ABAC (Attribute-Based Access Control): A Complete Guide

ABAC (Attribute-Based Access Control) is an evolution of the more traditional RBAC (Role-Based Access Control) methodology. It allows the use of additional attributes for a more granular approach. The option of using user, environment, and resource attributes is now allowing SaaS businesses to address more complex use cases. Let’s learn more.

What Is Attribute-Based Access Control (ABAC)?

Attribute-based access control (ABAC) is an authorization paradigm that defines access control policies according to attributes like resource, object, environment, and user attributes. ABAC uses Boolean logic to create access rules containing if-then statements, which define the user, the request, the resource, and the action. For example, if the requester is an accountant, then allow read-write access to financial data. 

ABAC enables organizations to create dynamic, context-aware access control policies using specific attributes according to unique business needs and compliance requirements. Implementation of ABAC was announced as a Priority Objective for implementation by the US Federal Government, and the National Institute of Standards and Technology (NIST) issued a set of standard guidelines that define how to implement ABAC in an enterprise environment.

This is part of an extensive series of guides about access management.

How Does ABAC Security Work? 

ABAC systems make access decisions by: 

  1. Intelligently studying how attributes interact in an environment.
  2. Creating rules that determine access for a set of attributes if specific conditions are met.

Here are the four main categories of ABAC security attributes:

Subject/user attributesAttributes that indicate an individual is attempting to gain access. For example, username, age, ID, job title, organization, job role, department, and security clearance.
Resources/object attributesAttributes that indicate the resource requested for access.
ActionAttributes that indicate the action the user wants to perform with a resource. For example, view, transfer, read, or delete.
Environmental attributesAttributes that contextualize the access attempt. For example, time, device, and location.

ABAC systems establish policies that define what combination of various attributes is required to perform a specific action with a certain object or resource. The system uses these policies to grant or deny access.

Here is how the process typically works:

  1. An access request is triggered
  2. The ABAC tool scans attributes to determine if they match existing policies. 
  3. If the attributes match a policy, the system grants access to the user.

Related content: Read our guide to ABAC security


RBAC and ABAC are access management methods. RBAC grants access to roles, whereas ABAC uses attributes-based policies to grant or deny access.

What is RBAC

RBAC was formalized by the NIST in 1992 and quickly became the standard for SMBs with over 500 employees. It was implemented in user provisioning systems to streamline the joiners, movers, and leavers (JML) human resources (HR) process. It  enables organizations to manage access control by roles instead of the individual user ID or each employee. It involves grouping users and entitlements according to business functions or activities, called roles. 

Organizations can now use RBAC to create flat or hierarchical roles and also include inheritance. The key benefit is using roles as an extra level of abstraction. Roles act as a set of entitlements or permissions. It significantly simplifies access management, enabling organizations to assign one role to hundreds of users, a big advantage while scaling up fast.

How ABAC differs from RBAC

ABAC enables organizations to extend existing roles via attributes and policies. It offers the context needed to make intelligent authorization decisions. Instead of granting access only by roles, ABAC systems account for the role, the relevant actions and resources for the job, the location, time, and how the request is made. 

ABAC policies are based on individual attributes, consist of natural language, and include context. It eliminates the need for hundreds of overloaded roles, enabling administrators to add, remove, and reorganize attributes without rewriting the policy. It requires significantly fewer roles. As a result, it offers simpler identity management.

Related: RBAC vs ABAC

ABAC Model: Pros and Cons

Here are the pros of ABAC:

  • Granular and flexible policies—ABAC limits policies only to attributes and the conditions the computational language can express. It lets the maximum number of users access the maximum available resources without requiring administrators to specify relationships between each user and object. 
  • Compatibility with new users—ABAC enables administrators and object owners to create policies that allow new users to access resources. Once new users get assigned the attributes required to access certain objects, there is no need to modify existing object attributes or rules. As a result, organizations can flexibly onboard new staff and enable external partners.
  • Stringent security and privacy—ABAC enables policy-makers to control situational variables and secure access granularly. It lets administrators implement smart access restrictions that provide context for intelligent security, privacy, and compliance decisions. For example, ABAC can provide the accountant with access to banking information and the payroll administrator with salary information.

The main challenge of ABAC is its scope. It requires mapping authorization policies to create a comprehensive policy set to govern access, a worthwhile investment for organizations with complex requirements, but those with little or no sensitive data should not consider ABAC.

