What is ABAC (Attribute-based access control)?

Published by Alex Olivier on October 02, 2023
Read on to understand what attribute-based access control is, the advantages of using ABAC, and its key components.

What is attribute-based access control (ABAC)?

Attribute-Based Access Control, also referred to as ABAC, is a method of managing access to systems or resources based on the user’s attributes. Compared to traditional access control methods, it is considered to be more flexible and dynamic.

With Attribute-Based Access Control, access is allowed or prohibited based on an evaluation of various attributes defined within the access policy. These attributes typically include, but are not limited to, an individual’s department, location, and user role along with the context in which the access request is made.

Advantage of ABAC

Attribute-based access control is a flexible and comprehensive approach to access control. Instead of just looking at roles, ABAC considers multiple factors: attributes of the user, the resource, the environment, and the action.

Although ABAC is more complicated than RBAC, it provides a high degree of versatility and subtle control over system access.

ABAC is the way to go when versatility and security are of paramount importance.

Key components of the ABAC access control system

Attributes

Attributes are characteristics assigned to all the players in an access event that the system uses to determine whether access should be granted. Attributes typically take the form of information about the user, the resources the user is attempting to access, and the context in which they are making their access request. So, for instance, access may be granted in one context but denied in a different context.

Attributes can also be applied to the resources themselves, and can be based on a wide range of characteristics such as a file’s owner, its creation date, sensitivity of data and more.

Access request evaluations

Whenever a user requests access, the ABAC system evaluates that request by weighing the principal’s personal attributes along with which resources they are attempting to access and the context in which the request is being made.

Centralized policy management

More often than not, ABAC involves a centralized policy management system. The goal of such a system is to provide a uniform framework for defining and enforcing an organization’s access control policies.

Fine-grained access

When compared to more generalized access control models, typically referred to as "coarse-grained access", ABAC's fine-grained access model enables more nuanced control over who gains access to what. While this can make it somewhat more complex to devise and implement, many organizations relish the more sophisticated control.

Policies and access rules

Access rules are the main components that determine who can access resources and under what conditions.

Policies are where these access rules live; they are collections of rules, intended as a way to organize and manage access control within an organization.
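The request evaluation and the policy-as-a-collection-of-rules structure described above can be sketched as a small decision function. This is an added example, not code from the original article or from any particular product; the rule names, attribute keys, and the deny-overrides, default-deny combining strategy are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Request:
    principal: dict    # user attributes, e.g. id, department
    resource: dict     # resource attributes, e.g. owner, sensitivity
    action: str        # what the principal wants to do
    environment: dict  # request context, e.g. network of origin

@dataclass(frozen=True)
class Rule:
    name: str
    effect: str        # "allow" or "deny"
    actions: frozenset
    condition: Callable[[Request], bool]

def same(a, b):
    # A missing attribute (None) must never match another missing attribute,
    # otherwise two incomplete records would "match" and grant access.
    return a is not None and a == b

# Constructed policy (hypothetical): the rules for "document" resources.
DOCUMENT_POLICY = [
    Rule("owner-full-access", "allow", frozenset({"read", "edit"}),
         lambda r: same(r.principal.get("id"), r.resource.get("owner"))),
    Rule("same-department-read", "allow", frozenset({"read"}),
         lambda r: same(r.principal.get("department"),
                        r.resource.get("department"))),
    Rule("confidential-corporate-only", "deny", frozenset({"read", "edit"}),
         lambda r: r.resource.get("sensitivity") == "confidential"
                   and r.environment.get("network") != "corporate"),
]

def evaluate(policy, request):
    """Return (decision, rule_name): deny overrides allow, no match is deny."""
    allowed_by = None
    for rule in policy:
        if request.action not in rule.actions or not rule.condition(request):
            continue
        if rule.effect == "deny":
            return ("deny", rule.name)       # an explicit deny always wins
        allowed_by = allowed_by or rule.name  # remember the first allow
    return ("allow", allowed_by) if allowed_by else ("deny", "default-deny")
```

The same principal and resource produce different decisions when only the environment attribute changes, which is the context-dependent behaviour described in the Attributes section.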

Scalability

The fine-grained control provided by the ABAC model can be applied just as easily to mid-sized organizations as it can to multinational conglomerates.
