InfoSec Notes
Understanding ABAC policies that evaluate multiple attributes of subjects, resources, actions, and environment for fine-grained access decisions.
Overview
ABAC makes access decisions based on attributes (properties) of the subject, resource, action, and environment. This provides the most flexible and granular access control model, capable of expressing complex policies that RBAC cannot handle.
ABAC Decision Process
========================
Request Attributes
Subject: {role: "doctor", department: "cardiology", license: "active"}
Resource: {type: "patient_record", department: "cardiology", sensitivity: "high"}
Action: {type: "read"}
Environment: {time: "14:00", location: "hospital_network", device: "workstation"}
Policy: "Doctors can read patient records in their department during work hours from hospital network"
Evaluation
subject.role == "doctor" ✓
subject.department == resource.department ✓
subject.license == "active" ✓
environment.time between 08:00-18:00 ✓
environment.location == "hospital_network" ✓
→ ACCESS GRANTED
ABAC Components
| Component | Attributes | Example |
|---|---|---|
| Subject | Role, department, clearance, location | user.department = "finance" |
| Resource | Type, owner, sensitivity, classification | file.sensitivity = "high" |
| Action | Read, write, delete, approve | action.type = "approve" |
| Environment | Time, date, IP, device type, threat level | env.time = "business_hours" |
Python ABAC Implementation
ABAC vs RBAC Comparison
| Feature | RBAC | ABAC |
|---|---|---|
| Granularity | Role-level | Attribute-level (very fine) |
| Flexibility | Static role assignments | Dynamic attribute evaluation |
| Complexity | Low-medium | High |
| Scalability | Role explosion problem | Scales with attributes |
| Context-aware | No (or limited) | Yes (time, location, etc.) |
| Standards | NIST RBAC | XACML, ALFA |
| Best for | Stable organizations | Dynamic, complex requirements |
Interview Questions
- When would you choose ABAC over RBAC?
- When access decisions depend on context (time, location, device), when you need fine-grained per-resource policies, when role explosion becomes unmanageable, or when policies need to consider relationships between subject and resource attributes.
- What is XACML and how does it relate to ABAC?
- XACML (eXtensible Access Control Markup Language) is the standard language for expressing ABAC policies. It defines a reference architecture with Policy Decision Point (PDP), Policy Enforcement Point (PEP), Policy Information Point (PIP), and Policy Administration Point (PAP).
- What are the challenges of implementing ABAC?
- Complex policy management, performance overhead of evaluating multiple attributes, difficulty in policy auditing/testing, attribute accuracy and freshness requirements, and higher initial implementation cost compared to RBAC.
- How can RBAC and ABAC be combined?
- Use RBAC for basic role assignment and ABAC for additional constraints on those roles. Example: Role "Manager" grants base permissions, ABAC adds constraints like "only during business hours" or "only for their department's data."
- Give an example of a policy that ABAC can express but RBAC cannot.
- "Employees can access documents only from their own department, during business hours, from a company-managed device, and only if the document's sensitivity level doesn't exceed their clearance." This requires evaluating multiple attributes simultaneously.
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for Attribute-Based Access Control (ABAC).
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Information Security topic.
Search Terms
information-security, information security, information, security, access, control, attribute, based
Related Information Security Topics