Attribute-Based Access Control (ABAC)

Attribute-based access control (ABAC) is an access control model that evaluates attributes of the subject, the requested action, the object, and the environment against a policy to decide whether access should be granted.

  • generally considered the most fine-grained and flexible access control model
  • is based on specific attributes of a person (subject), a resource (object), the requested action, or the environment
  • makes access decisions based on:
    • a combination of subject and object attributes
    • plus any context-sensitive or system-wide attributes
  • attributes can include:
    • group/role memberships
    • operating system type and version
    • IP address
    • presence of up-to-date patches and antimalware
  • can:
    • monitor the number of events or alerts associated with a user account or with a resource
    • or track access requests to ensure they are consistent in terms of timing or geographic location
    • be programmed to enforce policies such as M-of-N control and separation of duties
  • commonly implemented in infrastructure systems such as networks and telecommunications environments

Subject attributes belong to the individual (or process) requesting access.

  • E.g., a height requirement to ride a roller coaster (height is the subject attribute), or a CAPTCHA that establishes the subject is a human rather than a bot

Environmental attributes describe the context of the request rather than the subject or object, and enable access controls based on environmental conditions.

  • E.g., time-based access
    • a resource is only reachable during business hours
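The following is an added example (not part of the original notes, and not a real product's policy language) of how the attributes listed above combine into one access decision. It models a request as subject, action, object and environment attributes and evaluates a deny-overrides rule set that covers role membership, clearance versus classification, separation of duties, business hours, source IP, device patch and antimalware posture, and the count of recent alerts on the account. The attribute names, the 10.0.0.0/8 corporate range, the clearance ordering, the alert threshold and all sample users and requests are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

# Constructed attribute names, ranges and thresholds (assumptions for illustration).
CORPORATE_NET = ip_network("10.0.0.0/8")
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Request:
    subject: Dict[str, object]      # who: id, roles, clearance, alert count
    action: str                     # what: e.g. "approve"
    resource: Dict[str, object]     # object: type, classification, submitter
    environment: Dict[str, object]  # context: time, source IP, device posture


def role_permits(r: Request) -> bool:
    # Role membership: only the finance role may approve payments.
    if r.action == "approve" and r.resource.get("type") == "payment":
        return "finance" in r.subject["roles"]
    return True

def clearance_sufficient(r: Request) -> bool:
    # Subject attribute vs. object attribute: clearance must dominate classification.
    return LEVELS[r.subject["clearance"]] >= LEVELS[r.resource["classification"]]

def separation_of_duties(r: Request) -> bool:
    # Whoever submitted a payment may not also approve it.
    if r.action == "approve" and r.resource.get("type") == "payment":
        return r.subject["id"] != r.resource.get("submitted_by")
    return True

def business_hours(r: Request) -> bool:
    # Environmental attribute: Monday to Friday, 09:00 to 17:00 only.
    t: datetime = r.environment["time"]
    return t.weekday() < 5 and 9 <= t.hour < 17

def on_corporate_network(r: Request) -> bool:
    # Environmental attribute: request must originate inside the corporate range.
    return ip_address(r.environment["src_ip"]) in CORPORATE_NET

def device_compliant(r: Request) -> bool:
    # Device posture: patches and antimalware must both be current.
    env = r.environment
    return bool(env.get("patched")) and bool(env.get("antimalware_current"))

def not_under_alert(r: Request) -> bool:
    # Event count tied to the account: deny when recent alerts reach the threshold.
    return int(r.subject.get("alerts_last_24h", 0)) < 5

# Deny-overrides: every rule must hold. Order only affects the reported reasons.
RULES: List[Tuple[str, Callable[[Request], bool]]] = [
    ("role_permits", role_permits),
    ("clearance_sufficient", clearance_sufficient),
    ("separation_of_duties", separation_of_duties),
    ("business_hours", business_hours),
    ("on_corporate_network", on_corporate_network),
    ("device_compliant", device_compliant),
    ("not_under_alert", not_under_alert),
]

def decide(req: Request) -> Tuple[bool, List[str]]:
    """Return (allowed, names of failed rules); an empty list means PERMIT."""
    failed = [name for name, rule in RULES if not rule(req)]
    return (not failed, failed)

def sample_requests() -> Dict[str, Request]:
    """Constructed requests, each varying one attribute from the allowed baseline."""
    def make(submitted_by="bob", time=datetime(2024, 3, 12, 10, 30),
             src_ip="10.20.30.40", patched=True, alerts=0):
        return Request(
            subject={"id": "alice", "roles": {"finance"}, "clearance": "confidential",
                     "alerts_last_24h": alerts},
            action="approve",
            resource={"type": "payment", "classification": "confidential",
                      "submitted_by": submitted_by},
            environment={"time": time, "src_ip": src_ip, "patched": patched,
                         "antimalware_current": True},
        )
    return {
        "allowed": make(),                                        # Tuesday 10:30, on-net
        "self_approval": make(submitted_by="alice"),              # SoD violation
        "after_hours": make(time=datetime(2024, 3, 16, 10, 30)),  # Saturday
        "off_network": make(src_ip="203.0.113.7"),                # TEST-NET-3 address
        "unpatched_laptop": make(patched=False),
        "noisy_account": make(alerts=7),
    }

if __name__ == "__main__":
    for name, req in sample_requests().items():
        allowed, reasons = decide(req)
        print(f"{name:17s} {'PERMIT' if allowed else 'DENY'} {reasons}")
```

Returning the names of the failed rules, rather than a bare deny, is what makes a decision auditable: the separation-of-duties denial and the after-hours denial look identical to the user but are very different events to a SOC. Note also that the environment attributes (time, source IP, patch state) have to come from a source the subject cannot control; an ABAC policy is only as trustworthy as the attribute providers feeding it.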