What is Attribute-Based Access Control? Explained
Harsh Sahu
CTO
April 2024 | 12 mins
Attribute-based access control is an authorization or access control model that grants access of data to users based on organization’s security policies, attributes of the user (such as name), the type of ownership of data by the user, and environmental conditions.
NIST defines Attribute-Based Access Control as, “An access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.”
Traditionally access control models has relied on identifying a user and their assigned roles or groups to determine their permissions, such as the ability to read a file. This method can be cumbersome due to the need to directly link capabilities to users or their roles.
Merely using identity, roles, and groups to dictate permissions often falls short in addressing real-world access scenarios. An alternative, known as Attribute-Based Access Control (ABAC), uses various attributes of the user, the object, and the environment to make more relevant and dynamic access decisions.
Attribute-Based Access Control (ABAC), also known as policy-based access control is highly adaptable and can be customized using a wide range of attributes. It serves as the go-to model for defining a strict access policy in distributed or rapidly changing business environments.
ABAC is based on four main components:
Subject attributes refers to the user that is requesting access to a resource. The subject is characterized by attributes that define its identity, such as user ID, job title, department, or security clearance. These attributes help in determining whether the subject should be granted access based on the policies in place.
Resource attribute is the target of the access request, typically a file, database, device, or network service. Resources are also defined by attributes which may include the type of resource, sensitivity level, owner, or location. These attributes are crucial in specifying access controls that are appropriate for the resource's level of confidentiality or integrity.
This component specifies what operation the subject(user) is attempting to perform on the resource. Actions can vary widely depending on the resource type and include operations like read, write, delete, or execute. The action component is vital for defining fine-grained access controls that ensure subjects can only perform authorized actions on resources.
This encompasses the situational context or conditions under which access is being requested. Environmental attributes might include the time of the day, the location of access, the current risk level, or the state of a system. For instance, access to certain resources might be restricted during off-hours or from external networks. Environmental conditions help in adapting access controls to dynamic contexts, enhancing security based on real-time assessments.
Let’s take an example of a subject, Nancy Smith (who is a Nurse Practitioner in the Cardiology Department), and who is assigned a set of subject attributes upon employment. She can view patient records in the Cardiology Department and this applicable during her work hours.
Now let’s use the four components of ABAC to see how ABAC actually works.
In this ABAC example, an access control rule is created using the attributes of the subject (Nancy Smith, Nurse Practitioner, Cardiology Department) and the resource (folder with Cardiology Medical Records).
This rule allows Nurse Practitioners in the Cardiology Department to view these specific medical records. If any attribute changes, such as a change in department or job role for Nancy, her access can be automatically updated or revoked based on the new attributes without redefining the relationship between her and the objects she accesses. This dynamic capability of ABAC ensures that access control remains relevant and secure with minimal maintenance.
ABAC allows administrators to set access controls without needing to know who specifically will need access. As new members join an organization, there's no need to modify existing rules or object attributes; as long as they have the necessary attributes, they can access the required resources. This ability to automatically accommodate new and unanticipated users without additional adjustments is a key advantage of using ABAC.
The advantages of Attribute-Based Access Control (ABAC) are numerous and contribute to its effectiveness in managing complex security requirements in diverse environments.
ABAC allows for highly specific access rules based on detailed attributes of users and resources. This precision ensures that individuals only access what they need to, enhancing security efficiency.
ABAC adjusts permissions in real-time based on the changing attributes of users, resources, and environmental conditions. This means access can be granted or denied based on situational context, such as the user's location or time of access.
Access decisions can be made based on the content within the resource itself, such as the type of sensitive data or labels, allowing for more nuanced security measures that are tailored to the content being accessed.
ABAC provides a continuous assessment of security policies, ensuring that permissions are always current and reflect the latest attribute values of all elements involved.
This approach focuses on the attributes of the resources (objects) and the conditions of the environment, rather than just the credentials of the user, making it more robust in securing assets across varied scenarios.
ABAC can govern access without needing to know the identity of the requester, focusing instead on the attributes associated with them. This is particularly useful in scenarios requiring privacy preservation and minimal disclosure of identity.
