ABAC (Attribute-Based Access Control)
An access control model that evaluates policies against attributes of the user, resource, action, and environment to make authorization decisions.
Description
Attribute-Based Access Control (ABAC) is a flexible authorization model that makes access decisions by evaluating policies against attributes rather than static role assignments. Attributes can describe the subject (user department, clearance level, job title), the resource (classification, owner, creation date), the action (read, write, delete, approve), and the environment (time of day, IP address, device type). Policies combine these attributes using boolean logic to determine access.
ABAC excels in scenarios where RBAC's rigid role structure leads to role explosion. For example, a policy like 'allow doctors to view patient records in their own department during business hours from hospital network' combines subject attributes (role: doctor, department), resource attributes (record department), environment attributes (time, network), and action attributes (view) -- something that would require dozens of specific roles in RBAC. ABAC is defined in the XACML standard and follows the PDP (Policy Decision Point) / PEP (Policy Enforcement Point) architecture.
Implementing ABAC requires a policy engine that evaluates rules at runtime. Open-source options include Open Policy Agent (OPA) with Rego policies, Casbin, and Cedar (from AWS). The policy engine can run as a sidecar, embedded library, or centralized service. Attribute data is gathered from the request context, user directory, and resource metadata. While more powerful than RBAC, ABAC adds complexity in policy management, testing, and debugging -- thorough policy simulation and audit logging are essential.
Prompt Snippet
Implement ABAC using Open Policy Agent (OPA) as the policy decision point. Define Rego policies that evaluate user attributes (role, department, clearance), resource attributes (owner, classification), and environment context (time, IP range). Deploy OPA as a sidecar container alongside your API service. Create a middleware that sends authorization queries to OPA with the full attribute context and enforces the decision. Implement policy versioning, a simulation/dry-run endpoint for testing policies before deployment, and structured decision logging for audit compliance.
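The doctor-record policy from the description and the simulation/dry-run and decision-logging points from the prompt above, worked through as an added example that is not from this page or from OPA: a small Python policy decision point stands in for OPA/Rego, and the hospital network range (10.20.0.0/16), the business hours (08:00 to 18:00) and the sample request are constructed values.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed values for the example: the hospital's address range and business hours.
HOSPITAL_NET = ip_network("10.20.0.0/16")
BUSINESS_HOURS = range(8, 18)  # 08:00 <= hour < 18:00

@dataclass
class Request:
    subject: dict      # e.g. {"role": "doctor", "department": "cardiology"}
    resource: dict     # e.g. {"type": "patient_record", "department": "cardiology"}
    action: str        # e.g. "view"
    environment: dict  # e.g. {"time": "2024-03-05T10:30:00", "source_ip": "10.20.5.7"}

def doctor_record_rule(req: Request) -> bool:
    """The page's example policy as one rule: every attribute condition must hold."""
    try:
        when = datetime.fromisoformat(req.environment["time"])
        src = ip_address(req.environment["source_ip"])
    except (KeyError, ValueError):
        return False  # a missing or malformed environment attribute never grants access
    return (
        req.action == "view"
        and req.subject.get("role") == "doctor"
        and req.resource.get("type") == "patient_record"
        and req.subject.get("department") == req.resource.get("department")
        and when.hour in BUSINESS_HOURS
        and src in HOSPITAL_NET
    )

RULES = {"doctor_own_department_view": doctor_record_rule}

def decide(req: Request, rules: dict = RULES) -> dict:
    """PDP: default-deny; the matched rule name goes into the structured decision log."""
    for name, rule in rules.items():
        if rule(req):
            return {"allow": True, "rule": name}
    return {"allow": False, "rule": None}

def simulate(candidate: dict, requests: list) -> list:
    """Dry run of a candidate rule set: list the requests whose decision would change."""
    changed = []
    for req in requests:
        before, after = decide(req)["allow"], decide(req, candidate)["allow"]
        if before != after:
            changed.append({"request": req, "before": before, "after": after})
    return changed

# Constructed sample request: a cardiology doctor viewing a cardiology record at 10:30 from 10.20.5.7.
SAMPLE = Request({"role": "doctor", "department": "cardiology"},
                 {"type": "patient_record", "department": "cardiology"},
                 "view", {"time": "2024-03-05T10:30:00", "source_ip": "10.20.5.7"})
```

`decide(SAMPLE)` returns `{'allow': True, 'rule': 'doctor_own_department_view'}`; changing any one attribute (department, action, hour, source address) or dropping an attribute flips the decision to deny, and `simulate` reports which recorded requests a proposed rule set would decide differently before it is deployed.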
Related Terms
RBAC (Role-Based Access Control)
An access control model where permissions are assigned to roles, and users are granted roles, simplifying permission management at scale.
Scope-Based Permissions
A permission model where access tokens carry scope strings that define the specific actions and resources the token is authorized to access.
Claims-Based Identity
An identity model where user attributes and permissions are expressed as claims -- name-value pairs -- embedded in tokens or assertions, enabling decoupled and portable identity.
Auth Middleware / Guards
Reusable middleware or guard components that intercept requests to enforce authentication and authorization policies before they reach route handlers.
Privilege Escalation Prevention
Security measures that prevent users from gaining unauthorized access to resources or functions beyond their assigned permissions, whether by elevating their own role or accessing other users' data.