \n The structure must be a JSON object where each key is an LDAP attribute name and each value is the ABAC attribute name to set on the user.",
   "LDAP_BaseDN": "Base DN",
   "LDAP_BaseDN_Description": "The fully qualified Distinguished Name (DN) of an LDAP subtree you want to search for users and groups. You can add as many as you like; however, each group must be defined in the same domain base as the users that belong to it. Example: `ou=Users+ou=Projects,dc=Example,dc=com`. If you specify restricted user groups, only users that belong to those groups will be in scope. We recommend that you specify the top level of your LDAP directory tree as your domain base and use search filter to control access.",
   "LDAP_CA_Cert": "CA Cert",
@@ -5457,6 +5535,7 @@
   "Update_version": "Update version",
   "Update_your_RocketChat": "Update your Rocket.Chat",
   "Updated_at": "Updated at",
+  "Updated": "Updated",
   "Upgrade": "Upgrade",
   "UpgradeToGetMore_Headline": "Upgrade to get more",
   "UpgradeToGetMore_Subtitle": "Supercharge your workspace with advanced capabilities.",
@@ -5647,8 +5726,10 @@
   "Utilities": "Utilities",
   "Validate_email_address": "Validate Email Address",
   "Validation": "Validation",
+  "Value": "Value",
   "Value_messages": "{{value}} messages",
   "Value_users": "{{value}} users",
+  "Values": "Values",
   "Verification": "Verification",
   "Verification_Description": "You may use the following placeholders:  \n - `[Verification_Url]` for the verification URL.  \n - `[name]`, `[fname]`, `[lname]` for the user's full name, first name or last name, respectively.  \n - `[email]` for the user's email.  \n - `[Site_Name]` and `[Site_URL]` for the Application Name and URL respectively. ",
   "Verification_Email": "Click <a href=\"[Verification_Url]\">here</a> to verify your email address.",
@@ -5693,6 +5774,7 @@
   "Videos": "Videos",
   "View_All": "View All Members",
   "View_Logs": "View Logs",
+  "View_rooms": "View rooms",
   "View_channels": "View channels",
   "View_full_conversation": "View full conversation",
   "View_mode": "View Mode",
@@ -6279,6 +6361,7 @@
   "error-not-authorized": "Not authorized",
   "error-not-authorized-federation": "Not authorized to access federation",
   "error-office-hours-are-closed": "The office hours are closed.",
+  "error-only-compliant-users-can-be-added-to-abac-rooms": "Only compliant users can be added to ABAC rooms.",
   "error-password-in-history": "Entered password has been previously used",
   "error-password-policy-not-met": "Password does not meet the server's policy",
   "error-password-policy-not-met-maxLength": "Password does not meet the server's policy of maximum length (password too long)",
@@ -6305,6 +6388,7 @@
   "error-room-is-not-closed": "Room is not closed",
   "error-room-not-on-hold": "Error! Room is not On Hold",
   "error-room-onHold": "Error! Room is On Hold",
+  "error-room-is-abac-managed": "This room is ABAC managed and new users cannot be added",
   "error-adding-monitor": "Error adding monitor",
   "error-saving-sla": "An error ocurred while saving the SLA",
   "error-selected-agent-room-agent-are-same": "The selected agent and the room agent are the same",
diff --git a/packages/jwt/__tests__/jwt.spec.ts b/packages/jwt/__tests__/jwt.spec.ts
index 2c96a394dd5..c5398985544 100644
--- a/packages/jwt/__tests__/jwt.spec.ts
+++ b/packages/jwt/__tests__/jwt.spec.ts
@@ -54,6 +54,7 @@ it('should sign and verify a jwt with RS256', async () => {
 			{ module: 'outlook-calendar' },
 			{ module: 'unlimited-presence' },
 			{ module: 'outbound-messaging' },
+			{ module: 'abac' },
 		],
 		limits: {
 			activeUsers: [
diff --git a/packages/message-types/src/registrations/common.ts b/packages/message-types/src/registrations/common.ts
index 88566517c81..67f45939945 100644
--- a/packages/message-types/src/registrations/common.ts
+++ b/packages/message-types/src/registrations/common.ts
@@ -212,4 +212,10 @@ export default (instance: MessageTypes) => {
 		system: true,
 		text: (t) => t('Pinned_a_message'),
 	});
+
+	instance.registerType({
+		id: 'abac-removed-user-from-room',
+		system: true,
+		text: (t) => t('abac_removed_user_from_the_room'),
+	});
 };
diff --git a/packages/model-typings/src/index.ts b/packages/model-typings/src/index.ts
index 612b471b10b..3d7e5eb1c35 100644
--- a/packages/model-typings/src/index.ts
+++ b/packages/model-typings/src/index.ts
@@ -87,3 +87,4 @@ export * from './models/IMediaCallNegotiationsModel';
 export * from './updater';
 export * from './models/IWorkspaceCredentialsModel';
 export * from './models/ICallHistoryModel';
+export * from './models/IAbacAttributesModel';
diff --git a/packages/model-typings/src/models/IAbacAttributesModel.ts b/packages/model-typings/src/models/IAbacAttributesModel.ts
new file mode 100644
index 00000000000..485aa7bae75
--- /dev/null
+++ b/packages/model-typings/src/models/IAbacAttributesModel.ts
@@ -0,0 +1,10 @@
+import type { IAbacAttribute } from '@rocket.chat/core-typings';
+import type { FindOptions } from 'mongodb';
+
+import type { IBaseModel } from './IBaseModel';
+
+// eslint-disable-next-line @typescript-eslint/no-empty-interface
+export interface IAbacAttributesModel extends IBaseModel<IAbacAttribute> {
+	findOneByKey(key: string, options?: FindOptions<IAbacAttribute>): Promise<IAbacAttribute | null>;
+	countTotalValues(): Promise<number>;
+}
diff --git a/packages/model-typings/src/models/IRoomsModel.ts b/packages/model-typings/src/models/IRoomsModel.ts
index 5408cdbf940..ace72ff4d00 100644
--- a/packages/model-typings/src/models/IRoomsModel.ts
+++ b/packages/model-typings/src/models/IRoomsModel.ts
@@ -29,6 +29,7 @@ export interface IChannelsWithNumberOfMessagesBetweenDate {
 }
 
 export interface IRoomsModel extends IBaseModel<IRoom> {
+	isAbacAttributeInUse(key: string, values: string[]): Promise<boolean>;
 	findOneByRoomIdAndUserId(rid: IRoom['_id'], uid: IUser['_id'], options?: FindOptions<IRoom>): Promise<IRoom | null>;
 
 	findManyByRoomIds(roomIds: Array<IRoom['_id']>, options?: FindOptions<IRoom>): FindCursor<IRoom>;
@@ -48,6 +49,8 @@ export interface IRoomsModel extends IBaseModel<IRoom> {
 		options?: FindOptions<IRoom>,
 	): FindPaginated<FindCursor<IRoom>>;
 
+	findPrivateRoomsAndTeamsPaginated(name: NonNullable<IRoom['name']>, options?: FindOptions<IRoom>): FindPaginated<FindCursor<IRoom>>;
+
 	findByTeamId(teamId: ITeam['_id'], options?: FindOptions<IRoom>): FindCursor<IRoom>;
 
 	countByTeamId(teamId: ITeam['_id']): Promise<number>;
@@ -124,6 +127,8 @@ export interface IRoomsModel extends IBaseModel<IRoom> {
 
 	findByBroadcast(options?: FindOptions<IRoom>): FindCursor<IRoom>;
 
+	countAbacEnabled(): Promise<number>;
+
 	setAsFederated(roomId: IRoom['_id'], { mrid, origin }: { mrid: string; origin: string }): Promise<UpdateResult>;
 
