CIAM.wiki

Attribute-Based Access Control (ABAC)

Attribute-based access control decides access by evaluating attributes of the user, the resource, the action, and the context against policy rules, allowing finer and more dynamic decisions than roles alone.

Also: ABAC

Attribute-based access control makes decisions from attributes rather than from fixed roles. A policy can combine properties of the subject such as department or clearance, properties of the resource such as classification or owner, properties of the action such as read or write, and context such as time, location or device, then allow or deny based on the result. The component that evaluates the policy is usually called the policy decision point, and the application enforcing its answer the policy enforcement point.

This flexibility lets ABAC express rules that role-based control struggles with, such as allowing access only during business hours or only to records in the user's own region, without creating a new role for every combination. The cost is more complex policy that has to be written and tested carefully, and a new dependency: every attribute the policy relies on must come from a trusted, current source. An attribute the user can edit themselves, or one that lags behind the real state (a suspended account still marked active), becomes an authorization bypass. Policies should also default to deny when an attribute is missing rather than fail open.
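As an added illustration of the mechanism described above (this is example code written for this entry, not code from CIAM.wiki or any particular CIAM product), the block below is a small policy decision point in Python. The attribute names (region, clearance, status, classification, owner), the rules, the deny-overrides combining algorithm and the sample users and records are all illustrative assumptions; real deployments would express the rules in a policy language and source the attributes from the identity provider and resource store. It shows the two rules mentioned in the text (own region during business hours, owner at any time), a deny rule that wins over any permit, and the default-deny behaviour when an attribute such as the request time is absent.

```python
"""Minimal ABAC policy decision point (PDP).

Added example for this glossary entry, not CIAM.wiki code. Attribute
names, rules and sample data below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable


@dataclass(frozen=True)
class Request:
    subject: dict          # attributes of the user, e.g. asserted by the IdP
    action: str            # e.g. "read", "write"
    resource: dict         # attributes of the thing being accessed
    context: dict = field(default_factory=dict)  # time, IP, device posture, ...


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str            # "permit" or "deny"
    condition: Callable[[Request], bool]


def business_hours(req: Request) -> bool:
    """Context attribute: request time falls Mon-Fri 09:00-17:59 (assumed policy)."""
    t: datetime = req.context["time"]   # KeyError if the caller supplied no time
    return t.weekday() < 5 and 9 <= t.hour < 18


POLICY = [
    # Deny rules: any matching deny wins regardless of permits (deny-overrides).
    Rule("no_access_for_suspended_accounts", "deny",
         lambda r: r.subject.get("status") == "suspended"),
    Rule("restricted_records_need_clearance", "deny",
         lambda r: r.resource.get("classification") == "restricted"
         and r.subject.get("clearance") != "high"),
    # Permit rules: own-region records during business hours, or the owner at any time.
    Rule("own_region_during_business_hours", "permit",
         lambda r: r.action == "read"
         and r.subject.get("region") == r.resource.get("region")
         and business_hours(r)),
    Rule("owner_can_read_and_write", "permit",
         lambda r: r.action in ("read", "write")
         and r.subject.get("id") == r.resource.get("owner")),
]


def decide(req: Request, policy=POLICY) -> tuple[str, list[str]]:
    """Evaluate every rule with deny-overrides combining and a default of deny.

    Returns (decision, names_of_matched_rules) so the enforcement point can
    log why a decision was reached. A rule whose condition raises because an
    attribute is missing counts as not matching for a permit and as matching
    for a deny: the PDP never fails open.
    """
    matched: list[str] = []
    permitted = False
    for rule in policy:
        try:
            hit = rule.condition(req)
        except (KeyError, TypeError, AttributeError):
            hit = rule.effect == "deny"
        if not hit:
            continue
        matched.append(rule.name)
        if rule.effect == "deny":
            return "deny", matched          # first deny ends evaluation
        permitted = True
    return ("permit" if permitted else "deny"), matched


def demo() -> dict[str, tuple[str, list[str]]]:
    """Worked cases over constructed sample data (not real users or records)."""
    alice = {"id": "u1", "region": "eu", "clearance": "low", "status": "active"}
    record = {"id": "r42", "region": "eu", "classification": "internal", "owner": "u2"}
    tue_10 = {"time": datetime(2024, 3, 5, 10, 0)}   # Tuesday 10:00
    sat_10 = {"time": datetime(2024, 3, 9, 10, 0)}   # Saturday 10:00
    return {
        "own_region_weekday": decide(Request(alice, "read", record, tue_10)),
        "own_region_weekend": decide(Request(alice, "read", record, sat_10)),
        "restricted_weekday": decide(Request(
            alice, "read", {**record, "classification": "restricted"}, tue_10)),
        "owner_writes_weekend": decide(Request(
            alice, "write", {**record, "owner": "u1"}, sat_10)),
        "missing_time": decide(Request(alice, "read", record)),   # no "time" in context
    }


if __name__ == "__main__":
    for case, (decision, rules) in demo().items():
        print(f"{case:22s} -> {decision:6s} matched={rules}")
```

Two design choices matter more than the rule bodies. First, the decision is returned together with the names of the rules that fired, because an ABAC deny is much harder to debug than a missing role and the enforcement point needs that trace in its audit log. Second, a missing attribute can only make a permit fail and a deny succeed, which is the concrete form of "default deny" for a policy that reads data it does not control.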

ABAC is one of the foundations of fine-grained authorization. In CIAM-connected applications it appears where access decisions genuinely depend on data rather than on a small fixed set of roles.