Attribute Based Access Control (ABAC) is an access control method based on attributes (key-value pairs) that are used inside policies and rules to express access control logic.
Attribute Based Access Control (ABAC) is an access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.
Source: Guide to Attribute Based Access Control (ABAC) Definition and Considerations
In short, ABAC is an evolution of the role-based access control model (rbac). Where RBAC focuses on the user, its role(s), permissions, and optionally group(s) to define authorization logic, ABAC uses attributes and policies to define access control logic.
Attributes are key-values pairs e.g. role==manager or citizenship==Swedish. Attributes can describe:
- the user
- the resource or object being accessed / requested
- the action being attempted (view, delete, approve...)
- contextual data such as the time of the day, the user's IP, the authentication method...
xacml is an example of a standard which implements ABAC. alfa is a pseudo-code that can be used to design and implement ABAC policies.