 	setRoomTypeById(roomId: IRoom['_id'], roomType: IRoom['t']): Promise<UpdateResult>;
@@ -218,6 +223,7 @@ export interface IRoomsModel extends IBaseModel<IRoom> {
 	findByIds(rids: string[], options?: FindOptions<IRoom>): FindCursor<IRoom>;
 	findByType(type: IRoom['t'], options?: FindOptions<IRoom>): FindCursor<IRoom>;
 	findByTypeInIds(type: IRoom['t'], ids: string[], options?: FindOptions<IRoom>): FindCursor<IRoom>;
+	findPrivateRoomsByIdsWithAbacAttributes(ids: string[], options?: FindOptions<IRoom>): FindCursor<IRoom>;
 	findBySubscriptionUserId(userId: string, options?: FindOptions<IRoom>): Promise<FindCursor<IRoom>>;
 	findBySubscriptionUserIdUpdatedAfter(userId: string, updatedAfter: Date, options?: FindOptions<IRoom>): Promise<FindCursor<IRoom>>;
 	findByNameAndTypeNotDefault(
@@ -316,4 +322,11 @@ export interface IRoomsModel extends IBaseModel<IRoom> {
 	markRolePrioritesCreatedForRoom(rid: IRoom['_id'], version: number): Promise<UpdateResult>;
 	hasCreatedRolePrioritiesForRoom(rid: IRoom['_id'], syncVersion: number): Promise<number>;
 	countDistinctFederationRoomsExcluding(serverNames?: string[]): Promise<string[]>;
+	updateAbacConfigurationById(rid: IRoom['_id'], abac: boolean): Promise<UpdateResult>;
+	setAbacAttributesById(rid: IRoom['_id'], attributes: NonNullable<IRoom['abacAttributes']>): Promise<IRoom | null>;
+	unsetAbacAttributesById(rid: IRoom['_id']): Promise<UpdateResult>;
+	updateSingleAbacAttributeValuesById(rid: IRoom['_id'], key: string, values: string[]): Promise<UpdateResult>;
+	insertAbacAttributeIfNotExistsById(rid: IRoom['_id'], key: string, values: string[]): Promise<IRoom | null>;
+	updateAbacAttributeValuesArrayFilteredById(rid: IRoom['_id'], key: string, values: string[]): Promise<IRoom | null>;
+	removeAbacAttributeByRoomIdAndKey(rid: IRoom['_id'], key: string): Promise<UpdateResult>;
 }
diff --git a/packages/model-typings/src/models/ISubscriptionsModel.ts b/packages/model-typings/src/models/ISubscriptionsModel.ts
index c8e1e9ed6c5..7958feae702 100644
--- a/packages/model-typings/src/models/ISubscriptionsModel.ts
+++ b/packages/model-typings/src/models/ISubscriptionsModel.ts
@@ -338,4 +338,5 @@ export interface ISubscriptionsModel extends IBaseModel<ISubscription> {
 	findUserFederatedRoomIds(userId: IUser['_id']): AggregationCursor<{ _id: IRoom['_id']; externalRoomId: string }>;
 	findInvitedSubscription(roomId: ISubscription['rid'], userId: ISubscription['u']['_id']): Promise<ISubscription | null>;
 	acceptInvitationById(subscriptionId: ISubscription['_id']): Promise<UpdateResult>;
+	setAbacLastTimeCheckedByUserIdAndRoomId(userId: string, roomId: string, time: Date): Promise<UpdateResult>;
 }
diff --git a/packages/model-typings/src/models/IUsersModel.ts b/packages/model-typings/src/models/IUsersModel.ts
index 66cc22607f9..1a92d53622b 100644
--- a/packages/model-typings/src/models/IUsersModel.ts
+++ b/packages/model-typings/src/models/IUsersModel.ts
@@ -91,6 +91,10 @@ export interface IUsersModel extends IBaseModel<IUser> {
 	findOneByLDAPId<T extends Document = IUser>(id: string, attribute?: string): Promise<T | null>;
 
 	findOneByAppId<T extends Document = IUser>(appId: string, options?: FindOptions<IUser>): Promise<T | null>;
+	findUsersByIdentifiers(
+		params: { usernames?: string[]; ids?: string[]; emails?: string[]; ldapIds?: string[] },
+		options?: FindOptions<IUser>,
+	): FindCursor<IUser>;
 
 	findLDAPUsers<T extends Document = IUser>(options?: FindOptions<IUser>): FindCursor<T>;
 
@@ -157,6 +161,9 @@ export interface IUsersModel extends IBaseModel<IUser> {
 
 	getUserLanguages(): Promise<{ _id: string; total: number }[]>;
 
+	setAbacAttributesById(userId: IUser['_id'], attributes: NonNullable<IUser['abacAttributes']>): Promise<IUser | null>;
+	unsetAbacAttributesById(userId: IUser['_id']): Promise<IUser | null>;
+
 	updateStatusText(_id: IUser['_id'], statusText: string, options?: UpdateOptions): Promise<UpdateResult>;
 
 	updateStatusByAppId(appId: string, status: UserStatus): Promise<UpdateResult | Document>;
diff --git a/packages/models/src/index.ts b/packages/models/src/index.ts
index dc77a653dcd..27d3fa41e81 100644
--- a/packages/models/src/index.ts
+++ b/packages/models/src/index.ts
@@ -92,6 +92,7 @@ import type {
 	IMediaCallChannelsModel,
 	IMediaCallNegotiationsModel,
 	ICallHistoryModel,
+	IAbacAttributesModel,
 } from '@rocket.chat/model-typings';
 import type { Collection, Db } from 'mongodb';
 
@@ -118,6 +119,8 @@ import {
 	TeamRaw,
 	UsersRaw,
 	UsersSessionsRaw,
+	AbacAttributesRaw,
+	ServerEventsRaw,
 } from './modelClasses';
 import { proxify, registerModel } from './proxify';
 
@@ -226,6 +229,7 @@ export const CronHistory = proxify<ICronHistoryModel>('ICronHistoryModel');
 export const Migrations = proxify<IMigrationsModel>('IMigrationsModel');
 export const ModerationReports = proxify<IModerationReportsModel>('IModerationReportsModel');
 export const WorkspaceCredentials = proxify<IWorkspaceCredentialsModel>('IWorkspaceCredentialsModel');
+export const AbacAttributes = proxify<IAbacAttributesModel>('IAbacAttributesModel');
 
 export function registerServiceModels(db: Db, trash?: Collection<RocketChatRecordDeleted<any>>): void {
 	registerModel('ISettingsModel', () => new SettingsRaw(db, trash as Collection<RocketChatRecordDeleted<ISetting>>));
@@ -260,6 +264,8 @@ export function registerServiceModels(db: Db, trash?: Collection<RocketChatRecor
 	registerModel('ILivechatRoomsModel', () => new LivechatRoomsRaw(db));
 	registerModel('IUploadsModel', () => new UploadsRaw(db));
 	registerModel('ILivechatVisitorsModel', () => new LivechatVisitorsRaw(db));
+	registerModel('IAbacAttributesModel', () => new AbacAttributesRaw(db));
+	registerModel('IServerEventsModel', () => new ServerEventsRaw(db));
 }
 
 if (!dbWatchersDisabled) {
diff --git a/packages/models/src/modelClasses.ts b/packages/models/src/modelClasses.ts
index bb7c60fd209..04405a18c4d 100644
--- a/packages/models/src/modelClasses.ts
+++ b/packages/models/src/modelClasses.ts
@@ -1,4 +1,5 @@
 export * from './models/BaseRaw';
+export * from './models/AbacAttributes';
 export * from './models/Analytics';
 export * from './models/Apps';
 export * from './models/AppsPersistence';
diff --git a/packages/models/src/models/AbacAttributes.ts b/packages/models/src/models/AbacAttributes.ts
new file mode 100644
index 00000000000..750c6bcfe7a
--- /dev/null
+++ b/packages/models/src/models/AbacAttributes.ts
@@ -0,0 +1,39 @@
+import type { IAbacAttribute } from '@rocket.chat/core-typings';
+import type { Db, FindOptions, IndexDescription } from 'mongodb';
+
+import { BaseRaw } from './BaseRaw';
+
+export class AbacAttributesRaw extends BaseRaw<IAbacAttribute> {
+	constructor(db: Db) {
+		super(db, 'abac_attributes');
+	}
+
+	protected override modelIndexes(): IndexDescription[] {
+		return [{ key: { key: 1 }, unique: true }, { key: { values: 1 } }];
+	}
+
+	findOneByKey(key: string, options: FindOptions<IAbacAttribute> = {}): Promise<IAbacAttribute | null> {
+		return this.findOne({ key }, options);
+	}
+
+	async countTotalValues(): Promise<number> {
+		const [result] = await this.col
+			.aggregate<{ totalValues: number }>([
+				{
+					$group: {
+						_id: null,
+						totalValues: {
+							$sum: {
+								$size: {
+									$ifNull: ['$values', []],
+								},
+							},
+						},
+					},
+				},
+			])
+			.toArray();
+
+		return result?.totalValues ?? 0;
+	}
+}
diff --git a/packages/models/src/models/Rooms.ts b/packages/models/src/models/Rooms.ts
index 949014bc360..d0bc2cc13f3 100644
--- a/packages/models/src/models/Rooms.ts
+++ b/packages/models/src/models/Rooms.ts
@@ -110,9 +110,31 @@ export class RoomsRaw extends BaseRaw<IRoom> implements IRoomsModel {
 					},
 				},
 			},
+			{
+				key: { 'abacAttributes.key': 1, 'abacAttributes.values': 1 },
+				partialFilterExpression: { abacAttributes: { $exists: true } },
+			},
 		];
 	}
 
+	async isAbacAttributeInUse(key: string, values: string[]): Promise<boolean> {
+		if (!values.length) {
+			return false;
+		}
+		const room = await this.findOne(
+			{
+				abacAttributes: {
+					$elemMatch: {
+						key,
+						values: { $in: values },
+					},
+				},
+			},
+			{ projection: { _id: 1 } },
+		);
+		return !!room;
+	}
+
 	findOneByRoomIdAndUserId(rid: IRoom['_id'], uid: IUser['_id'], options: FindOptions<IRoom> = {}): Promise<IRoom | null> {
 		const query: Filter<IRoom> = {
 			'_id': rid,
@@ -218,6 +240,26 @@ export class RoomsRaw extends BaseRaw<IRoom> implements IRoomsModel {
 		return this.findPaginated(query, options);
 	}
 
+	findPrivateRoomsAndTeamsPaginated(name: NonNullable<IRoom['name']>, options: FindOptions<IRoom> = {}): FindPaginated<FindCursor<IRoom>> {
+		const nameRegex = new RegExp(escapeRegExp(name).trim(), 'i');
+
+		const nameCondition: Filter<IRoom> = {
+			$or: [{ name: nameRegex, federated: { $ne: true } }, { fname: nameRegex }],
+		};
+
+		const query: Filter<IRoom> = {
+			$and: [
+				name ? nameCondition : {},
+				{
+					t: 'p',
+				},
+			],
+			prid: { $exists: false },
+		};
+
+		return this.findPaginated(query, options);
+	}
+
 	findByTeamId(teamId: ITeam['_id'], options: FindOptions<IRoom> = {}): FindCursor<IRoom> {
 		const query: Filter<IRoom> = {
 			teamId,
@@ -1255,6 +1297,16 @@ export class RoomsRaw extends BaseRaw<IRoom> implements IRoomsModel {
 		return this.find(query, options);
 	}
 
