Term · 2. Authentication & Authorization
Attribute-Based Access Control ABAC
Attribute-based access control (ABAC) makes access decisions by evaluating policies against attributes of the user, resource, action and environment — for example, allow finance managers to approve invoices under a threshold during business hours. It enables fine-grained, context-aware authorization that RBAC's static roles cannot express. More expressive but harder to audit, ABAC is usually combined with RBAC rather than replacing it.
Definition
Authorization model evaluating attributes of subject (role, department, clearance), object (sensitivity, owner), action (read/write/delete), and environment (time, location, device posture) against policy rules. More flexible than RBAC — encodes complex business logic without explosion of role definitions. NIST SP 800-162 defines the reference architecture.
- Application
- MidPoint: A mechanism for managing user access to information systems based on user attribute values.
- Standards & regulations
-
- NIST SP 800-162 «Attribute Based Access Control (ABAC): A logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, objec»
- NIST SP 800-162 (Draft, update 2) «ABAC is a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, i»
- NIST SP 800-205 «NIST Special Publication (SP) 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations, introduced guidance on access control using attributes, categorizing ABAC as a logi»
- Sources
-
- NIST SP 800-162 ABAC (Update 1, final) primary source
Related terms
-
Access Control (AC)
Mechanism that determines whether a principal is permitted to perform a specific action on a specific resource. Includes …
-
Access Management (AM)
Discipline of granting and enforcing access to resources after identity has been established. Encompasses authentication …
-
Authorization (AuthZ)
Process of deciding whether an authenticated principal is permitted to perform a requested action on a resource. Distinc …
-
Cloud Data Access Governance
Discovery, classification, and access control for sensitive data across cloud data stores (S3, Snowflake, BigQuery, Data …
-
Delegated Administration (DA)
Permission model where administrators delegate specific management functions to other users within scoped boundaries — t …
-
Hierarchical Role Model (HRM)
Role design where roles form a hierarchy and child roles inherit permissions from parent roles. Senior Developer inherit …
Frequently asked questions
What is the difference between RBAC and ABAC?
RBAC grants access based on a user's role; ABAC grants it based on attributes and rules evaluated at request time (who, what, when, where). RBAC is simpler to audit; ABAC is more flexible and context-aware. Most organizations use RBAC as the base and ABAC for dynamic exceptions.
When should we use ABAC?
Use ABAC when access depends on context — data classification, location, time, device posture or relationship — and where pure roles would explode into thousands of variants. It shines in data-centric and Zero Trust scenarios.
What is the downside of ABAC?
Expressiveness comes at the cost of reviewability: policies can interact in ways that are hard to predict and audit. Good ABAC needs strong policy testing, central policy management (OPA/Rego, XACML) and clear ownership.