Glossary>Attribute-Based Access Control (ABAC)

Attribute-Based Access Control (ABAC)

Access control method that evaluates user/resource/environment attributes against policies to make dynamic authorization decisions.

NIST SP 800-162 ABAC GuideGartner ABAC ResearchUsed in Government, Healthcare

What is Attribute-Based Access Control (ABAC)?

Attribute-Based Access Control (ABAC) is an access control method that grants or denies access based on policies that evaluate attributes of the user, resource, and environment.

Types of attributes in ABAC:

  • User attributes: Role, department, clearance level, location, age
  • Resource attributes: Owner, classification level, creation date, department
  • Environment attributes: Time of day, location, device type, threat level
  • Action attributes: Read, write, delete, approve

ABAC evaluates Boolean rules (XACML or ALFA policies) that combine these attributes. Unlike RBAC (which uses roles), ABAC can express complex, context-aware policies without creating countless roles.

Analogy

Think of ABAC like a smart building access system. Instead of just checking if you have a 'Manager' badge (RBAC), it checks: (1) Is your badge active? (user attribute), (2) Is this your home floor? (resource attribute), (3) Is it business hours? (environment attribute). All must be true to grant access.

Types and Use Cases

  • Government: Allow access only if clearance=TopSecret AND location=SecureFacility AND time=businessHours
  • Healthcare: Allow doctors to view records only if department=Cardiology AND patient belongs to their ward
  • Enterprise: Allow document access if user.department=document.department AND time=09:00-17:00
  • CIAM: Allow profile editing if user.id=resource.ownerId AND device=trusted

How it Works

1
User attempts to access a resource (e.g., view document)
2
ABAC system collects attributes: user (role, department), resource (owner, classification), environment (time, location)
3
Policy engine evaluates attributes against defined policies (XACML/ALFA)
4
If policy evaluates to true, access is granted; if false, access is denied
5
Audit log records the decision and attributes used for compliance
terminal
<!-- XACML Policy Example -->
<Policy>
  <Rule Effect="Permit">
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="string-equal">
            <AttributeValue>doctor</AttributeValue>
            <AttributeDesignator Category="user" AttributeId="role"/>
          </Match>
          <Match MatchId="string-equal">
            <AttributeValue>cardiology</AttributeValue>
            <AttributeDesignator Category="user" AttributeId="department"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
  <Rule Effect="Deny"/>
</Policy>
```

```javascript
// ABAC Policy Evaluation (Simplified)
function canAccess(user, resource, action, environment) {
  // Policy: Allow if user.department === resource.department AND environment.time is business hours
  const isBusinessHours = environment.time >= 9 && environment.time <= 17;
  const sameDepartment = user.department === resource.department;
  
  return isBusinessHours && sameDepartment;
}

Attribute-Based Access Control (ABAC) vs Role-Based Access Control (RBAC)

Attribute-Based Access Control (ABAC)
Role-Based Access Control (RBAC)

ABAC uses attributes (department, time, location) to make decisions

RBAC uses roles (admin, user)

ABAC is more flexible (complex policies)

RBAC is simpler to manage (fewer roles)

ABAC can express context-aware rules

RBAC is static (role assignment doesn't change dynamically)

Best Practices for Attribute-Based Access Control (ABAC)

  • Start with RBAC: Use RBAC as base, add ABAC for complex scenarios (don't start with pure ABAC)
  • Define clear attributes: Standardize attribute names and values across your organization
  • Keep policies readable: Use ALFA or high-level policy languages, avoid complex nested XACML

How LoginRadius Powers Attribute-Based Access Control (ABAC)

LoginRadius CIAM platform supports Attribute-Based Access Control through custom user attributes, policy-based authorization engine, and RBAC+ABAC hybrid models. Our platform allows defining unlimited user/resource attributes, creating attribute-based policies for API and feature access, and provides detailed audit logs of all attribute-based authorization decisions. LoginRadius also offers policy templates for common ABAC scenarios (time-based, location-based, department-based access).

Resources

Documentation

View Security Docs

Blog

RBAC Vs ABAC

FAQs

RBAC (Role-Based) assigns permissions to roles (admin, user). ABAC (Attribute-Based) evaluates user/resource/environment attributes against policies. RBAC is simpler (fewer roles), ABAC is more flexible (can express complex policies like 'allow if department=Sales AND time=business hours'). Many organizations use RBAC as base + ABAC for exceptions.

Use ABAC when: (1) Policies are context-dependent (time, location, device), (2) Dynamic conditions (temporary access, project-based), (3) Fine-grained control (user.department must match resource.department). For simple scenarios (admin vs. user), RBAC is sufficient and easier to manage.

LoginRadius provides ABAC capabilities through: (1) Custom user attributes - define any attributes (department, clearance, etc.), (2) Policy engine - evaluate attributes against custom authorization rules, (3) RBAC + ABAC - combine role-based and attribute-based access control, (4) API policies - enforce attribute-based rules on API endpoints, (5) Audit logs - record all attribute-based decisions for compliance.

Related Terms

role based access controlauthorizationfine grained authorization

Customer Identity, Simplified.

No Complexity. No Limits.
Thousands of businesses trust LoginRadius for reliable customer identity. Easy to integrate, effortless to scale.

See how simple identity management can be. Start today!
Free Trial
Contact Sales