+	findPrivateRoomsByIdsWithAbacAttributes(ids: Array<IRoom['_id']>, options: FindOptions<IRoom> = {}): FindCursor<IRoom> {
+		const query: Filter<IRoom> = {
+			_id: { $in: ids },
+			t: 'p',
+			abacAttributes: { $exists: true, $ne: [] },
+		};
+
+		return this.find(query, options);
+	}
+
 	async findBySubscriptionUserId(userId: IUser['_id'], options: FindOptions<IRoom> = {}): Promise<FindCursor<IRoom>> {
 		const data = (await Subscriptions.findByUserId(userId, { projection: { rid: 1 } }).toArray()).map((item) => item.rid);
 
@@ -1932,6 +1984,64 @@ export class RoomsRaw extends BaseRaw<IRoom> implements IRoomsModel {
 		return this.updateOne(query, update);
 	}
 
+	updateAbacConfigurationById(_id: IRoom['_id'], value: boolean): Promise<UpdateResult> {
+		const query: Filter<IRoom> = { _id };
+
+		const update: UpdateFilter<IRoom> = {
+			$set: {
+				abac: value === true,
+			},
+		};
+
+		return this.updateOne(query, update);
+	}
+
+	setAbacAttributesById(_id: IRoom['_id'], attributes: NonNullable<IRoom['abacAttributes']>): Promise<IRoom | null> {
+		return this.findOneAndUpdate({ _id }, { $set: { abacAttributes: attributes } }, { returnDocument: 'after' });
+	}
+
+	unsetAbacAttributesById(_id: IRoom['_id']): Promise<UpdateResult> {
+		return this.updateOne({ _id }, { $unset: { abacAttributes: 1 } });
+	}
+
+	updateSingleAbacAttributeValuesById(_id: IRoom['_id'], key: string, values: string[]): Promise<UpdateResult> {
+		const query: Filter<IRoom> = { _id, 'abacAttributes.key': key };
+
+		const update: UpdateFilter<IRoom> = {
+			$set: {
+				'abacAttributes.$.values': values,
+			},
+		};
+
+		return this.updateOne(query, update);
+	}
+
+	insertAbacAttributeIfNotExistsById(_id: IRoom['_id'], key: string, values: string[]): Promise<IRoom | null> {
+		return this.findOneAndUpdate(
+			{ _id, 'abacAttributes.key': { $ne: key } },
+			{ $push: { abacAttributes: { key, values } } },
+			{ returnDocument: 'after', projection: { abacAttributes: 1 } },
+		) as unknown as Promise<IRoom | null>;
+	}
+
+	updateAbacAttributeValuesArrayFilteredById(_id: IRoom['_id'], key: string, values: string[]): Promise<IRoom | null> {
+		return this.findOneAndUpdate(
+			{ _id },
+			{ $set: { 'abacAttributes.$[attr].values': values } },
+			{ arrayFilters: [{ 'attr.key': key }], returnDocument: 'after' },
+		);
+	}
+
+	removeAbacAttributeByRoomIdAndKey(_id: IRoom['_id'], key: string): Promise<UpdateResult> {
+		const query: Filter<IRoom> = { _id };
+		const update: UpdateFilter<IRoom> = {
+			$pull: {
+				abacAttributes: { key },
+			},
+		};
+		return this.updateOne(query, update);
+	}
+
 	updateGroupDMsRemovingUsernamesByUsername(username: string, userId: string): Promise<Document | UpdateResult> {
 		const query: Filter<IRoom> = {
 			t: 'd',
@@ -2231,4 +2341,8 @@ export class RoomsRaw extends BaseRaw<IRoom> implements IRoomsModel {
 		// TODO implement
 		return [];
 	}
+
+	countAbacEnabled(): Promise<number> {
+		return this.countDocuments({ abacAttributes: { $exists: true }, archived: { $ne: true } });
+	}
 }
diff --git a/packages/models/src/models/Subscriptions.ts b/packages/models/src/models/Subscriptions.ts
index 99b50ef84de..e73a4c19134 100644
--- a/packages/models/src/models/Subscriptions.ts
+++ b/packages/models/src/models/Subscriptions.ts
@@ -2110,4 +2110,19 @@ export class SubscriptionsRaw extends BaseRaw<ISubscription> implements ISubscri
 			},
 		);
 	}
+
+	setAbacLastTimeCheckedByUserIdAndRoomId(userId: string, roomId: string, time: Date): Promise<UpdateResult> {
+		const query = {
+			'rid': roomId,
+			'u._id': userId,
+		};
+
+		const update: UpdateFilter<ISubscription> = {
+			$set: {
+				abacLastTimeChecked: time,
+			},
+		};
+
+		return this.updateOne(query, update);
+	}
 }
diff --git a/packages/models/src/models/Users.ts b/packages/models/src/models/Users.ts
index dd11568dff7..49b50370578 100644
--- a/packages/models/src/models/Users.ts
+++ b/packages/models/src/models/Users.ts
@@ -129,6 +129,46 @@ export class UsersRaw extends BaseRaw<IUser, DefaultFields<IUser>> implements IU
 		];
 	}
 
