Attribute-Based Access Control (ABAC)

Attribute-based access control (ABAC) has emerged as the next-generation technology for securing business-critical data. The complexities of today's IT landscape (cloud apps, data silos, mobile, IoT, Big Data) have exposed the limitations of role-based access control (RBAC) solutions, leaving organizations vulnerable on the data security front. As part of a consortium tasked with creating a reference architecture for ABAC, NextLabs was selected by the National Institute of Standards and Technology (NIST) to help define the core capabilities and benefits of ABAC.

What is ABAC?

According to NIST, ABAC is defined as “an access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.”

With ABAC solutions, access to business-critical data is determined by attributes rather than roles. These attributes are characteristics of the user, the data, or the environment, such as group, department, employee status, citizenship, position, device type, IP address, or any other factor that could affect the authorization outcome. Attributes can be sourced from the protected applications and systems themselves, and can also be retrieved from any other data source, such as employee information from an internal HR system, customer information from Salesforce, databases, LDAP servers, or even a business partner's directory for federated identities.

The applications and data a user can access, the transactions they can submit, and the operations they can perform change automatically as these contextual factors change. The net effect is that organizations using ABAC can make smarter access decisions based on real-time information.

ABAC Examples

  • An engineer who is reassigned to a different project can automatically access information related to the new project but not the previous one.
  • An account executive who is reassigned to a new territory is automatically able to see accounts and products in the new territory but can no longer access anything from the old territory.
  • A finance manager can only download documents when he or she is physically in the US.
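The three examples above, worked through as a small default-deny policy evaluator (an added illustration, not NextLabs' product code; the attribute names position, project, territory, employee_status and country are assumed for the example). Note that reassignment is handled by changing a subject attribute, not by rewriting any policy.

```python
from dataclasses import dataclass, field

# Constructed attribute bags for one request. In a real deployment the subject
# attributes would come from HR/LDAP, the object attributes from the protected
# system, and the environment attributes (device, IP-derived country) from the
# request context, all fetched at decision time.
@dataclass
class Request:
    subject: dict
    obj: dict
    action: str
    environment: dict = field(default_factory=dict)

def active(s):
    """Precondition shared by every rule: only active employees get anything."""
    return s.get("employee_status") == "active"

# Each policy is (name, predicate over subject, object, environment, action).
# Attribute names are illustrative assumptions for this example.
POLICIES = [
    ("engineer-current-project", lambda s, o, e, a:
        active(s) and s.get("position") == "engineer" and a == "read"
        and o.get("type") == "project-doc" and o.get("project") == s.get("project")),
    ("ae-own-territory", lambda s, o, e, a:
        active(s) and s.get("position") == "account-executive" and a == "read"
        and o.get("type") in {"account", "product"}
        and o.get("territory") == s.get("territory")),
    ("finance-download-in-us", lambda s, o, e, a:
        active(s) and s.get("position") == "finance-manager" and a == "download"
        and o.get("type") == "finance-doc" and e.get("country") == "US"),
]

def decide(req):
    """Evaluate policies in order; permit on first match, otherwise default deny."""
    for name, rule in POLICIES:
        if rule(req.subject, req.obj, req.environment, req.action):
            return "PERMIT", name
    return "DENY", None

if __name__ == "__main__":
    eng = {"position": "engineer", "employee_status": "active", "project": "apollo"}
    apollo_doc = {"type": "project-doc", "project": "apollo"}
    print(decide(Request(eng, apollo_doc, "read")))   # ('PERMIT', 'engineer-current-project')
    eng["project"] = "zephyr"                          # reassignment: only the attribute changes
    print(decide(Request(eng, apollo_doc, "read")))   # ('DENY', None)
```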