Attribute-Based Access Control (ABAC)
ABAC grants access by evaluating policies over user, resource, action, and environment attributes, enabling fine-grained, context-aware control.
Attribute-based access control (ABAC) is a flexible authorization model that decides access by evaluating rules against attributes rather than fixed roles. It can express fine-grained, context-aware policies that adapt to the situation.
How It Works
ABAC policies combine four kinds of attributes. Subject attributes describe the user (department, clearance, role). Resource attributes describe the object (classification, owner, type). Action attributes describe the operation (read, write, delete). Environment attributes describe context (time of day, location, device posture, network).
A policy is a rule such as: "Allow a user to read a document if their department equals the document's department and the request comes from a managed device during business hours." A policy engine, sometimes following the XACML model with a policy decision point and policy enforcement point, evaluates these attributes for each request and returns allow or deny.
Because policies are dynamic, ABAC can capture nuanced requirements without creating an explosion of roles.
Why It Matters
RBAC works well for stable, role-aligned access but struggles when decisions depend on context or on fine-grained data attributes. ABAC handles these cases, supporting requirements like data residency, need-to-know restrictions, and conditional access central to zero trust.
The trade-off is complexity. Policies can be hard to author, test, and audit, and a poorly designed policy set becomes difficult to reason about. Many organizations use a hybrid: RBAC for coarse access and ABAC for fine-grained, contextual rules.
ABAC strongly supports least privilege by tailoring access precisely to circumstances.
Related Terms
ABAC complements role-based access control, enforces least privilege with context, and underpins the conditional access used in zero-trust architectures.