+	findUsersByIdentifiers(
+		{ usernames, ids, emails, ldapIds }: { usernames?: string[]; ids?: string[]; emails?: string[]; ldapIds?: string[] },
+		options: FindOptions<IUser> = {},
+	): FindCursor<IUser> {
+		const normalizedIds = (ids ?? []).filter(Boolean);
+		const normalizedUsernames = (usernames ?? []).filter(Boolean);
+		const normalizedEmails = (emails ?? []).map((e) => String(e).trim()).filter(Boolean);
+		const normalizedLdapIds = (ldapIds ?? []).filter(Boolean);
+
+		const or: Filter<IUser>[] = [];
+
+		if (normalizedIds.length) {
+			or.push({ _id: { $in: normalizedIds } });
+		}
+		if (normalizedUsernames.length) {
+			or.push({ username: { $in: normalizedUsernames } });
+		}
+		if (normalizedEmails.length) {
+			or.push({ 'emails.address': { $in: normalizedEmails } });
+		}
+		if (normalizedLdapIds.length) {
+			or.push({ 'services.ldap.id': { $in: normalizedLdapIds } });
+		}
+
+		const query: Filter<IUser> = {
+			active: true,
+			$or: or,
+		};
+
+		return this.find(query, options);
+	}
+
+	setAbacAttributesById(_id: IUser['_id'], attributes: NonNullable<IUser['abacAttributes']>) {
+		return this.findOneAndUpdate({ _id }, { $set: { abacAttributes: attributes } }, { returnDocument: 'after' });
+	}
+
+	unsetAbacAttributesById(_id: IUser['_id']) {
+		return this.findOneAndUpdate({ _id }, { $unset: { abacAttributes: 1 } }, { returnDocument: 'after' });
+	}
+
 	/**
 	 * @param {string} uid
 	 * @param {IRole['_id'][]} roles list of role ids
diff --git a/yarn.lock b/yarn.lock
index 36545d2a25b..f0bf761fe3e 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -4064,6 +4064,20 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@jest/console@npm:30.0.5":
+  version: 30.0.5
+  resolution: "@jest/console@npm:30.0.5"
+  dependencies:
+    "@jest/types": "npm:30.0.5"
+    "@types/node": "npm:*"
+    chalk: "npm:^4.1.2"
+    jest-message-util: "npm:30.0.5"
+    jest-util: "npm:30.0.5"
+    slash: "npm:^3.0.0"
+  checksum: 10/df991610228b3544c5d93282d144f211960c526f2699a9f25bf6e9f76fbc1e7fbcdf7df994da6b55f44f5459aafee3e78a4d323d59f6ac3ca614ccd07841060f
+  languageName: node
+  linkType: hard
+
 "@jest/console@npm:30.2.0":
   version: 30.2.0
   resolution: "@jest/console@npm:30.2.0"
@@ -4092,6 +4106,47 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@jest/core@npm:30.0.5":
+  version: 30.0.5
+  resolution: "@jest/core@npm:30.0.5"
+  dependencies:
+    "@jest/console": "npm:30.0.5"
+    "@jest/pattern": "npm:30.0.1"
+    "@jest/reporters": "npm:30.0.5"
+    "@jest/test-result": "npm:30.0.5"
+    "@jest/transform": "npm:30.0.5"
+    "@jest/types": "npm:30.0.5"
+    "@types/node": "npm:*"
+    ansi-escapes: "npm:^4.3.2"
+    chalk: "npm:^4.1.2"
+    ci-info: "npm:^4.2.0"
+    exit-x: "npm:^0.2.2"
+    graceful-fs: "npm:^4.2.11"
+    jest-changed-files: "npm:30.0.5"
+    jest-config: "npm:30.0.5"
+    jest-haste-map: "npm:30.0.5"
+    jest-message-util: "npm:30.0.5"
+    jest-regex-util: "npm:30.0.1"
+    jest-resolve: "npm:30.0.5"
+    jest-resolve-dependencies: "npm:30.0.5"
+    jest-runner: "npm:30.0.5"
+    jest-runtime: "npm:30.0.5"
+    jest-snapshot: "npm:30.0.5"
+    jest-util: "npm:30.0.5"
+    jest-validate: "npm:30.0.5"
+    jest-watcher: "npm:30.0.5"
+    micromatch: "npm:^4.0.8"
+    pretty-format: "npm:30.0.5"
+    slash: "npm:^3.0.0"
+  peerDependencies:
+    node-notifier: ^8.0.1 || ^9.0.0 || ^10.0.0
+  peerDependenciesMeta:
+    node-notifier:
+      optional: true
+  checksum: 10/8299628ce0e2552361a5ddd5b4df3f0999c5f6eda00e16ae8e80f9640127776ea38eaa2893821606ccb8e6dc16855f18212cbc98213bd908625002824febc2bc
+  languageName: node
+  linkType: hard
+
 "@jest/core@npm:30.2.0":
   version: 30.2.0
   resolution: "@jest/core@npm:30.2.0"
@@ -4220,6 +4275,18 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@jest/environment@npm:30.0.5":
+  version: 30.0.5
+  resolution: "@jest/environment@npm:30.0.5"
+  dependencies:
+    "@jest/fake-timers": "npm:30.0.5"
+    "@jest/types": "npm:30.0.5"
+    "@types/node": "npm:*"
+    jest-mock: "npm:30.0.5"
+  checksum: 10/b7104cd1dbb5d7e0ed250df959fd98cdc6cbc05d2f0b8a4bf0d8d24121d74e263b94df3fb0d967a382e2ac0003adcbd44a121fbffb2e03f30a26aa7117c52c76
+  languageName: node
+  linkType: hard
+
 "@jest/environment@npm:30.2.0":
   version: 30.2.0
   resolution: "@jest/environment@npm:30.2.0"
@@ -4271,6 +4338,16 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@jest/expect@npm:30.0.5":
+  version: 30.0.5
+  resolution: "@jest/expect@npm:30.0.5"
+  dependencies:
+    expect: "npm:30.0.5"
+    jest-snapshot: "npm:30.0.5"
+  checksum: 10/e51954d86941b05641f1a0aa0fb9ec10ea82008feabdd085c7b05a97d3a84cc5f9fc5cd7f15822bcde0648f233717911d2f2891b3870ac3caf95d10d42b00da8
+  languageName: node
+  linkType: hard
+
 "@jest/expect@npm:30.2.0":
   version: 30.2.0
   resolution: "@jest/expect@npm:30.2.0"
@@ -4291,6 +4368,20 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@jest/fake-timers@npm:30.0.5":
+  version: 30.0.5
+  resolution: "@jest/fake-timers@npm:30.0.5"
+  dependencies:
+    "@jest/types": "npm:30.0.5"
+    "@sinonjs/fake-timers": "npm:^13.0.0"
+    "@types/node": "npm:*"
+    jest-message-util: "npm:30.0.5"
+    jest-mock: "npm:30.0.5"
+    jest-util: "npm:30.0.5"
+  checksum: 10/5c3b3ad1c940c24b64f77b9ba953b627a8f648bc4dbdba03f497cc9257dc220fd7efedd2f855d9e49c84079e1ff2cbb0e1d1a9e8beb460a0ce7c07ff0ac348fc
+  languageName: node
+  linkType: hard
+
 "@jest/fake-timers@npm:30.2.0":
   version: 30.2.0
   resolution: "@jest/fake-timers@npm:30.2.0"
@@ -4333,6 +4424,18 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@jest/globals@npm:30.0.5":
+  version: 30.0.5
+  resolution: "@jest/globals@npm:30.0.5"
+  dependencies:
+    "@jest/environment": "npm:30.0.5"
+    "@jest/expect": "npm:30.0.5"
+    "@jest/types": "npm:30.0.5"
+    jest-mock: "npm:30.0.5"
+  checksum: 10/44091f5d8386bf5cadd7d36e2fb36b0794b2dd1e0c866d4cecceaf12f9304bb139544a597b1d1edf4c8158baa5684042bcfda4bc9a5603bd2c41c17509c4151b
+  languageName: node
+  linkType: hard
+
 "@jest/globals@npm:30.2.0":
   version: 30.2.0
   resolution: "@jest/globals@npm:30.2.0"
@@ -4367,6 +4470,42 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@jest/reporters@npm:30.0.5":
+  version: 30.0.5
+  resolution: "@jest/reporters@npm:30.0.5"
+  dependencies:
+    "@bcoe/v8-coverage": "npm:^0.2.3"
+    "@jest/console": "npm:30.0.5"
+    "@jest/test-result": "npm:30.0.5"
+    "@jest/transform": "npm:30.0.5"
+    "@jest/types": "npm:30.0.5"
+    "@jridgewell/trace-mapping": "npm:^0.3.25"
+    "@types/node": "npm:*"
+    chalk: "npm:^4.1.2"
+    collect-v8-coverage: "npm:^1.0.2"
+    exit-x: "npm:^0.2.2"
+    glob: "npm:^10.3.10"
+    graceful-fs: "npm:^4.2.11"
+    istanbul-lib-coverage: "npm:^3.0.0"
+    istanbul-lib-instrument: "npm:^6.0.0"
+    istanbul-lib-report: "npm:^3.0.0"
+    istanbul-lib-source-maps: "npm:^5.0.0"
+    istanbul-reports: "npm:^3.1.3"
+    jest-message-util: "npm:30.0.5"
+    jest-util: "npm:30.0.5"
+    jest-worker: "npm:30.0.5"
+    slash: "npm:^3.0.0"
+    string-length: "npm:^4.0.2"
+    v8-to-istanbul: "npm:^9.0.1"
+  peerDependencies:
+    node-notifier: ^8.0.1 || ^9.0.0 || ^10.0.0
+  peerDependenciesMeta:
+    node-notifier:
+      optional: true
+  checksum: 10/8272e6dbe26fc1252fc54fe147be188a13ff577a96f523964b16b3fede87a6f648949256423537720a2ac179f9e5050c349afb995922a9874f4cf4480d15021e
+  languageName: node
+  linkType: hard
+
 "@jest/reporters@npm:30.2.0":
   version: 30.2.0
   resolution: "@jest/reporters@npm:30.2.0"
@@ -4458,6 +4597,18 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@jest/snapshot-utils@npm:30.0.5":
+  version: 30.0.5
+  resolution: "@jest/snapshot-utils@npm:30.0.5"
+  dependencies:
+    "@jest/types": "npm:30.0.5"
+    chalk: "npm:^4.1.2"
+    graceful-fs: "npm:^4.2.11"
+    natural-compare: "npm:^1.4.0"
+  checksum: 10/f132296d8851c562f6c44d78ea29c7c216d0498e24f45b5f6c1113a2f1c5de61841e398cb90cfaf36dc9370a95d4e9c7ccbc0f88e348aa835d81f3523da7f002
+  languageName: node
+  linkType: hard
+
 "@jest/snapshot-utils@npm:30.2.0":
   version: 30.2.0
   resolution: "@jest/snapshot-utils@npm:30.2.0"
@@ -4492,6 +4643,18 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@jest/test-result@npm:30.0.5":
+  version: 30.0.5
+  resolution: "@jest/test-result@npm:30.0.5"
+  dependencies:
+    "@jest/console": "npm:30.0.5"
+    "@jest/types": "npm:30.0.5"
+    "@types/istanbul-lib-coverage": "npm:^2.0.6"
+    collect-v8-coverage: "npm:^1.0.2"
+  checksum: 10/41682497c98f5b8b2b9e81e3ce3a540418bdca7bce358b4dddf3c63abdb90d57476d89042ebc98e0acd5ea870ace17e1ed3b4b45df05e32cdaa970c1e4aca0d9
+  languageName: node
+  linkType: hard
+
 "@jest/test-result@npm:30.2.0":
   version: 30.2.0
   resolution: "@jest/test-result@npm:30.2.0"
@@ -4516,6 +4679,18 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@jest/test-sequencer@npm:30.0.5":
+  version: 30.0.5
+  resolution: "@jest/test-sequencer@npm:30.0.5"
+  dependencies:
+    "@jest/test-result": "npm:30.0.5"
+    graceful-fs: "npm:^4.2.11"
+    jest-haste-map: "npm:30.0.5"
+    slash: "npm:^3.0.0"
+  checksum: 10/f73ce9513d858861602c74f5e04124f2b9e3718faed9efaa1b7de1ffbab1d388e9698e3e10b80f0d8f4cf87d3fd3e67f2b39ab9e6f1429d3779f7bad8fac98de
+  languageName: node
+  linkType: hard
+
 "@jest/test-sequencer@npm:30.2.0":
   version: 30.2.0
   resolution: "@jest/test-sequencer@npm:30.2.0"
@@ -4540,6 +4715,29 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@jest/transform@npm:30.0.5":
+  version: 30.0.5
+  resolution: "@jest/transform@npm:30.0.5"
+  dependencies:
+    "@babel/core": "npm:^7.27.4"
+    "@jest/types": "npm:30.0.5"
+    "@jridgewell/trace-mapping": "npm:^0.3.25"
+    babel-plugin-istanbul: "npm:^7.0.0"
+    chalk: "npm:^4.1.2"
+    convert-source-map: "npm:^2.0.0"
+    fast-json-stable-stringify: "npm:^2.1.0"
+    graceful-fs: "npm:^4.2.11"
+    jest-haste-map: "npm:30.0.5"
+    jest-regex-util: "npm:30.0.1"
+    jest-util: "npm:30.0.5"
+    micromatch: "npm:^4.0.8"
+    pirates: "npm:^4.0.7"
+    slash: "npm:^3.0.0"
+    write-file-atomic: "npm:^5.0.1"
+  checksum: 10/2b3e0bc39aa6ff0c521f9fff4724e3ca1d720cd51f6fd3a97a18d832f66b3f7d021f38fb2d26053461a32577ef187fe5e2d636050be419aefd0d06d23ea1d35a
+  languageName: node
+  linkType: hard
+
 "@jest/transform@npm:30.2.0":
   version: 30.2.0
   resolution: "@jest/transform@npm:30.2.0"
@@ -8075,6 +8273,28 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@rocket.chat/abac@workspace:^, @rocket.chat/abac@workspace:ee/packages/abac":
+  version: 0.0.0-use.local
+  resolution: "@rocket.chat/abac@workspace:ee/packages/abac"
+  dependencies:
+    "@rocket.chat/core-services": "workspace:^"
+    "@rocket.chat/core-typings": "workspace:^"
+    "@rocket.chat/eslint-config": "workspace:^"
+    "@rocket.chat/logger": "workspace:^"
+    "@rocket.chat/models": "workspace:^"
+    "@rocket.chat/tsconfig": "workspace:*"
+    "@types/jest": "npm:~30.0.0"
+    "@types/node": "npm:~22.16.1"
+    eslint: "npm:~8.45.0"
+    jest: "npm:~30.0.5"
+    mem: "npm:^8.1.1"
+    mongodb: "npm:6.10.0"
+    mongodb-memory-server: "npm:^10.1.4"
+    p-limit: "npm:3.1.0"
+    typescript: "npm:~5.9.2"
+  languageName: unknown
+  linkType: soft
+
 "@rocket.chat/account-service@workspace:ee/apps/account-service":
   version: 0.0.0-use.local
   resolution: "@rocket.chat/account-service@workspace:ee/apps/account-service"
@@ -8216,6 +8436,7 @@ __metadata:
   version: 0.0.0-use.local
   resolution: "@rocket.chat/authorization-service@workspace:ee/apps/authorization-service"
   dependencies:
+    "@rocket.chat/abac": "workspace:^"
     "@rocket.chat/core-services": "workspace:^"
     "@rocket.chat/core-typings": "workspace:^"
     "@rocket.chat/emitter": "npm:~0.31.25"
@@ -9164,6 +9385,7 @@ __metadata:
     "@playwright/test": "npm:^1.52.0"
     "@react-aria/toolbar": "npm:^3.0.0-nightly.5042"
     "@react-pdf/renderer": "npm:^3.4.5"
+    "@rocket.chat/abac": "workspace:^"
     "@rocket.chat/account-utils": "workspace:^"
     "@rocket.chat/agenda": "workspace:^"
     "@rocket.chat/api-client": "workspace:^"
@@ -13910,7 +14132,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@types/node@npm:~22.16.5":
+"@types/node@npm:~22.16.1, @types/node@npm:~22.16.5":
   version: 22.16.5
   resolution: "@types/node@npm:22.16.5"
   dependencies:
@@ -16072,7 +16294,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"async-mutex@npm:~0.5.0":
+"async-mutex@npm:^0.5.0, async-mutex@npm:~0.5.0":
   version: 0.5.0
   resolution: "async-mutex@npm:0.5.0"
   dependencies:
@@ -16266,6 +16488,23 @@ __metadata:
   languageName: node
   linkType: hard
 
