Vol. 1 · Ed. 2026
CyberGlossary
Entry № 088

Attribute-Based Access Control (ABAC)

Reviewed by Cybersecurity entrepreneur & security researcher

What is Attribute-Based Access Control (ABAC)?

Attribute-Based Access Control (ABAC): An authorization model that evaluates policies over attributes of the subject, resource, action, and environment to decide whether to allow an access request.


Attribute-Based Access Control replaces static role assignments with dynamic policies. A decision engine evaluates rules over attributes such as the user's department and clearance, the resource's classification, the requested action, the time of day, and the device posture. This enables very fine-grained, context-aware decisions: for example, a doctor can be allowed to read a chart only during their on-call shift and from a managed device. ABAC is described in NIST SP 800-162 and implemented through policy languages such as XACML and OPA Rego. Its strengths are flexibility and scale; its weaknesses are policy complexity, harder auditing, and the need for trustworthy attribute sources.

Examples

  1. An OPA policy allowing access only if user.region == resource.region and device.compliant == true.

  2. A XACML rule restricting export of personal data to EU users from EU IP ranges.
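
The on-call example from the definition, as an added sketch in plain Python (not OPA Rego or XACML, and not code from this glossary): a deny-by-default decision function that records each condition's outcome so the decision can be audited. The attribute names and the sample request are assumptions constructed for the example.

```python
from datetime import datetime

def get(req, path):
    """Resolve 'category.name'; an absent attribute raises, it is never defaulted."""
    category, name = path.split(".")
    try:
        return req[category][name]
    except KeyError:
        raise LookupError(path) from None

# Constructed policy for the on-call example; all attribute names are assumptions.
# Every condition must pass. Datetimes (not clock times) let a shift span midnight.
ON_CALL_CHART_READ = [
    ("subject is a doctor", lambda r: get(r, "subject.role") == "doctor"),
    ("action is read", lambda r: get(r, "action.name") == "read"),
    ("resource is a chart", lambda r: get(r, "resource.type") == "chart"),
    ("inside on-call shift", lambda r: get(r, "subject.shift_start")
        <= get(r, "environment.time") < get(r, "subject.shift_end")),
    # 'is True' rejects truthy stand-ins such as the string "false".
    ("device is managed", lambda r: get(r, "environment.device_managed") is True),
]

def decide(req, policy=ON_CALL_CHART_READ):
    """Return (decision, trail): deny by default, with one trail entry per condition."""
    trail = []
    for label, condition in policy:
        try:
            result = "pass" if condition(req) else "fail"
        except LookupError as exc:
            result = f"missing attribute {exc}"
        trail.append((label, result))
    decision = "permit" if all(r == "pass" for _, r in trail) else "deny"
    return decision, trail

def sample_request(when, managed=True):
    """Constructed request; managed=None omits the device attribute entirely."""
    env = {"time": when}
    if managed is not None:
        env["device_managed"] = managed
    return {
        "subject": {"role": "doctor", "shift_start": datetime(2026, 1, 10, 20, 0),
                    "shift_end": datetime(2026, 1, 11, 8, 0)},
        "action": {"name": "read"},
        "resource": {"type": "chart"},
        "environment": env,
    }

if __name__ == "__main__":
    print(decide(sample_request(datetime(2026, 1, 11, 2, 0), managed=None)))
```

All conditions are evaluated rather than short-circuited, so the trail names every failed or missing attribute, which is the information a reviewer needs when a deny is disputed.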

Frequently asked questions

What is Attribute-Based Access Control (ABAC)?

An authorization model that evaluates policies over attributes of the subject, resource, action, and environment to decide whether to allow an access request. It belongs to the Identity & Access category of cybersecurity.

What does Attribute-Based Access Control (ABAC) mean?

An authorization model that evaluates policies over attributes of the subject, resource, action, and environment to decide whether to allow an access request.

How do you defend against Attribute-Based Access Control (ABAC)?

Defences for Attribute-Based Access Control (ABAC) typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Attribute-Based Access Control (ABAC)?

Common alternative names include: ABAC, Policy-based access control.
