Introduction to ABAC, Attribute Based Access Control

ABAC is Attribute Based Access Control

Attribute based access control (ABAC) is an access control model and architecture for automated, externalized digital authorization, as described by NIST.
ABAC includes a policy decision service that evaluates digital policies against the available data (attributes) and renders a decision to permit or deny access to the requested resource.

ABAC Supports Computable Policies

ABAC supports fine-grained policies that enable context-sensitive, dynamic security. Here are use case examples:
  • Show customer account information only to supervisors who have completed 15 hours of training and who make the request during business hours.

  • Permit system access only to users who are logging in from specific geographic locations.

  • If a supervisor tries to access a customer's account information five times during a single day, deny access and email an alert to the security manager.

ABAC Provides Externalized Authorization

The basic components of attribute based access control (ABAC) are:

Policy Store

The policy store is a collection of logical rules and policies that guide access decisions.


Policy Editor

The policy editor is a software tool that allows administrators to create and edit policies that are evaluated and enforced by the decision engine.


Policy Information Point

The policy information point (PIP) encompasses enterprise data stores such as LDAP, MySQL, or Oracle that hold relevant details, or "attributes." Attributes are the data points used to evaluate a user's request against policy.


Policy Decision Service

The policy decision service is an "engine" that evaluates user requests against relevant policies and attributes, renders a decision about access, and triggers appropriate system responses and actions.


Policy Enforcement Point

The policy enforcement point (PEP) intercepts requests for access and forwards them to the policy decision service for authorization.
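The components described above, wired together in a small added example (not code from the original page): a constructed attribute store stands in for the PIP, three rules encode the use cases listed earlier, the PDP combines them with deny-overrides and a default deny, and the PEP only enforces the answer. The business-hours window (09:00 to 17:00 on weekdays), the country allow-list and the attribute values are assumptions for illustration.

```python
from datetime import datetime
# Constructed attribute store standing in for the PIP's LDAP/SQL backends.
USER_ATTRS = {
    "alice": {"role": "supervisor", "training_hours": 20},
    "bob": {"role": "supervisor", "training_hours": 8},
}
ALLOWED_COUNTRIES = {"US", "CA"}   # assumed allow-list for the geo rule
ALERTS: list[str] = []             # stands in for the email to the security manager

def pip_lookup(user: str) -> dict:
    """Policy Information Point: fetch the subject's attributes from the store."""
    return USER_ATTRS.get(user, {})
def business_hours(iso_time: str) -> bool:
    t = datetime.fromisoformat(iso_time)        # assumed window: Mon-Fri, 09:00-17:00
    return t.weekday() < 5 and 9 <= t.hour < 17

# Policy store: each rule returns "permit", "deny" or None (not applicable).
def rule_account_view(subj, action, res, env):
    if res != "customer_account" or action != "read":
        return None
    ok = (subj.get("role") == "supervisor" and subj.get("training_hours", 0) >= 15
          and business_hours(env["time"]))
    return "permit" if ok else "deny"

def rule_login_geo(subj, action, res, env):
    if action != "login":
        return None
    return "permit" if env.get("country") in ALLOWED_COUNTRIES else "deny"

def rule_account_rate(subj, action, res, env):
    # reads_today counts this request; the fifth attempt in a day is denied and alerted.
    if res != "customer_account" or subj.get("role") != "supervisor" or env.get("reads_today", 0) < 5:
        return None
    ALERTS.append(f"security manager: {env['user']} hit 5 account reads today")
    return "deny"

POLICY_STORE = [rule_account_view, rule_login_geo, rule_account_rate]

def pdp_decide(user, action, resource, env) -> str:
    """Policy Decision Service: run every applicable rule; deny overrides permit, default deny."""
    subj = pip_lookup(user)
    ctx = {**env, "user": user}
    results = {r(subj, action, resource, ctx) for r in POLICY_STORE} - {None}
    if "deny" in results:
        return "deny"
    return "permit" if "permit" in results else "deny"

def pep_handle(user, action, resource, env) -> bool:
    """Policy Enforcement Point: intercept the request, ask the PDP, enforce its answer."""
    return pdp_decide(user, action, resource, env) == "permit"
```

Because the rules live in the policy store rather than in the application, changing the training threshold or the allowed countries never touches the PEP.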