+"babel-jest@npm:30.0.5":
+  version: 30.0.5
+  resolution: "babel-jest@npm:30.0.5"
+  dependencies:
+    "@jest/transform": "npm:30.0.5"
+    "@types/babel__core": "npm:^7.20.5"
+    babel-plugin-istanbul: "npm:^7.0.0"
+    babel-preset-jest: "npm:30.0.1"
+    chalk: "npm:^4.1.2"
+    graceful-fs: "npm:^4.2.11"
+    slash: "npm:^3.0.0"
+  peerDependencies:
+    "@babel/core": ^7.11.0
+  checksum: 10/39a36b86484e8d545ff0f83c81fccd4952e6fc68b98015fd72a03ba2a5650edde20412fdf92328200a5cbdd0aed6f1c2982269f590fb0e5f131e0a2533436c81
+  languageName: node
+  linkType: hard
+
 "babel-jest@npm:30.2.0, babel-jest@npm:~30.2.0":
   version: 30.2.0
   resolution: "babel-jest@npm:30.2.0"
@@ -16332,7 +16571,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"babel-plugin-istanbul@npm:^7.0.1, babel-plugin-istanbul@npm:~7.0.1":
+"babel-plugin-istanbul@npm:^7.0.0, babel-plugin-istanbul@npm:^7.0.1, babel-plugin-istanbul@npm:~7.0.1":
   version: 7.0.1
   resolution: "babel-plugin-istanbul@npm:7.0.1"
   dependencies:
@@ -16345,6 +16584,17 @@ __metadata:
   languageName: node
   linkType: hard
 
+"babel-plugin-jest-hoist@npm:30.0.1":
+  version: 30.0.1
+  resolution: "babel-plugin-jest-hoist@npm:30.0.1"
+  dependencies:
+    "@babel/template": "npm:^7.27.2"
+    "@babel/types": "npm:^7.27.3"
+    "@types/babel__core": "npm:^7.20.5"
+  checksum: 10/4d8d0eb3726fb16b85322449fff15fa48404ef92dae48f9b0c956f6d504208e604e4e40fe71665433cb21f35be0faf5b2b11732330f67b3add66728edcfbcb93
+  languageName: node
+  linkType: hard
+
 "babel-plugin-jest-hoist@npm:30.2.0":
   version: 30.2.0
   resolution: "babel-plugin-jest-hoist@npm:30.2.0"
@@ -16438,7 +16688,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"babel-preset-current-node-syntax@npm:^1.2.0":
+"babel-preset-current-node-syntax@npm:^1.1.0, babel-preset-current-node-syntax@npm:^1.2.0":
   version: 1.2.0
   resolution: "babel-preset-current-node-syntax@npm:1.2.0"
   dependencies:
@@ -16463,6 +16713,18 @@ __metadata:
   languageName: node
   linkType: hard
 
+"babel-preset-jest@npm:30.0.1":
+  version: 30.0.1
+  resolution: "babel-preset-jest@npm:30.0.1"
+  dependencies:
+    babel-plugin-jest-hoist: "npm:30.0.1"
+    babel-preset-current-node-syntax: "npm:^1.1.0"
+  peerDependencies:
+    "@babel/core": ^7.11.0
+  checksum: 10/fa37b0fa11baffd983f42663c7a4db61d9b10704bd061333950c3d2a191457930e68e172a93f6675d85cd6a1315fd6954143bda5709a3ba38ef7bd87a13d0aa6
+  languageName: node
+  linkType: hard
+
 "babel-preset-jest@npm:30.2.0":
   version: 30.2.0
   resolution: "babel-preset-jest@npm:30.2.0"
@@ -17145,6 +17407,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"buffer-crc32@npm:~0.2.3":
+  version: 0.2.13
+  resolution: "buffer-crc32@npm:0.2.13"
+  checksum: 10/06252347ae6daca3453b94e4b2f1d3754a3b146a111d81c68924c22d91889a40623264e95e67955b1cb4a68cbedf317abeabb5140a9766ed248973096db5ce1c
+  languageName: node
+  linkType: hard
+
 "buffer-equal-constant-time@npm:1.0.1":
   version: 1.0.1
   resolution: "buffer-equal-constant-time@npm:1.0.1"
@@ -21567,6 +21836,20 @@ __metadata:
   languageName: node
   linkType: hard
 
