Attribute Based Access Control (ABAC)

Attribute-Based Access Control (ABAC) is an access control model used in Identity and Access Management (IAM) systems to determine whether a user should be granted access to a particular resource. Unlike traditional access control models such as Role-Based Access Control (RBAC) or Discretionary Access Control (DAC), ABAC makes decisions based on the attributes associated with the user, the resource, and the environment at the time of the access request.

In ABAC, access control policies are defined as a set of attributes and conditions over them. The attributes describe the user (e.g., role, department, authorisation level, location), the resource (e.g., sensitivity, type), and the context in which access is requested (e.g., time, location, device used). The policies are evaluated by an access control engine, which determines whether access should be granted, denied, or further evaluated based on the attributes and conditions specified in the policies.

Reasons to implement ABAC:

Fine-grained access control

ABAC allows organisations to define granular access control policies, providing greater flexibility and precision in managing access to resources. This level of granularity ensures that users only have access to the specific resources they need for their roles and responsibilities.

Dynamic access decisions

ABAC considers real-time attributes and context, enabling dynamic access decisions. For example, access can be granted during business hours and from a trusted location, but denied outside those hours or from a suspicious location.
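The policy evaluation described above, as an added example that is not part of the original article: a small deny-by-default ABAC engine in Python that evaluates policies over subject, resource and environment attributes, with constructed policies for the business-hours and trusted-location case plus a clearance-versus-sensitivity check (all user, resource and policy names are hypothetical).

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Mapping

# An access request bundles the three attribute sets ABAC evaluates:
# the subject (user), the resource, and the environment (request context).
@dataclass(frozen=True)
class Request:
    subject: Mapping[str, object]
    resource: Mapping[str, object]
    environment: Mapping[str, object]

# A policy is a named condition over a request plus the effect it produces.
@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                          # "permit" or "deny"
    condition: Callable[[Request], bool]

def evaluate(policies: list[Policy], req: Request) -> str:
    """Deny-overrides: any matching deny wins; else a matching permit; else fail closed."""
    matched = [p for p in policies if p.condition(req)]
    if any(p.effect == "deny" for p in matched):
        return "deny"
    if any(p.effect == "permit" for p in matched):
        return "permit"
    return "deny"

CLEARANCE = {"public": 0, "internal": 1, "confidential": 2}
# Constructed policies mirroring the article's example: business hours from a
# trusted location, and subject clearance must dominate resource sensitivity.
POLICIES = [
    Policy("outside-business-hours", "deny",
           lambda r: not time(9, 0) <= r.environment["time"].time() < time(17, 0)),
    Policy("untrusted-location", "deny",
           lambda r: r.environment["location"] not in r.subject["trusted_locations"]),
    Policy("clearance-and-department", "permit",
           lambda r: CLEARANCE[r.subject["clearance"]] >= CLEARANCE[r.resource["sensitivity"]]
           and r.resource["department"] == r.subject["department"]),
]

# Constructed sample attributes (hypothetical users and resource).
ALICE = {"department": "finance", "clearance": "confidential", "trusted_locations": {"HQ", "VPN"}}
BOB = {"department": "finance", "clearance": "internal", "trusted_locations": {"HQ"}}
REPORT = {"department": "finance", "sensitivity": "confidential"}

def decide(subject, resource, hour: int, minute: int, location: str) -> str:
    # Environment attributes are taken at request time; the date is fixed for the demo.
    env = {"time": datetime(2024, 3, 4, hour, minute), "location": location}
    return evaluate(POLICIES, Request(subject, resource, env))
```

Note that the engine never reaches a permit unless some policy explicitly matches, so a user with no applicable policy is denied rather than falling through.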

Adaptability and scalability

As organisations grow and change, access control requirements can become more complex. ABAC is adaptable and scalable, allowing organisations to easily add or modify attributes and policies without changing the underlying architecture.

Regulatory compliance

Many industries are subject to strict compliance regulations (e.g., HIPAA, GDPR, PCI DSS) that require a high level of control over access to sensitive information. ABAC can help organisations meet these requirements by providing a more comprehensive and auditable access control system.

Centralised management

ABAC can be implemented centrally, making it easier to manage access control policies across multiple systems, applications, and resources within an organisation.

Risk-based access control

ABAC can incorporate risk factors into access decisions, taking into account factors such as user behaviour, location, and resource sensitivity. This helps organisations effectively mitigate security risks.

Enhanced security

By basing access decisions on multiple attributes and context, ABAC can significantly improve security by reducing the risk of unauthorised access.