Attribute-Based Access Control, also referred to as ABAC, is a method of managing access to systems or resources based on the user’s attributes. Compared to traditional access control methods it is considered to be more flexible and dynamic.
With Attribute-Based Access Control access is allowed or prohibited based on an evaluation of various attributes defined within the access policy. These attributes typically include, but are not limited to, an individual’s department, location, and user role along with the context in which the access request is made.
Attributes are characteristics assigned to all the players in an access event that the system uses to determine whether access should be granted. Attributes typically take the form of information about the user, the resources the user is attempting to access and the context in which they are making their access request. So, for instance, access may be granted in one context but denied in a different context
Attributes can also be applied to the resources themselves, and can be based on a wide range of characteristics such as a file’s owner, its creation date, sensitivity of data and more.
Whenever a user requests access, the ABAC system evaluates that request by weighing the principal’s personal attributes along with which resources they are attempting to access and the context in which the request is being made.
More often than not, ABAC involves a centralized policy management system. The goal of such a system is to provide a uniform framework for defining and enforcing an organization’s access control policies.
When compared to more generalized access control models - typically referred to as "coarse-grained access" - the ABAC's fine grain-access model enables more nuanced control over who gains access to what. While this can make it somewhat more complex to devise and implement, many organizations relish the more sophisticated control.
Access rules are the main components that determine who can access resources and under what conditions.
Policies are where these access rules live; they are collections of rules, intended as a way to organize and manage access control within an organization.
The fine-grained control provided by the ABAC model can be applied just as easily to mid-sized organizations as it can to multinational conglomerates.
Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team