+"expect@npm:30.0.5, expect@npm:^30.0.0":
+  version: 30.0.5
+  resolution: "expect@npm:30.0.5"
+  dependencies:
+    "@jest/expect-utils": "npm:30.0.5"
+    "@jest/get-type": "npm:30.0.1"
+    jest-matcher-utils: "npm:30.0.5"
+    jest-message-util: "npm:30.0.5"
+    jest-mock: "npm:30.0.5"
+    jest-util: "npm:30.0.5"
+  checksum: 10/48ee8a444bfb7c6b23ca9b416a43f6c418ab698b1c3f59848d711d13b362a393dcc7d30b97ce73e0a15959a98644f51a600e6d76e20091aa7016441899b1e9c4
+  languageName: node
+  linkType: hard
+
 "expect@npm:30.2.0":
   version: 30.2.0
   resolution: "expect@npm:30.2.0"
@@ -21594,20 +21877,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"expect@npm:^30.0.0":
-  version: 30.0.5
-  resolution: "expect@npm:30.0.5"
-  dependencies:
-    "@jest/expect-utils": "npm:30.0.5"
-    "@jest/get-type": "npm:30.0.1"
-    jest-matcher-utils: "npm:30.0.5"
-    jest-message-util: "npm:30.0.5"
-    jest-mock: "npm:30.0.5"
-    jest-util: "npm:30.0.5"
-  checksum: 10/48ee8a444bfb7c6b23ca9b416a43f6c418ab698b1c3f59848d711d13b362a393dcc7d30b97ce73e0a15959a98644f51a600e6d76e20091aa7016441899b1e9c4
-  languageName: node
-  linkType: hard
-
 "expiry-map@npm:^2.0.0":
   version: 2.0.0
   resolution: "expiry-map@npm:2.0.0"
@@ -22023,7 +22292,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"find-cache-dir@npm:^3.2.0, find-cache-dir@npm:^3.3.1":
+"find-cache-dir@npm:^3.2.0, find-cache-dir@npm:^3.3.1, find-cache-dir@npm:^3.3.2":
   version: 3.3.2
   resolution: "find-cache-dir@npm:3.3.2"
   dependencies:
@@ -24884,6 +25153,17 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jest-changed-files@npm:30.0.5":
+  version: 30.0.5
+  resolution: "jest-changed-files@npm:30.0.5"
+  dependencies:
+    execa: "npm:^5.1.1"
+    jest-util: "npm:30.0.5"
+    p-limit: "npm:^3.1.0"
+  checksum: 10/cc2df02d1c05465da4ba05dc6d0868fee69a7389ffa784f5ee2680a915886359d618b291105d46b061e74225d7d999c03701dda56e9f8df04ef815e05bff621b
+  languageName: node
+  linkType: hard
+
 "jest-changed-files@npm:30.2.0":
   version: 30.2.0
   resolution: "jest-changed-files@npm:30.2.0"
@@ -24906,6 +25186,34 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jest-circus@npm:30.0.5":
+  version: 30.0.5
+  resolution: "jest-circus@npm:30.0.5"
+  dependencies:
+    "@jest/environment": "npm:30.0.5"
+    "@jest/expect": "npm:30.0.5"
+    "@jest/test-result": "npm:30.0.5"
+    "@jest/types": "npm:30.0.5"
+    "@types/node": "npm:*"
+    chalk: "npm:^4.1.2"
+    co: "npm:^4.6.0"
+    dedent: "npm:^1.6.0"
+    is-generator-fn: "npm:^2.1.0"
+    jest-each: "npm:30.0.5"
+    jest-matcher-utils: "npm:30.0.5"
+    jest-message-util: "npm:30.0.5"
+    jest-runtime: "npm:30.0.5"
+    jest-snapshot: "npm:30.0.5"
+    jest-util: "npm:30.0.5"
+    p-limit: "npm:^3.1.0"
+    pretty-format: "npm:30.0.5"
+    pure-rand: "npm:^7.0.0"
+    slash: "npm:^3.0.0"
+    stack-utils: "npm:^2.0.6"
+  checksum: 10/ccbfa6a95cbc3dee0f82650c9c6c483c53aac6892d0e167536f1791806b4834e79081f25b7048a5ac890c64df8d9863fca914c259835de4556de5572ed4e95c7
+  languageName: node
+  linkType: hard
+
 "jest-circus@npm:30.2.0":
   version: 30.2.0
   resolution: "jest-circus@npm:30.2.0"
@@ -24962,6 +25270,31 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jest-cli@npm:30.0.5":
+  version: 30.0.5
+  resolution: "jest-cli@npm:30.0.5"
+  dependencies:
+    "@jest/core": "npm:30.0.5"
+    "@jest/test-result": "npm:30.0.5"
+    "@jest/types": "npm:30.0.5"
+    chalk: "npm:^4.1.2"
+    exit-x: "npm:^0.2.2"
+    import-local: "npm:^3.2.0"
+    jest-config: "npm:30.0.5"
+    jest-util: "npm:30.0.5"
+    jest-validate: "npm:30.0.5"
+    yargs: "npm:^17.7.2"
+  peerDependencies:
+    node-notifier: ^8.0.1 || ^9.0.0 || ^10.0.0
+  peerDependenciesMeta:
+    node-notifier:
+      optional: true
+  bin:
+    jest: ./bin/jest.js
+  checksum: 10/228c3b525b2b64513e41cf3afb7cee7195c4574a10d9c05af13ad33e3a56661cf670d2fedc60954e6c3fab6f73a8cf775e47ef1471d06273eedd42c5c6adeeee
+  languageName: node
+  linkType: hard
+
 "jest-cli@npm:30.2.0":
   version: 30.2.0
   resolution: "jest-cli@npm:30.2.0"
@@ -25013,6 +25346,49 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jest-config@npm:30.0.5":
+  version: 30.0.5
+  resolution: "jest-config@npm:30.0.5"
+  dependencies:
+    "@babel/core": "npm:^7.27.4"
+    "@jest/get-type": "npm:30.0.1"
+    "@jest/pattern": "npm:30.0.1"
+    "@jest/test-sequencer": "npm:30.0.5"
+    "@jest/types": "npm:30.0.5"
+    babel-jest: "npm:30.0.5"
+    chalk: "npm:^4.1.2"
+    ci-info: "npm:^4.2.0"
+    deepmerge: "npm:^4.3.1"
+    glob: "npm:^10.3.10"
+    graceful-fs: "npm:^4.2.11"
+    jest-circus: "npm:30.0.5"
+    jest-docblock: "npm:30.0.1"
+    jest-environment-node: "npm:30.0.5"
+    jest-regex-util: "npm:30.0.1"
+    jest-resolve: "npm:30.0.5"
+    jest-runner: "npm:30.0.5"
+    jest-util: "npm:30.0.5"
+    jest-validate: "npm:30.0.5"
+    micromatch: "npm:^4.0.8"
+    parse-json: "npm:^5.2.0"
+    pretty-format: "npm:30.0.5"
+    slash: "npm:^3.0.0"
+    strip-json-comments: "npm:^3.1.1"
+  peerDependencies:
+    "@types/node": "*"
+    esbuild-register: ">=3.4.0"
+    ts-node: ">=9.0.0"
+  peerDependenciesMeta:
+    "@types/node":
+      optional: true
+    esbuild-register:
+      optional: true
+    ts-node:
+      optional: true
+  checksum: 10/3cb313650adfa34d9a383883b7e8eba89df907f38bbdf321db6d151af099479371a8f33143d09e83faf0cea843d37ca9c45edc92e7e15dae8fd72b57c96a1dc6
+  languageName: node
+  linkType: hard
+
 "jest-config@npm:30.2.0":
   version: 30.2.0
   resolution: "jest-config@npm:30.2.0"
@@ -25130,6 +25506,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jest-docblock@npm:30.0.1":
+  version: 30.0.1
+  resolution: "jest-docblock@npm:30.0.1"
+  dependencies:
+    detect-newline: "npm:^3.1.0"
+  checksum: 10/92ebee39282e764cd64bbfffe4a1bbae323e3b01684028c7206aada198314522a8ebe6892660d2ddeeb9a4b8d270a90da8af0fc654502a428e412867d732a459
+  languageName: node
+  linkType: hard
+
 "jest-docblock@npm:30.2.0":
   version: 30.2.0
   resolution: "jest-docblock@npm:30.2.0"
@@ -25148,6 +25533,19 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jest-each@npm:30.0.5":
+  version: 30.0.5
+  resolution: "jest-each@npm:30.0.5"
+  dependencies:
+    "@jest/get-type": "npm:30.0.1"
+    "@jest/types": "npm:30.0.5"
+    chalk: "npm:^4.1.2"
+    jest-util: "npm:30.0.5"
+    pretty-format: "npm:30.0.5"
+  checksum: 10/457512eda80141f99b6c6d350261eb440d545e4a5c357687bc1fdf1719c2d1f41829c8b8f5d1710be02f5e555572d2bad9526e5acb85f901b1066d2ca3dcd2ba
+  languageName: node
+  linkType: hard
+
 "jest-each@npm:30.2.0":
   version: 30.2.0
   resolution: "jest-each@npm:30.2.0"
@@ -25192,6 +25590,21 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jest-environment-node@npm:30.0.5":
+  version: 30.0.5
+  resolution: "jest-environment-node@npm:30.0.5"
+  dependencies:
+    "@jest/environment": "npm:30.0.5"
+    "@jest/fake-timers": "npm:30.0.5"
+    "@jest/types": "npm:30.0.5"
+    "@types/node": "npm:*"
+    jest-mock: "npm:30.0.5"
+    jest-util: "npm:30.0.5"
+    jest-validate: "npm:30.0.5"
+  checksum: 10/2f0a59370660753ae3e4852a7c905fefab00c4b758e1d19c85b1affe715d40e9563bfa1cccef06a116f610c93fcce2b1a94f4ced99fefea060606a2c10964921
+  languageName: node
+  linkType: hard
+
 "jest-environment-node@npm:30.2.0, jest-environment-node@npm:~30.2.0":
   version: 30.2.0
   resolution: "jest-environment-node@npm:30.2.0"
@@ -25238,6 +25651,28 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jest-haste-map@npm:30.0.5":
+  version: 30.0.5
+  resolution: "jest-haste-map@npm:30.0.5"
+  dependencies:
+    "@jest/types": "npm:30.0.5"
+    "@types/node": "npm:*"
+    anymatch: "npm:^3.1.3"
+    fb-watchman: "npm:^2.0.2"
+    fsevents: "npm:^2.3.3"
+    graceful-fs: "npm:^4.2.11"
+    jest-regex-util: "npm:30.0.1"
+    jest-util: "npm:30.0.5"
+    jest-worker: "npm:30.0.5"
