Updated July 1, 2023

According to the National Institute of Standards and Technology (NIST), Attribute-Based Access Control (ABAC) is defined as “an access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.” ABAC is an improvement over simple access control lists and role-based access control, and has grown in popularity over the last decade because it can express fine-grained logical access control directly in terms of attributes and conditions rather than fixed lists of identities or roles.

The goal of Attribute-Based Access Control (ABAC) is to protect assets such as data, network devices, and IT resources from unauthorized users and from actions that violate an organization’s security policies. ABAC is an authorization mechanism that decides access by evaluating attributes (traits) rather than roles alone. Attributes are the characteristics or values of the components involved in an access event: the subject, the resource, the action, and the environment. ABAC compares these attributes against policies, which specify which combinations of attribute values permit a subject to complete an action. 

NIST Special Publication 800-162: Guide to Attribute Based Access Control (ABAC) Definition and Considerations significantly impacted the conversation on ABAC when it was published because it provided a structured and authoritative framework for implementing this access control model.

One of the major contributions of SP 800-162 was the standardization and clarity it brought to the field. Before this publication, the concepts and implementations of ABAC varied widely across different organizations. By offering a standardized set of definitions and guidelines, SP 800-162 helped unify the understanding and application of ABAC, making it easier for organizations to adopt and implement this advanced access control model. To learn more, read the NIST paper, co-authored by NextLabs, here.

Why ABAC?

ABAC enables fine-grained access control and addresses several key security problems that growing enterprises face. One of these is role explosion, which occurs when the number of roles grows unmanageably as the workforce expands, contracts, and is outsourced, and every new combination of permissions needs a role of its own. By using ABAC, businesses can reduce the number of roles they have to create and manage. For instance, you could grant an auditor access to specified finance data across the company without creating a role per data set and without giving them access to other finance information. Access is granted on a need-to-know basis, so business-critical data remains protected.  
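The following is an added example, not code from the original page or from NextLabs, showing how the NIST definition above (subject, object, environment attributes plus policies written over them) and the auditor scenario play out in a minimal policy decision point. All attribute names (`job_function`, `audit_assignment`, `audit_scopes`, `device_managed`), the rule names, and the sample users and records are assumptions constructed for illustration. The combining logic is deny-overrides with a default of deny, which is the conservative choice a practitioner would want; a request that lacks an attribute a rule needs fails closed instead of matching.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# A request is four attribute bags, following the attribute groups in NIST SP 800-162:
# subject, resource (object), action, and environment.
Request = Dict[str, Dict[str, Any]]
Predicate = Callable[[Request], bool]


@dataclass
class Rule:
    name: str
    effect: str                # "permit" or "deny"
    conditions: List[Predicate]

    def matches(self, req: Request) -> bool:
        # A rule applies only when every predicate holds.  A missing attribute raises
        # KeyError; treating that as "does not match" means an incomplete request can
        # never satisfy a permit rule (fail closed).
        try:
            return all(cond(req) for cond in self.conditions)
        except KeyError:
            return False


def decide(rules: List[Rule], req: Request) -> str:
    """Deny-overrides combining: any applicable deny wins, then any applicable
    permit, and a request that no rule covers is denied by default."""
    applicable = [r for r in rules if r.matches(req)]
    if any(r.effect == "deny" for r in applicable):
        return "deny"
    if any(r.effect == "permit" for r in applicable):
        return "permit"
    return "deny"


# Constructed policy set (assumed attribute names; not from any real deployment).
POLICY: List[Rule] = [
    # Staff may read and write finance records that belong to their own department.
    Rule("finance-own-department", "permit", [
        lambda r: r["resource"]["category"] == "finance",
        lambda r: r["subject"]["department"] == r["resource"]["department"],
        lambda r: r["action"]["op"] in {"read", "write"},
    ]),
    # An auditor may read any finance record tagged with the audit they are assigned
    # to, in any department, and nothing else: one rule instead of one role per department.
    Rule("auditor-assigned-scope", "permit", [
        lambda r: r["subject"]["job_function"] == "auditor",
        lambda r: r["resource"]["category"] == "finance",
        lambda r: r["subject"]["audit_assignment"] in r["resource"]["audit_scopes"],
        lambda r: r["action"]["op"] == "read",
    ]),
    # Environment condition: confidential records are never served to an unmanaged device.
    Rule("confidential-managed-device-only", "deny", [
        lambda r: r["resource"]["classification"] == "confidential",
        lambda r: not r["environment"]["device_managed"],
    ]),
]


def request(subject: Dict[str, Any], resource: Dict[str, Any], op: str,
            device_managed: bool = True) -> Request:
    """Assemble the four attribute bags for one access event."""
    return {"subject": subject, "resource": resource,
            "action": {"op": op}, "environment": {"device_managed": device_managed}}


# Constructed sample subjects and resources.
AUDITOR = {"user": "pat", "job_function": "auditor", "department": "internal-audit",
           "audit_assignment": "FY23-revenue"}
ANALYST = {"user": "sam", "job_function": "analyst", "department": "sales",
           "audit_assignment": None}
SALES_LEDGER = {"id": "sales/ledger-2023", "category": "finance", "department": "sales",
                "classification": "confidential", "audit_scopes": {"FY23-revenue"}}
SALES_PAYROLL = {"id": "sales/payroll", "category": "finance", "department": "sales",
                 "classification": "confidential", "audit_scopes": set()}


def run_scenarios() -> Dict[str, str]:
    """Evaluate the worked cases from the text and return scenario -> decision."""
    return {
        "auditor reads in-scope ledger in another department":
            decide(POLICY, request(AUDITOR, SALES_LEDGER, "read")),
        "auditor reads out-of-scope payroll":
            decide(POLICY, request(AUDITOR, SALES_PAYROLL, "read")),
        "auditor writes in-scope ledger":
            decide(POLICY, request(AUDITOR, SALES_LEDGER, "write")),
        "analyst reads own-department payroll":
            decide(POLICY, request(ANALYST, SALES_PAYROLL, "read")),
        "analyst reads payroll from unmanaged device":
            decide(POLICY, request(ANALYST, SALES_PAYROLL, "read", device_managed=False)),
        "request with missing attributes":
            decide(POLICY, {"subject": {}, "resource": {}, "action": {}, "environment": {}}),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{outcome:6}  {scenario}")
```

The auditor is permitted to read the sales ledger because the record carries the audit scope they are assigned to, even though they are not in the sales department, while the payroll record, which carries no audit scope, stays out of reach. The same analyst who is permitted on a managed device is denied from an unmanaged one because the environment-based deny rule overrides the department permit. Adding a new department or a new audit changes attribute values on users and records, not the policy.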

ABAC serves as a powerful core technology that provides:  

  • Flexibility and extensibility: solutions and capabilities can be implemented on a component-by-component basis, or as a whole, without constant costly modifications.  
  • Need-to-know access: users receive access on a need-to-know basis, ensuring that only the right people can reach a given data set or resource.  
  • Efficient policy management and consistent enforcement: organizations can close security gaps and reduce errors, improving regulatory compliance.  
  • Privacy compliance: privacy policies are enforced as part of the same attribute-based rules. 

Benefits of ABAC

With ABAC, data is protected while remaining accessible to the users who need it. In real time, you can regulate who can do what, when, how, why, from where, and with what device. Role-Based Access Control (RBAC) grants access based on a user’s position within the business; ABAC, by contrast, gathers contextual attributes and evaluates each access request dynamically against many more attributes than the user’s role alone. Further, ABAC helps maintain data integrity by ensuring that sensitive data can be accessed only by the appropriate users under the appropriate conditions, and that the application’s handling of data complies with the relevant business rules. 

Because it keeps businesses agile while keeping them secure, ABAC is widely adopted as the authorization model of choice for organizations. ABAC allows organizations to create a more secure environment in which only authorized users have access to particular data or systems. This helps protect organizations from malicious attacks, as it keeps core data assets away from unintended users while reducing the effort required to create and maintain policies. 

For more information about ABAC, you may refer to The Definitive Guide to ABAC.