
Security

Attribute Based Access Control

Decide access from attributes of the user, resource, and context rather than fixed roles.


When Roles Are Not Enough

Roles are coarse. Real rules often depend on context: a doctor may read a chart only for their own patients, during their shift, from a hospital network. Encoding every combination as a separate role causes a role explosion.

How ABAC Works

Attribute Based Access Control evaluates a policy over attributes at request time.

  • Subject attributes describe the user, such as department or clearance.
  • Resource attributes describe the object, such as owner or classification.
  • Action and environment attributes describe the operation, time, and location.

A policy engine combines these into a decision such as "allow if the subject's department equals the resource's department and the request time is within working hours".
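A minimal policy decision point that evaluates the two rules the lesson mentions (the doctor reading a chart for their own patient, on shift, from the hospital network; and the same-department-within-working-hours rule) over subject, resource, action and environment attributes. This is an added example, not code from the lesson or from any ABAC product; the attribute names, the `schedule` resource type, the hospital network range, the working hours and the sample requests are all constructed for illustration. Access is denied unless some rule explicitly grants it, and the decision carries the name of the granting rule so it can be logged.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Callable

# Constructed constants (assumptions for this example, not from the lesson).
HOSPITAL_NET = ip_network("10.0.0.0/8")
WORK_START, WORK_END = time(9, 0), time(17, 0)


@dataclass(frozen=True)
class Request:
    """Attribute bags for one access request; attribute names are hypothetical."""
    subject: dict      # who is asking: id, role, department, shift
    resource: dict     # what is accessed: type, department, care_team
    action: str        # the operation, e.g. "read"
    environment: dict  # request context: time, client_ip


Rule = Callable[[Request], bool]


def same_department_in_hours(req: Request) -> bool:
    """Allow a read of a department schedule when the subject's department
    equals the resource's department and the time is within working hours."""
    return (
        req.action == "read"
        and req.resource.get("type") == "schedule"
        and req.subject.get("department") is not None
        and req.subject.get("department") == req.resource.get("department")
        and WORK_START <= req.environment["time"] <= WORK_END
    )


def doctor_own_patient_on_shift(req: Request) -> bool:
    """A doctor may read a chart only for their own patients, during their
    shift, from the hospital network (every condition must hold)."""
    if req.action != "read" or req.resource.get("type") != "chart":
        return False
    if req.subject.get("role") != "doctor":
        return False
    if req.subject["id"] not in req.resource.get("care_team", ()):
        return False
    shift_start, shift_end = req.subject["shift"]
    if not (shift_start <= req.environment["time"] <= shift_end):
        return False
    return ip_address(req.environment["client_ip"]) in HOSPITAL_NET


# The policy decision point: one central, reviewable list of rules.
POLICY: list[tuple[str, Rule]] = [
    ("doctor_own_patient_on_shift", doctor_own_patient_on_shift),
    ("same_department_in_hours", same_department_in_hours),
]


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). The reason names the granting rule, or
    'default_deny' when no rule matched; that is what an audit log records."""
    for name, rule in POLICY:
        if rule(req):
            return True, name
    return False, "default_deny"


def demo() -> dict[str, tuple[bool, str]]:
    """Constructed requests that vary one attribute dimension at a time."""
    dr_lee = {"id": "u-lee", "role": "doctor", "department": "cardiology",
              "shift": (time(7, 0), time(19, 0))}
    own_chart = {"type": "chart", "department": "cardiology", "care_team": ["u-lee"]}
    other_chart = {"type": "chart", "department": "oncology", "care_team": ["u-kim"]}
    schedule = {"type": "schedule", "department": "cardiology"}
    on_site = {"time": time(10, 30), "client_ip": "10.20.30.40"}
    off_site = {"time": time(10, 30), "client_ip": "203.0.113.7"}
    night = {"time": time(23, 0), "client_ip": "10.20.30.40"}
    evening = {"time": time(18, 0), "client_ip": "10.20.30.40"}
    return {
        "own chart, on shift, on site": decide(Request(dr_lee, own_chart, "read", on_site)),
        "own chart, off site": decide(Request(dr_lee, own_chart, "read", off_site)),
        "own chart, off shift": decide(Request(dr_lee, own_chart, "read", night)),
        "other patient's chart": decide(Request(dr_lee, other_chart, "read", on_site)),
        "write own chart": decide(Request(dr_lee, own_chart, "write", on_site)),
        "schedule in hours": decide(Request(dr_lee, schedule, "read", on_site)),
        "schedule after hours": decide(Request(dr_lee, schedule, "read", evening)),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:30s} -> {outcome}")
```

Each rule touches all four attribute kinds, which is the point of ABAC: the same doctor is allowed or denied depending on the patient relationship (resource), the shift and wall-clock time (environment), the network the request comes from (environment) and the operation (action). Keeping every rule in the one `POLICY` list, with deny as the default and the granting rule named in the result, is what makes the decisions reviewable: the `demo` cases double as the regression tests a policy change should be run against.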

Trade Offs

  • ABAC is expressive and captures fine-grained, context-aware rules.
  • Policies can become hard to reason about, so testing and review matter.
  • A clear policy decision point keeps logic central and auditable.

Key idea

ABAC makes access decisions from the attributes of subject, resource, action, and environment, enabling fine-grained, context-aware rules beyond fixed roles.

Check yourself


1. What does ABAC primarily evaluate to decide access?

2. What problem with roles does ABAC help avoid?

3. What keeps ABAC policies auditable?