+    micromatch: "npm:^4.0.8"
+    walker: "npm:^1.0.8"
+  dependenciesMeta:
+    fsevents:
+      optional: true
+  checksum: 10/3539359589c94a6300c0696fbcfc3df4aad6ee0580cb7873c97a2ae2a009a40e49174b1f25c864302203407e0876e6287fca44b3bbbf7e2c29675436935a347c
+  languageName: node
+  linkType: hard
+
 "jest-haste-map@npm:30.2.0":
   version: 30.2.0
   resolution: "jest-haste-map@npm:30.2.0"
@@ -25295,6 +25730,16 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jest-leak-detector@npm:30.0.5":
+  version: 30.0.5
+  resolution: "jest-leak-detector@npm:30.0.5"
+  dependencies:
+    "@jest/get-type": "npm:30.0.1"
+    pretty-format: "npm:30.0.5"
+  checksum: 10/60ba8c0afb0a20c0cdd8665469aba7f6663d2e94b01db18174db4986b1f50c0f74e979fa1e70ab78c9215ec8e48e6f43de6b0cdd3b3546c53f47b5ea92e343f0
+  languageName: node
+  linkType: hard
+
 "jest-leak-detector@npm:30.2.0":
   version: 30.2.0
   resolution: "jest-leak-detector@npm:30.2.0"
@@ -25524,6 +25969,16 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jest-resolve-dependencies@npm:30.0.5":
+  version: 30.0.5
+  resolution: "jest-resolve-dependencies@npm:30.0.5"
+  dependencies:
+    jest-regex-util: "npm:30.0.1"
+    jest-snapshot: "npm:30.0.5"
+  checksum: 10/8d7d94d96424a8d12e12245a0ed1242262e47587c06fed93aa4c876d549cdd26709dd583775f20b42bbf64e7ab63ba004d560df74989efd8b4cd2e6fbde6acbf
+  languageName: node
+  linkType: hard
+
 "jest-resolve-dependencies@npm:30.2.0":
   version: 30.2.0
   resolution: "jest-resolve-dependencies@npm:30.2.0"
@@ -25544,6 +25999,22 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jest-resolve@npm:30.0.5":
+  version: 30.0.5
+  resolution: "jest-resolve@npm:30.0.5"
+  dependencies:
+    chalk: "npm:^4.1.2"
+    graceful-fs: "npm:^4.2.11"
+    jest-haste-map: "npm:30.0.5"
+    jest-pnp-resolver: "npm:^1.2.3"
+    jest-util: "npm:30.0.5"
+    jest-validate: "npm:30.0.5"
+    slash: "npm:^3.0.0"
+    unrs-resolver: "npm:^1.7.11"
+  checksum: 10/714c5d93a8ea9f2304ecb97fd3dee8634851836606784d0e02ae033da5abc8af7436d495248f2abcb6bab315952881447740cc272c53da128df573676247db01
+  languageName: node
+  linkType: hard
+
 "jest-resolve@npm:30.2.0":
   version: 30.2.0
   resolution: "jest-resolve@npm:30.2.0"
@@ -25577,6 +26048,36 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jest-runner@npm:30.0.5":
+  version: 30.0.5
+  resolution: "jest-runner@npm:30.0.5"
+  dependencies:
+    "@jest/console": "npm:30.0.5"
+    "@jest/environment": "npm:30.0.5"
+    "@jest/test-result": "npm:30.0.5"
+    "@jest/transform": "npm:30.0.5"
+    "@jest/types": "npm:30.0.5"
+    "@types/node": "npm:*"
+    chalk: "npm:^4.1.2"
+    emittery: "npm:^0.13.1"
+    exit-x: "npm:^0.2.2"
+    graceful-fs: "npm:^4.2.11"
+    jest-docblock: "npm:30.0.1"
+    jest-environment-node: "npm:30.0.5"
+    jest-haste-map: "npm:30.0.5"
+    jest-leak-detector: "npm:30.0.5"
+    jest-message-util: "npm:30.0.5"
+    jest-resolve: "npm:30.0.5"
+    jest-runtime: "npm:30.0.5"
+    jest-util: "npm:30.0.5"
+    jest-watcher: "npm:30.0.5"
+    jest-worker: "npm:30.0.5"
+    p-limit: "npm:^3.1.0"
+    source-map-support: "npm:0.5.13"
+  checksum: 10/fd6cf9eff7c4ba256fe7cef4348543ff2baea1ca7784ea21fd5f1f060d2ba7125bc70b17d6b1ac0bad450e88e375a344c6e620e28b9222ec3e12f57d3d9a9d5e
+  languageName: node
+  linkType: hard
+
 "jest-runner@npm:30.2.0":
   version: 30.2.0
   resolution: "jest-runner@npm:30.2.0"
@@ -25636,6 +26137,36 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jest-runtime@npm:30.0.5":
+  version: 30.0.5
+  resolution: "jest-runtime@npm:30.0.5"
+  dependencies:
+    "@jest/environment": "npm:30.0.5"
+    "@jest/fake-timers": "npm:30.0.5"
+    "@jest/globals": "npm:30.0.5"
+    "@jest/source-map": "npm:30.0.1"
+    "@jest/test-result": "npm:30.0.5"
+    "@jest/transform": "npm:30.0.5"
+    "@jest/types": "npm:30.0.5"
+    "@types/node": "npm:*"
+    chalk: "npm:^4.1.2"
+    cjs-module-lexer: "npm:^2.1.0"
+    collect-v8-coverage: "npm:^1.0.2"
+    glob: "npm:^10.3.10"
+    graceful-fs: "npm:^4.2.11"
+    jest-haste-map: "npm:30.0.5"
+    jest-message-util: "npm:30.0.5"
+    jest-mock: "npm:30.0.5"
+    jest-regex-util: "npm:30.0.1"
+    jest-resolve: "npm:30.0.5"
+    jest-snapshot: "npm:30.0.5"
+    jest-util: "npm:30.0.5"
+    slash: "npm:^3.0.0"
+    strip-bom: "npm:^4.0.0"
+  checksum: 10/e62825f5b73e6df259c097a8f46ca032fcfba74f7783e12eeaadae3a9a70b8d15b6718c267ed54fca1267916396d986f295dfdb95bbdfadea486b8998f01476e
+  languageName: node
+  linkType: hard
+
 "jest-runtime@npm:30.2.0":
   version: 30.2.0
   resolution: "jest-runtime@npm:30.2.0"
@@ -25705,6 +26236,35 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jest-snapshot@npm:30.0.5":
+  version: 30.0.5
+  resolution: "jest-snapshot@npm:30.0.5"
+  dependencies:
+    "@babel/core": "npm:^7.27.4"
+    "@babel/generator": "npm:^7.27.5"
+    "@babel/plugin-syntax-jsx": "npm:^7.27.1"
+    "@babel/plugin-syntax-typescript": "npm:^7.27.1"
+    "@babel/types": "npm:^7.27.3"
+    "@jest/expect-utils": "npm:30.0.5"
+    "@jest/get-type": "npm:30.0.1"
+    "@jest/snapshot-utils": "npm:30.0.5"
+    "@jest/transform": "npm:30.0.5"
+    "@jest/types": "npm:30.0.5"
+    babel-preset-current-node-syntax: "npm:^1.1.0"
+    chalk: "npm:^4.1.2"
+    expect: "npm:30.0.5"
+    graceful-fs: "npm:^4.2.11"
+    jest-diff: "npm:30.0.5"
+    jest-matcher-utils: "npm:30.0.5"
+    jest-message-util: "npm:30.0.5"
+    jest-util: "npm:30.0.5"
+    pretty-format: "npm:30.0.5"
+    semver: "npm:^7.7.2"
+    synckit: "npm:^0.11.8"
+  checksum: 10/954d42b201b76bf08f42dc942426176b2d1223aa44fb01260c90d43545bd9bf90ae4f195800d5e83c0b0ad980633a67a60898f190b26ec48c0deb1d63693eeb0
+  languageName: node
+  linkType: hard
+
 "jest-snapshot@npm:30.2.0":
   version: 30.2.0
   resolution: "jest-snapshot@npm:30.2.0"
@@ -25804,6 +26364,20 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jest-validate@npm:30.0.5":
+  version: 30.0.5
+  resolution: "jest-validate@npm:30.0.5"
+  dependencies:
+    "@jest/get-type": "npm:30.0.1"
+    "@jest/types": "npm:30.0.5"
+    camelcase: "npm:^6.3.0"
+    chalk: "npm:^4.1.2"
+    leven: "npm:^3.1.0"
+    pretty-format: "npm:30.0.5"
+  checksum: 10/5f595dae0edb3f8161343e4d07d6f15030a816fcc51aacfea7fb476b78a94d4daf9a06bc416b7458920a4e39266e24ee2cd8565e8465e487cf0e3cb388092fc1
+  languageName: node
+  linkType: hard
+
 "jest-validate@npm:30.2.0":
   version: 30.2.0
   resolution: "jest-validate@npm:30.2.0"
@@ -25849,6 +26423,22 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jest-watcher@npm:30.0.5":
+  version: 30.0.5
+  resolution: "jest-watcher@npm:30.0.5"
+  dependencies:
+    "@jest/test-result": "npm:30.0.5"
+    "@jest/types": "npm:30.0.5"
+    "@types/node": "npm:*"
+    ansi-escapes: "npm:^4.3.2"
+    chalk: "npm:^4.1.2"
+    emittery: "npm:^0.13.1"
+    jest-util: "npm:30.0.5"
+    string-length: "npm:^4.0.2"
+  checksum: 10/e61caeca70ab6fc5608ccf0f4e72add9d56f0bdb0f2a65ee1c9e9c5bbc1b2ffd23e168c505f880d97efb284b8893a51e165c9edd75e30504fee3aa563fc8d4b6
+  languageName: node
+  linkType: hard
+
 "jest-watcher@npm:30.2.0":
   version: 30.2.0
   resolution: "jest-watcher@npm:30.2.0"
@@ -25891,6 +26481,19 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jest-worker@npm:30.0.5":
+  version: 30.0.5
+  resolution: "jest-worker@npm:30.0.5"
+  dependencies:
+    "@types/node": "npm:*"
+    "@ungap/structured-clone": "npm:^1.3.0"
+    jest-util: "npm:30.0.5"
+    merge-stream: "npm:^2.0.0"
+    supports-color: "npm:^8.1.1"
+  checksum: 10/04d9a58ddb210a2efe8ad3f46cf54190a5e29edfe4f11847a51fb753be1b4cda7db52b5a786fae833774506b3b75bee9ad7ef26bef81d85914fbcd63555a1c1a
+  languageName: node
+  linkType: hard
+
 "jest-worker@npm:30.2.0":
   version: 30.2.0
   resolution: "jest-worker@npm:30.2.0"
@@ -25957,6 +26560,25 @@ __metadata:
   languageName: node
   linkType: hard
 
