Attribute-based access control (ABAC) is an access control method where consumer requests to access or perform operations on resources are granted or denied based on attributes of the consumer, attributes of the resource, environment conditions, and a set of policies that are specified in terms of those attributes and conditions. ABAC determines access or operations on resources by matching the current value of consumer attributes, resource attributes, and environment conditions with the requirements specified in the access control rules.
The ABAC mechanism is made up of a policy decision point that evaluates authorization of the consumer and a policy enforcement point that considers the decision point decision and executes the actual access if approved.
- Attributes are characteristics of the consumer, resource, or environment conditions.
- The consumer is a person or non-person entity (NPE), such as a service or device that requests resources or to perform operations on resources.
- A resource is a system resource for which access is managed by the ABAC system, including devices, files, records, tables, processes, programs, networks, or domains containing or receiving information. It can be anything on which an operation may be performed by a consumer, including data, applications, services, devices, and networks.
- Policy is the representation of rules and relationships for determining if a requested access should be allowed, given the values of the attributes of the consumer, provider, and environmental conditions.
- Environmental conditions are the operational or situational context in which access requests occur. They are independent of the consumer and resource, and as an example can be the current time, day of the week, location of a consumer, or the current threat level.
Figure 1 - An example of a basic ABAC architecture.
The following steps are involved in ABAC, as shown in Figure 1:
- The consumer requests access to the resource. The consumer must prove possession of an authentication token, which is not shown. Refer to the Cloud Resource Access Control pattern.
- The ABAC mechanism evaluates (a) rules, (b) access policy, (c) consumer and resource attributes, and (d) environmental conditions, and renders an access decision.
- If authorized, the consumer is given access to the resource by the policy enforcement point.
In its most complete form, ABAC relies on the evaluation of attributes of the consumer, attributes of the resource, environment conditions, and the formal relationship, access control rule or policy defining the allowable operations for subject-object attribute combinations. Lesser combinations of the components of the architecture can be used as required. When policy is used, this architecture can also be referred to as policy-based access control.