What is Attribute Based Access Control (ABAC)?
Attribute-based access control (ABAC) is an approach to access control in which access rights are granted through policies built from combinations of attributes. ABAC uses attributes as the building blocks for defining access control rules and access requirements. Policies are expressed in a structured language, the eXtensible Access Control Markup Language (XACML), which is intended to be as easy to read and write as natural language.
In an attribute-based access control system, attributes of all kinds, such as user attributes and resource attributes, are used to determine access. These attributes are compared either with defined static values or with other attributes, which makes ABAC a relation-based form of access control. Attributes come in key-value pairs such as 'role = supervisor', which can be used to restrict access to a particular feature of a system. In this case, only users with the designation Supervisor or higher can access that feature of the system.
In an ABAC system, rules are written using XACML. For example, a rule could contain:
'Allow managers to access financial data, provided it comes from the finance department.'
This permits users with the attributes Role = Manager and Department = Finance to access data with the attribute Category = Financial. Other types of users never even reach the login screen, which helps prevent certain types of attacks such as brute-force and library attacks.
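As an added example (not code from the original page, and not a XACML engine), the following minimal Python policy decision point encodes the two rules discussed above: the manager/finance rule and the 'Supervisor or higher' feature rule. It goes slightly beyond the text by comparing a resource attribute against a subject attribute (the data must come from the user's own department) and by denying by default when no rule matches; the role ranking, the feature name and the attribute keys are constructed assumptions.

```python
"""Minimal ABAC policy decision point (PDP), written as an illustration.
Attributes are plain key/value dicts; rules are predicates over a request.
Hypothetical code: it is not XACML and not any product's API."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Attrs = Dict[str, str]

@dataclass
class Request:
    subject: Attrs    # user attributes, e.g. {"role": "Manager", "department": "Finance"}
    resource: Attrs   # resource attributes, e.g. {"category": "Financial"}
    action: str       # e.g. "read"

@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    effect: str = "Permit"   # XACML rule effects are Permit or Deny

# Constructed role ranking so that "Supervisor or higher" can be evaluated.
ROLE_RANK = {"Employee": 0, "Supervisor": 1, "Manager": 2}

def rank(role: str) -> int:
    return ROLE_RANK.get(role, -1)   # unknown roles rank below everyone

# Page rule: managers in Finance may read Financial data. The last clause is an
# attribute-to-attribute comparison: the data's department must match the user's.
finance_rule = Rule(
    "managers-read-finance-data",
    lambda r: r.subject.get("role") == "Manager"
    and r.subject.get("department") == "Finance"
    and r.resource.get("category") == "Financial"
    and r.resource.get("department") == r.subject.get("department")
    and r.action == "read",
)

# Page rule: only Supervisor or higher may use a protected feature (feature name assumed).
supervisor_rule = Rule(
    "supervisor-feature",
    lambda r: r.resource.get("feature") == "approve-timesheets"
    and rank(r.subject.get("role", "")) >= rank("Supervisor"),
)

POLICY: List[Rule] = [finance_rule, supervisor_rule]

def decide(req: Request, policy: List[Rule] = POLICY) -> str:
    """Deny-overrides combining: any matching Deny wins, any matching Permit
    otherwise permits, and a request matching no rule is denied by default."""
    decision = "Deny"
    for rule in policy:
        if rule.condition(req):
            if rule.effect == "Deny":
                return "Deny"
            decision = "Permit"
    return decision
```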