+"jest@npm:~30.0.5":
+  version: 30.0.5
+  resolution: "jest@npm:30.0.5"
+  dependencies:
+    "@jest/core": "npm:30.0.5"
+    "@jest/types": "npm:30.0.5"
+    import-local: "npm:^3.2.0"
+    jest-cli: "npm:30.0.5"
+  peerDependencies:
+    node-notifier: ^8.0.1 || ^9.0.0 || ^10.0.0
+  peerDependenciesMeta:
+    node-notifier:
+      optional: true
+  bin:
+    jest: ./bin/jest.js
+  checksum: 10/76f0c7f5d43d42a1bc515f683ba4b8978940e5fb0663af8dd0506fc7da6be4d4847f2e1cb8a846632cd62099949c63be69f2f810350a973b029af2d7155ae03a
+  languageName: node
+  linkType: hard
+
 "jest@npm:~30.2.0":
   version: 30.2.0
   resolution: "jest@npm:30.2.0"
@@ -28191,6 +28813,36 @@ __metadata:
   languageName: node
   linkType: hard
 
+"mongodb-memory-server-core@npm:10.2.3":
+  version: 10.2.3
+  resolution: "mongodb-memory-server-core@npm:10.2.3"
+  dependencies:
+    async-mutex: "npm:^0.5.0"
+    camelcase: "npm:^6.3.0"
+    debug: "npm:^4.4.1"
+    find-cache-dir: "npm:^3.3.2"
+    follow-redirects: "npm:^1.15.9"
+    https-proxy-agent: "npm:^7.0.6"
+    mongodb: "npm:^6.9.0"
+    new-find-package-json: "npm:^2.0.0"
+    semver: "npm:^7.7.2"
+    tar-stream: "npm:^3.1.7"
+    tslib: "npm:^2.8.1"
+    yauzl: "npm:^3.2.0"
+  checksum: 10/eaf497167ed17fdbc464df5c26d8a9fa42e7acd3ca40c0646b6e0f27d92e31a37248191caadbefdc88c2b91ff7906465f11fd4c120e9e2c56805130723c00c24
+  languageName: node
+  linkType: hard
+
+"mongodb-memory-server@npm:^10.1.4":
+  version: 10.2.3
+  resolution: "mongodb-memory-server@npm:10.2.3"
+  dependencies:
+    mongodb-memory-server-core: "npm:10.2.3"
+    tslib: "npm:^2.8.1"
+  checksum: 10/72167e4ca7b9c188aeededa2f4920f7a92d9a18ff6dcc4f5549cefe6ec2eebccf045a72fc0ce3b0e529d055f2f6dc38cf59dca792c3d3a3c62c2ea1d81faf936
+  languageName: node
+  linkType: hard
+
 "mongodb@npm:6.10.0":
   version: 6.10.0
   resolution: "mongodb@npm:6.10.0"
@@ -28395,6 +29047,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"new-find-package-json@npm:^2.0.0":
+  version: 2.0.0
+  resolution: "new-find-package-json@npm:2.0.0"
+  dependencies:
+    debug: "npm:^4.3.4"
+  checksum: 10/5488ead794bd506894ddd8f3ac6240615e625ce56241ed6ff41a5ff46bdf495a81881bef6d25a3aa16d25f742e86e5629c2d052cd2f60530db3a85b2b1bd146c
+  languageName: node
+  linkType: hard
+
 "nise@npm:^6.1.1":
   version: 6.1.1
   resolution: "nise@npm:6.1.1"
@@ -29198,6 +29859,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"p-limit@npm:3.1.0, p-limit@npm:^3.0.1, p-limit@npm:^3.0.2, p-limit@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "p-limit@npm:3.1.0"
+  dependencies:
+    yocto-queue: "npm:^0.1.0"
+  checksum: 10/7c3690c4dbf62ef625671e20b7bdf1cbc9534e83352a2780f165b0d3ceba21907e77ad63401708145ca4e25bfc51636588d89a8c0aeb715e6c37d1c066430360
+  languageName: node
+  linkType: hard
+
 "p-limit@npm:^2.0.0, p-limit@npm:^2.2.0":
   version: 2.3.0
   resolution: "p-limit@npm:2.3.0"
@@ -29207,15 +29877,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"p-limit@npm:^3.0.1, p-limit@npm:^3.0.2, p-limit@npm:^3.1.0":
-  version: 3.1.0
-  resolution: "p-limit@npm:3.1.0"
-  dependencies:
-    yocto-queue: "npm:^0.1.0"
-  checksum: 10/7c3690c4dbf62ef625671e20b7bdf1cbc9534e83352a2780f165b0d3ceba21907e77ad63401708145ca4e25bfc51636588d89a8c0aeb715e6c37d1c066430360
-  languageName: node
-  linkType: hard
-
 "p-limit@npm:^4.0.0":
   version: 4.0.0
   resolution: "p-limit@npm:4.0.0"
@@ -29771,6 +30432,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"pend@npm:~1.2.0":
+  version: 1.2.0
+  resolution: "pend@npm:1.2.0"
+  checksum: 10/6c72f5243303d9c60bd98e6446ba7d30ae29e3d56fdb6fae8767e8ba6386f33ee284c97efe3230a0d0217e2b1723b8ab490b1bbf34fcbb2180dbc8a9de47850d
+  languageName: node
+  linkType: hard
+
 "performance-now@npm:^2.1.0":
   version: 2.1.0
   resolution: "performance-now@npm:2.1.0"
@@ -34992,7 +35660,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"tar-stream@npm:^3.0.0, tar-stream@npm:^3.1.5":
+"tar-stream@npm:^3.0.0, tar-stream@npm:^3.1.5, tar-stream@npm:^3.1.7":
   version: 3.1.7
   resolution: "tar-stream@npm:3.1.7"
   dependencies:
@@ -35694,6 +36362,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"tslib@npm:^2.8.1":
+  version: 2.8.1
+  resolution: "tslib@npm:2.8.1"
+  checksum: 10/3e2e043d5c2316461cb54e5c7fe02c30ef6dccb3384717ca22ae5c6b5bc95232a6241df19c622d9c73b809bea33b187f6dbc73030963e29950c2141bc32a79f7
+  languageName: node
+  linkType: hard
+
 "tsscmp@npm:^1.0.6":
   version: 1.0.6
   resolution: "tsscmp@npm:1.0.6"
@@ -36050,7 +36725,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"typescript@npm:~5.9.3":
+"typescript@npm:~5.9.2, typescript@npm:~5.9.3":
   version: 5.9.3
   resolution: "typescript@npm:5.9.3"
   bin:
@@ -36060,7 +36735,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"typescript@patch:typescript@npm%3A~5.9.3#optional!builtin<compat/typescript>":
+"typescript@patch:typescript@npm%3A~5.9.2#optional!builtin<compat/typescript>, typescript@patch:typescript@npm%3A~5.9.3#optional!builtin<compat/typescript>":
   version: 5.9.3
   resolution: "typescript@patch:typescript@npm%3A5.9.3#optional!builtin<compat/typescript>::version=5.9.3&hash=5786d5"
   bin:
@@ -37804,6 +38479,16 @@ __metadata:
   languageName: node
   linkType: hard
 
+"yauzl@npm:^3.2.0":
+  version: 3.2.0
+  resolution: "yauzl@npm:3.2.0"
+  dependencies:
+    buffer-crc32: "npm:~0.2.3"
+    pend: "npm:~1.2.0"
+  checksum: 10/a3cd2bfcf7590673bb35750f2a4e5107e3cc939d32d98a072c0673fe42329e390f471b4a53dbbd72512229099b18aa3b79e6ddb87a73b3a17446080c903a2c4b
+  languageName: node
+  linkType: hard
+
 "yn@npm:3.1.1":
   version: 3.1.1
   resolution: "yn@npm:3.1.1"