What is Attribute-Based Control (ABAC)?Link to this section
There are a growing number of authorization models used to keep data, networks, and resources protected from unauthorized users.
Attribute-based access control (ABAC) grants access to users based on their set of characteristics. This model bases authorization on whether a user’s certain attributes match an organization’s defined set of rules and policies.
While ABAC can be complex in its design and implementation, once applied it offers many benefits for organizations looking to have a flexible yet granular way of granting users permissions while also providing enhanced security.
Attribute-based control (ABAC) definedLink to this section
ABAC is an identity management authentication system that grants authorization based on attributes instead of roles.
In short, ABAC gives users access based on who they are instead of what they do. This allows for the right information to be accessed by the right people at the right time.
The goal of ABAC is to protect an organization’s data, IT resources, and network infrastructure from unauthorized users who don’t meet the characteristic standards defined by the organization’s security policy.
The main elements of ABACLink to this section
ABAC systems are created by establishing a set of rules which determine which attributes are allowed to be granted access. Attributes are broken up into four major categories: subject, resource, action, and environment.
SubjectLink to this section
Subjects are the users attempting to request access to a resource to perform an activity. User profiles contain the subjects’ characteristics and attributes which can include job roles, ID, group membership, department membership, security clearance, and other identifiable characteristics.
ResourceLink to this section
A resource is an object or asset (such as a server, application, or file) that the subject wants access to. Identifying attributes of a file (like its name, type, creation date, and ownership) are seen as resource attributes.
ActionLink to this section
This element captures what a user wants to do with a particular resource. This typically involves things like viewing, reading, writing, editing, transferring, copying, approving, or deleting a file.
In some cases, an action can have multiple attributes like when you’re transferring money via your mobile banking app. In this case, there are two attributes: the action type which is a transfer of money, and the desired amount of money.
EnvironmentLink to this section
The environment is the context in which access is being requested. This typically includes characteristics like the time and place access is being requested from and the subject’s device.
The environment also provides contextual attributes that relate to any risks or threats established by the organization, such as how many requests were made in the last 24 hours, the user’s regular behavior patterns, and authentication strength.
How ABAC worksLink to this section
The ABAC system makes access decisions in two ways. The ABAC system evaluates how attributes interact in an environment and enforces rules and relationships.
With ABAC, admins have far more nuanced control and can grant access based on various sets of attributes that work together.
- Subjects: which user needs to perform an action?
- Object: what resource or file does the user need to perform an action with?
- Operation: what action does the user perform with the resource?
The ABAC system examines attributes against a set of defined rules. These rules set out which combinations of attributes can be used to grant access to a user so they can perform an action with an object. This process involves these steps:
- The user requests access.
- ABAC scans attributes to decide whether they match existing policies.
- If they match, the system grants access to the user.
The benefits of ABACLink to this section
ABAC offers organizations various benefits, particularly for larger organizations that are onboarding new users. This model gives organizations the ability to scale and grow their teams and business rapidly, without compromising their network’s level of security.
Plus, ABAC provides enhanced security by granting access based on attributes which also makes management simpler because fewer policies are required for different job functions.
Flexible policiesLink to this section
The main benefit of ABAC is its flexibility. Policy-making in ABAC is determined by the set of attributes that must be accounted for and that the computational language can convey.
ABAC allows for the maximum number of users to have access to the maximum number of resources without requiring admins to specify the relationship between each user and object.
Admins have the power to adjust attributes and access control policies to meet the needs of an organization. For example, admins can define new access policies and controls for external users like suppliers and contractors without making changes to each subject-object relationship.
Essentially, ABAC provides access to a bunch of different situations with minimal involvement from admins.
Compatibility with new usersLink to this section
Admins can use ABAC to define policies that give permission to new subjects to access objects. If new subjects are allotted with the needed attributes to access objects, admins don’t need to change existing rules or object attributes.
This makes it really simple to onboard new staff and permit external partners who need access to resources.
Rigorous security and privacyLink to this section
ABAC allows policy-makers to have direct control over situational variables and secure access at a granular level. Since ABAC grants access based on attributes, it provides an additional layer of protection that you don’t see with role-based access control (RBAC).
With ABAC, admins can set access permissions and restrictions that account for contextual factors which provide for more rigorous security and privacy.
The drawbacks of ABACLink to this section
The benefits of ABAC exceed its limitations. However, as with all authentication systems, there are some drawbacks to be aware of.
Complexities in design and implementationLink to this section
The main drawback of ABAC is how complex it is to implement.
While ABAC is simple to use once it’s been set up, admins have to spend time manually determining attributes and assigning them to each component, and setting up a centralized policy that determines which characteristics provide access based on certain conditions.
This requires a lot of time and effort, which is why it’s not recommended for organizations with little or no complex and sensitive data. However, ABAC is a great long-term and financially sustainable payoff for organizations with complex demands.
Comparing RBAC vs ABACLink to this section
Role-based access control (or RBAC for short) grants access to users based on their role within an organization. In RBAC, roles are typically defined by characteristics like which department a user belongs to, their seniority level, work duties, and location.
The biggest advantage for RBAC is that granting and revoking access is based on roles rather than basing it on an individual level. For small to medium-sized organizations, RBAC is a simple substitute for ABAC. However, as your business grows, RBAC can be more complex to manage because it’s harder to oversee hundreds of roles.
Although ABAC is harder to implement, once it’s established, ABAC is far more efficient for larger organizations. Plus, it allows for elevated security levels and ABAC’s policies are simpler to apply when new users and external stakeholders are onboarded.
Which access control model is right for you?Link to this section
Both ABAC and RBAC have their set of benefits and drawbacks and they’re suited to different types of organizations based on their size and needs.
ABAC is preferable when:
- You’re a large organization with many users
- You have the time to invest in the ABAC model
- You want specific access to resources and have various external stakeholders that need access to resources
RBAC is preferable when:
- You’re a small to medium organization
- The number of external users needing access to resources is small
- Your organization’s roles are determined clearly
ABAC protects objects and resources from unauthorized users based on whether their characteristics match up with an approved set of rules.
While ABAC is complex in the design and implementation stage, once established, ABAC provides various benefits from flexible policies to enhanced security that make it the model of choice for larger companies and enterprises.