ABAC in the Cloud

ABAC is one of the access models offered by leading cloud providers. Here is how the two leading providers – Amazon Web Services (AWS) and Microsoft Azure have implemented ABAC.


Amazon Web Services (AWS) is a cloud computing vendor that offers ABAC as part of its identity access management (IAM) service. Here is how AWS ABAC works:

  • Use attributes as tags and attach them to IAM resources and IAM entities like roles and users. 
  • Create one or a set of ABAC policies for IAM principals. 
  • Configure AWS ABAC policies to allow operations when a principal’s tag matches a resource tag. 

ABAC is ideal for rapidly-growing environments and complex policy management scenarios. AWS ABAC enables organizations to control access to AWS resources, helping teams and resources grow with little changes to AWS policies. It lets you pass session tags when assuming a role or federating a user and then define policies that use tag condition keys to grant permissions to principals. 

Organizations using a SAML-based identity provider (IdP) can use SAML attributes to set up fine-grained access control within the AWS cloud. SAML attributes include user email addresses, cost center identifiers, project assignments, and department classifications. Passing these attributes as session tags enables you to use them to control access to AWS.

Azure ABAC

Microsoft Azure is a cloud computing vendor that offers various access control management options, including RBAC and ABAC. Azure RBAC is an authorization system for managing access to Azure resources via role definitions and role assignments. Azure ABAC builds on Azure RBAC, adding attributes-based role assignment conditions in context to specific actions. 

A role assignment condition serves as an additional check you can add to a role assignment for granular access control. A condition can filter permissions granted for a role definition and a role assignment. It lets you add a condition that requires a certain object to have a specific tag in order to read this object. However, it does not let you use conditions to explicitly deny access to specific resources.

Azure ABAC enables you to significantly reduce the number of role assignments. Currently, Azure subscriptions have a role assignment limit. In some cases, it can require thousands of role assignments that you also need to manage. You can add conditions to reduce the number of role assignments.

Template for Deploying an ABAC Solution

Here is a template of key factors to consider before deploying an ABAC solution, based on the NIST guidelines.

You can use this template to fill in your organization’s unique considerations for implementing an ABAC solution.

Establish the Business Case for ABAC Implementation

  • Define costs of developing or acquiring new capabilities and transitioning away from legacy technology
  • List the benefits provided by ABAC
  • Map any new risks introduced by ABAC, if any
  • Understand the governance structures required to manage shared capabilities and policy documentation
  • List all datasets, applications, networks, and systems that require ABAC capabilities

Understand the Operational Requirements and Overall Enterprise Architecture

  • Define the management, monitoring, and validation processes of privileges for compliance
  • Determine interfaces and objects to expose for information sharing
  • Choose the relevant ACM
  • Define sharing and management processes and tools for subject and object attributes
  • Specify access control rules, including how to capture, evaluate, and enforce these controls

Establish or Refine Business Processes to Support ABAC

  • Determine whether access rules and policies are fully understood and documented
  • Specify how to identify and assign attributes
  • Define how to handle access failures
  • Specify the parties allowed to create new policies
  • Define how to share and manage common policies

Develop and Acquire an Interoperable Set of Capabilities

  • Determine how to achieve interoperability
  • Define how to integrate subject attributes from identity management integrated into ABAC
  • Determine how to handle unique identities
  • Define how to share and manage subject attributes across enterprise entities
  • Assess centralization tradeoffs in comparison to distributed authentication, attribute management, authorization, and enforcement
  • Specify how to use environment conditions in access decisions
  • Define how to measure confidence, quality, and accuracy for access decisions
  • Specify how to map attributes between organizations

Evaluate Performance

  • Define how to manage subject attributes for disconnected connections, limited bandwidth, or resource-limited users
  • Specify how to measure and enforce the quality and timeliness of changes to attributes
  • Determine measures that indicate adequate overall system and end-to-end performance

ABAC for SaaS Applications with Frontegg

SaaS app usage is becoming more and more unpredictable, with multiplying usage patterns and use cases. TBusinesses need a versatile solution that’s self-served and plug-and-play in nature, enabling engineering teams to focus more on core technology development and customers to enjoy more in-app independence with less friction points. Enter Frontegg.

Frontegg’s SaaS-as-a-Service infrastructure takes user management to the next level by providing users with maximum flexibility when it comes to implementation and adoption for complex use cases and requirements.

Start For Free

See Additional Guides on Key Access Management Topics

Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of access management.





Looking to take your User Management to the next level?

Sign up. It's free