Attribute-Based Access Control

info

This content is adapted from Okta documentation.

The main difference between RBAC vs. ABAC is the way each method grants access. RBAC techniques allow you to grant access by roles. ABAC techniques let you determine access by user characteristics, object characteristics, action types, and more.

What Is Attribute-Based Access Control?

Someone logs into your computer system. What can that person do? ABAC protocols answer that question via the user, the resource attributes, or the environment.

As the administrator of a system using ABAC, you can set permissions by:

• User. A person's job title, typical tasks, or seniority level could determine the work that can be done.
• Resource attributes. The type of file, the person who made it, or the document's sensitivity could determine access.
• Environment. Where the person is accessing the file, the time of day, or the calendar date could all determine access.

Administrators have a great deal of nuanced control in a system like this. You could set permissions based on a variety of attributes, all working together to keep documents safe. In theory, you could even give the same person different permissions based on where the person logs in or what the person tries to do on a different day of the week.

In ABAC, elements work together in a coordinated fashion.

• Subjects: Who is trying to do the work?
• Objects: What file within the network is the user trying to work with?
• Operation: What is the person trying to do with said file?

Relationships are defined by if/then statements. For example:

• If the user is in accounting, then the person may access accounting files.
• If the person is a manager, then that person may read/write files.
• If the company policy specifies “no Saturday work” and today is Saturday, then no one may access any files today.