Beyond roles
Plain role-based access control checks a request against a fixed set of roles. Attribute-based access control (ABAC) evaluates rules over the attributes of four things: the subject making the request, the resource being touched, the action attempted, and the context, such as time or device.
This lets you express rich rules such as: allow a manager to approve an expense only if it belongs to their own department and is below their approval limit.
How the engine works
- Each policy is a rule over attributes that yields permit or deny.
- The engine gathers the relevant attributes, evaluates all applicable rules, and combines their results with a strategy such as deny overrides.
- Attributes may come from the token, the resource record, or an external lookup.
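The engine described above, as an added example that is not part of the original text: two hypothetical rules (the manager-expense rule from the opening and an assumed business-hours context rule) are evaluated over subject, resource, action and context attributes and combined with deny-overrides, with no applicable rule falling back to deny. The attribute names, sample subject and resource records are constructed for illustration.

```python
from datetime import datetime
from typing import Callable, Optional

PERMIT, DENY = "permit", "deny"          # a rule returning None is "not applicable"
Rule = Callable[[dict, dict, str, dict], Optional[str]]

def manager_approves_own_department(subject, resource, action, context):
    # Hypothetical policy: a manager may approve an expense only when it
    # belongs to their own department and is within their approval limit.
    if action != "approve" or subject.get("role") != "manager":
        return None
    same_dept = resource.get("department") == subject.get("department")
    within_limit = resource.get("amount", float("inf")) <= subject.get("limit", 0)
    return PERMIT if same_dept and within_limit else DENY

def no_approvals_outside_business_hours(subject, resource, action, context):
    # Assumed context rule: approvals are only allowed between 09:00 and 17:59.
    if action != "approve":
        return None
    hour = context["time"].hour
    return None if 9 <= hour < 18 else DENY

def decide(subject, resource, action, context, rules):
    """Evaluate every applicable rule and combine with deny-overrides: any DENY
    wins, otherwise a PERMIT permits, and no applicable rule at all means DENY."""
    results = [rule(subject, resource, action, context) for rule in rules]
    if DENY in results:
        return DENY
    return PERMIT if PERMIT in results else DENY

RULES = [manager_approves_own_department, no_approvals_outside_business_hours]

# Constructed sample attributes: a token-derived subject and a resource record.
ALICE = {"role": "manager", "department": "sales", "limit": 5000}
EXPENSE = {"id": "exp-42", "department": "sales", "amount": 1200}
IN_HOURS = {"time": datetime(2024, 3, 4, 10, 30)}
AFTER_HOURS = {"time": datetime(2024, 3, 4, 22, 0)}

if __name__ == "__main__":
    print(decide(ALICE, EXPENSE, "approve", IN_HOURS, RULES))     # permit
    print(decide(ALICE, EXPENSE, "approve", AFTER_HOURS, RULES))  # deny (deny overrides)
    print(decide(ALICE, {**EXPENSE, "amount": 9000}, "approve", IN_HOURS, RULES))  # deny
```

Note that a request matching no rule (for example, a "read" action here) is denied, which is the closed-by-default behaviour a deny-overrides combiner should keep.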
Strengths and costs
- It is expressive and avoids a combinatorial explosion of roles.
- But it is harder to reason about, since a decision depends on live attribute values rather than a static role list.
- Performance depends on how fast attributes can be fetched, so caching attributes matters.
Key idea
An attribute-based engine decides access by evaluating rules over subject, resource, action and context attributes, trading simplicity of reasoning for rich expressiveness.