Attribute-Based Access Control (ABAC)
Attribute-Based Access Control provides fine-grained authorization by evaluating attributes of users, resources, actions, and environment. Unlike RBAC's predefined roles, ABAC makes authorization decisions based on policies that consider multiple attributes. This flexibility enables complex authorization scenarios that would be cumbersome with traditional role-based approaches.
// JavaScript example of ABAC policy evaluation
class ABACPolicyEngine {
  constructor() {
    this.policies = [];
  }

  addPolicy(policy) {
    this.policies.push(policy);
  }

  // First-match evaluation: the first policy whose conditions all hold decides.
  evaluate(subject, resource, action, environment) {
    for (const policy of this.policies) {
      if (this.matchesConditions(policy.conditions, subject, resource, action, environment)) {
        return policy.effect === 'allow';
      }
    }
    return false; // Deny by default
  }

  matchesConditions(conditions, subject, resource, action, environment) {
    const context = { subject, resource, action, environment };
    return conditions.every(condition => {
      const attributeValue = this.getAttributeValue(condition.attribute, context);
      // A condition value written as a dotted path (e.g. 'resource.owner') refers to
      // another attribute of the request; any other value is compared literally.
      const expected = this.resolveValue(condition.value, context);
      return this.evaluateCondition(attributeValue, condition.operator, expected);
    });
  }

  // Resolve a dotted path such as 'subject.id' against the request context.
  getAttributeValue(path, context) {
    return path.split('.').reduce(
      (current, key) => (current == null ? undefined : current[key]),
      context
    );
  }

  resolveValue(value, context) {
    if (typeof value === 'string' && value.includes('.')) {
      const resolved = this.getAttributeValue(value, context);
      if (resolved !== undefined) return resolved;
    }
    return value;
  }

  evaluateCondition(actual, operator, expected) {
    switch (operator) {
      case 'equals':
        return actual === expected;
      case 'between':
        // Works for zero-padded 'HH:MM' strings because they sort lexically.
        return actual >= expected[0] && actual <= expected[1];
      default:
        return false; // Unknown operators never match (fail closed)
    }
  }
}

// Example policy: Users can edit documents they own during business hours
const policy = {
  effect: 'allow',
  conditions: [
    { attribute: 'subject.id', operator: 'equals', value: 'resource.owner' },
    { attribute: 'action', operator: 'equals', value: 'edit' },
    { attribute: 'environment.time', operator: 'between', value: ['09:00', '17:00'] }
  ]
};

// Usage
const engine = new ABACPolicyEngine();
engine.addPolicy(policy);
const canEdit = engine.evaluate(
  { id: 'user123', department: 'sales' },
  { owner: 'user123', classification: 'confidential' },
  'edit',
  { time: '14:30', ip: '192.168.1.1' }
);
console.log(canEdit); // true: the owner is editing at 14:30
ABAC excels in scenarios requiring contextual authorization. Geographic restrictions, time-based access, device-specific permissions, and data classification levels are naturally expressed as ABAC policies. The ability to combine multiple attributes with complex logic enables precise access control that matches business requirements exactly.
Policy management becomes critical in ABAC systems. With great flexibility comes the risk of policy conflicts and complexity. Implement policy validation to detect conflicts and ensure completeness. Use policy templates for common scenarios to maintain consistency. Provide tools for policy testing and simulation to verify behavior before deployment.
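As an added example (not code from the original text) of the policy simulation and conflict detection this paragraph calls for: a small evaluator for the condition format used above, a function that runs constructed requests against a policy set and reports every request on which an allow and a deny both match, and deny-overrides combining that resolves such overlaps instead of letting insertion order decide, as the first-match engine above would. The helper names, policy ids and sample requests are this example's own assumptions.

```javascript
// Resolve a dotted path such as 'environment.time' against the request context.
const get = (path, ctx) => path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), ctx);

function matches(policy, request) {
  return policy.conditions.every(({ attribute, operator, value }) => {
    const actual = get(attribute, request);
    if (operator === 'equals') return actual === value;
    if (operator === 'between') return actual >= value[0] && actual <= value[1];
    return false; // unknown operator never matches (fail closed)
  });
}

// Simulation: report each request on which policies with opposite effects both match.
function findConflicts(policies, requests) {
  const conflicts = [];
  for (const request of requests) {
    const hits = policies.filter(p => matches(p, request));
    if (new Set(hits.map(p => p.effect)).size > 1) {
      conflicts.push({ request: request.name, policies: hits.map(p => p.id) });
    }
  }
  return conflicts;
}

// Deny-overrides combining: any matching deny wins, an allow needs an explicit match,
// and a request no policy covers is denied by default.
function decideDenyOverrides(policies, request) {
  const hits = policies.filter(p => matches(p, request));
  if (hits.some(p => p.effect === 'deny')) return 'deny';
  return hits.some(p => p.effect === 'allow') ? 'allow' : 'deny';
}

// Constructed sample policy set (hypothetical ids)
const policies = [
  { id: 'business-hours-edit', effect: 'allow', conditions: [
    { attribute: 'action', operator: 'equals', value: 'edit' },
    { attribute: 'environment.time', operator: 'between', value: ['09:00', '17:00'] } ] },
  { id: 'no-confidential-offsite', effect: 'deny', conditions: [
    { attribute: 'resource.classification', operator: 'equals', value: 'confidential' },
    { attribute: 'environment.network', operator: 'equals', value: 'external' } ] },
];

// Constructed simulated requests that act as a test suite for the policy set
const requests = [
  { name: 'onsite-edit', subject: { id: 'u1' }, resource: { classification: 'internal' },
    action: 'edit', environment: { time: '10:00', network: 'corp' } },
  { name: 'offsite-confidential-edit', subject: { id: 'u1' }, resource: { classification: 'confidential' },
    action: 'edit', environment: { time: '10:00', network: 'external' } },
];
```

Running findConflicts(policies, requests) flags only the off-site confidential edit, where both policies match; decideDenyOverrides denies it while still allowing the on-site edit.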