ABAC can incorporate multiple factors or attributes in the decision-making process, such as user role, location, device security status, and time, among others. This multi-faceted approach reduces the likelihood of unauthorized access.
ABAC's rules can be easily modified and extended without significant overhauls to the system, accommodating changes in business policies, regulatory requirements, and technological advancements.
ABAC has more benefits than any other access control model, when it comes to maintaining a robust data security posture.
But, it does have two limitations:
ABAC's reliance on a detailed set of attributes for users, resources, and environments can make the initial setup complex and resource-intensive. Defining and mapping out all relevant attributes and their interdependencies requires thorough planning and understanding of the organizational processes.
The dynamic nature of ABAC, with potentially millions of attribute combinations and conditions affecting access decisions, can make auditing a challenge. It can be difficult to track why certain decisions were made, especially when multiple attributes and complex policies are involved.
While the limitations can’t be ignored, it is a fact that ABAC as an authorization model can serve to a greater benefit, once it is off the ground.
Attribute-Based Access Control (ABAC) can be applied across a range of contexts to enhance security and access management. Few use cases for ABAC includes:
ABAC can manage access to data stored in a data lake by assigning attributes to data based on sensitivity, source, and type. Access can be dynamically adjusted based on the attributes of the user and the context, such as the user’s role, location, or time of access. This ensures that only authorized personnel can access sensitive data under the right conditions.
In firewall configurations, ABAC can dynamically allow or block traffic based on attributes of network traffic, such as IP addresses, protocols, applications, and the type of content being transmitted. This allows for more granular and context-sensitive network security policies.
ABAC can control user actions within applications based on their attributes, including role, department, or clearance level. This ensures that users can only perform actions that are necessary for their roles, enhancing both security and operational efficiency.
ABAC can be used to fine-tune access to databases by assigning attributes to database records. Access can then be controlled based on these attributes and the attributes of the accessing user, such as job role or department, ensuring that employees access only the data necessary for their functions.
ABAC can secure data across various storage mediums and platforms by enforcing access controls based on the sensitivity of the data and compliance requirements. It ensures that data access is compliant with legal and regulatory standards by dynamically adapting permissions.
In cloud environments, ABAC can manage access to resources based on user attributes and environmental conditions, such as device security status or location. This is particularly effective in multi-cloud environments where access needs to be rigorously controlled.
ABAC is ideal for healthcare settings to manage access to patient records and other sensitive health information. Access can be controlled based on the professional role of the healthcare provider, the relationship to the patient, and other relevant attributes.
ABAC helps organizations comply with various regulatory compliance requirements by enforcing access controls that are in line with laws like GDPR, HIPAA, or SOX. It allows for the creation of policies that automatically adapt to changes in regulatory landscapes.
According to Verizon’s 2022 Data Breach Incident Report, 82 percent of data breaches involved the human element, stemming from credential theft, phishing attacks, employee misuse or mistakes. Proper access control may have prevented many of these breaches.
On top of this, poor access management leads to “privilege creep.” The Verizon report found that business insiders carried out 20% of data breaches. These breaches are often associated with “privilege creep,” in which employees end up with more privileges than necessary, allowing them to access resources they no longer need.
Role-based access control is now the traditional approach to securing access as it considers only role of the user and never the “privilege creep”. While on the other hand, ABAC is much more advanced and recommended by organizations such as NIST.
To start your ABAC framework and implement it across your organization’s various structure and unstructured data, sign up for OptIQ Data Security Platform.
ABAC is a security model that grants or denies access to resources based on attributes associated with users, resources, and the operational environment. It evaluates rules and policies that use these attributes to make real-time access decisions, allowing for dynamic, flexible, and fine-grained control over who can see or use different types of information and services.
ABAC offers several key advantages including dynamic access control based on context, fine-grained security permissions, and the ability to handle complex access scenarios involving multiple users and resources. It is highly adaptable to changing conditions and can enforce security policies that consider a wide range of attributes, making it ideal for environments requiring rigorous data protection and regulatory compliance.
