ABAC (Attribute-Based Access Control) is an evolution of the more traditional RBAC (Role-Based Access Control) methodology. It allows the use of additional attributes for a more granular approach. The option of using user, environment, and resource attributes is now allowing SaaS businesses to address more complex use cases. Let’s learn more.
Attribute-based access control (ABAC) is an authorization paradigm that defines access control policies according to attributes like resource, object, environment, and user attributes. ABAC uses Boolean logic to create access rules containing if-then statements, which define the user, the request, the resource, and the action. For example, if the requester is an accountant, then allow read-write access to financial data.
ABAC enables organizations to create dynamic, context-aware access control policies using specific attributes according to unique business needs and compliance requirements. Implementation of ABAC was announced as a Priority Objective for implementation by the US Federal Government, and the National Institute of Standards and Technology (NIST) issued a set of standard guidelines that define how to implement ABAC in an enterprise environment.
This is part of an extensive series of guides about access management.
In this article:
ABAC systems make access decisions by:
Here are the four main categories of ABAC security attributes:
ABAC systems establish policies that define what combination of various attributes is required to perform a specific action with a certain object or resource. The system uses these policies to grant or deny access.
Here is how the process typically works:
Related content: Read our guide to ABAC security
RBAC and ABAC are access management methods. RBAC grants access to roles, whereas ABAC uses attributes-based policies to grant or deny access.
What is RBAC?
RBAC was formalized by the NIST in 1992 and quickly became the standard for SMBs with over 500 employees. It was implemented in user provisioning systems to streamline the joiners, movers, and leavers (JML) human resources (HR) process. It enables organizations to manage access control by roles instead of the individual user ID or each employee. It involves grouping users and entitlements according to business functions or activities, called roles.
Organizations can now use RBAC to create flat or hierarchical roles and also include inheritance. The key benefit is using roles as an extra level of abstraction. Roles act as a set of entitlements or permissions. It significantly simplifies access management, enabling organizations to assign one role to hundreds of users, a big advantage while scaling up fast.
How ABAC differs from RBAC
ABAC enables organizations to extend existing roles via attributes and policies. It offers the context needed to make intelligent authorization decisions. Instead of granting access only by roles, ABAC systems account for the role, the relevant actions and resources for the job, the location, time, and how the request is made.
ABAC policies are based on individual attributes, consist of natural language, and include context. It eliminates the need for hundreds of overloaded roles, enabling administrators to add, remove, and reorganize attributes without rewriting the policy. It requires significantly fewer roles. As a result, it offers simpler identity management.
Related: RBAC vs ABAC
In healthcare, ABAC can enforce strict data access policies based on various attributes such as job role, location, and time of access. For example:
ABAC is particularly useful in the financial sector where regulatory compliance and security are paramount. Financial institutions can use ABAC to control access to sensitive data such as customer financial information, transaction histories, and internal reports. For example:
Government and defense sectors require highly granular access controls to protect classified information. ABAC allows these organizations to specify access policies based on security clearance levels, project assignments, and operational needs.
For example, a military officer may access classified documents only if they possess the necessary clearance, are currently assigned to a relevant project, and are accessing the information from a secure location.
Educational institutions can leverage ABAC to manage access to various digital resources such as student records, research data, and administrative systems. For example, a professor may access student grades and academic records for the courses they teach, but not for other departments. Students can be granted access to course materials and their own records, but restricted from accessing other students’ information. This approach helps in maintaining privacy and data integrity across the institution.
ABAC offers several key advantages over traditional access control models:
While ABAC offers significant benefits, its implementation can present several challenges:
ABAC is one of the access models offered by leading cloud providers. Here is how the two leading providers – Amazon Web Services (AWS) and Microsoft Azure have implemented ABAC.
Amazon Web Services (AWS) is a cloud computing vendor that offers ABAC as part of its identity access management (IAM) service. Here is how AWS ABAC works:
ABAC is ideal for rapidly-growing environments and complex policy management scenarios. AWS ABAC enables organizations to control access to AWS resources, helping teams and resources grow with little changes to AWS policies. It lets you pass session tags when assuming a role or federating a user and then define policies that use tag condition keys to grant permissions to principals.
Organizations using a SAML-based identity provider (IdP) can use SAML attributes to set up fine-grained access control within the AWS cloud. SAML attributes include user email addresses, cost center identifiers, project assignments, and department classifications. Passing these attributes as session tags enables you to use them to control access to AWS.
Microsoft Azure is a cloud computing vendor that offers various access control management options, including RBAC and ABAC. Azure RBAC is an authorization system for managing access to Azure resources via role definitions and role assignments. Azure ABAC builds on Azure RBAC, adding attributes-based role assignment conditions in context to specific actions.
A role assignment condition serves as an additional check you can add to a role assignment for granular access control. A condition can filter permissions granted for a role definition and a role assignment. It lets you add a condition that requires a certain object to have a specific tag in order to read this object. However, it does not let you use conditions to explicitly deny access to specific resources.
Azure ABAC enables you to significantly reduce the number of role assignments. Currently, Azure subscriptions have a role assignment limit. In some cases, it can require thousands of role assignments that you also need to manage. You can add conditions to reduce the number of role assignments.
Here is a template of key factors to consider before deploying an ABAC solution, based on the NIST guidelines.
You can use this template to fill in your organization’s unique considerations for implementing an ABAC solution.
SaaS app usage is becoming more and more unpredictable, with multiplying usage patterns and use cases. TBusinesses need a versatile solution that’s self-served and plug-and-play in nature, enabling engineering teams to focus more on core technology development and customers to enjoy more in-app independence with less friction points. Enter Frontegg.
Frontegg’s SaaS-as-a-Service infrastructure takes user management to the next level by providing users with maximum flexibility when it comes to implementation and adoption for complex use cases and requirements.
Start For Free
Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of access management.
