Guide: Access Control

The ABAC Access Control Model

In today’s IT landscape, data continues to be a constant fuel source for new and emerging technologies, and it has the potential to make or break a business. If valuable data is processed and analyzed in the right manner, it can work wonders for any business. However, as new technologies and concepts continue to emerge with the passage of time, data security continues to be a pressing concern.

In most organizations, access control is a major issue that system and network administrators face problems with. For starters, existing access control methods, such as the Role-Based Access Control (RBAC) model, are not always delivering a complete solution to all requirements, and are sometimes not granular enough. There is an effective alternative that is slowly replacing RBAC and it’s called Attribute-Based Access Control, or ABAC.

In this guide, you will learn:

This is part of our access control guide.

What is the ABAC Access Control Model?

Attribute-Based Access Control (ABAC) is a type of authorization model that employs user attributes in place of roles to determine the access for each user in the organization. 

The main purpose of ABAC is to assign roles to employees properly and to protect data, network devices, and applications from unauthorized access, which may cause harm to the system, knowingly or unknowingly.

Not every user in an organization needs to have access to all the applications, bandwidth, or storage space that the company’s IT infrastructure has to offer. Moreover, if each employee is given full access, it might hinder other people in the organization from doing their jobs properly.

ABAC rose in prominence during the past decade, and it provided an upgraded and updated version of access control lists and Role-Based Access Control. It has also been endorsed by the Federal Chief Information Officers Council as a method to ensure that federal organizations employ more optimized access control methods.

Examples of Attribute-Based Access Control

Using the ABAC model, access to business-critical information can be determined by user attributes or characteristics, the data, or the environment, such as group, department, employee status, device type, IP address, or any other factors which could impact the authorization outcome. 

Some possible use-cases of ABAC are:

  • An engineer reassigned to a new project can automatically access data related to the new project but not the previous one.
  • An account executive reassigned to a new territory can automatically view and perform operations on accounts and products in the new territory but can no longer access anything from the old territory.
  • A finance manager can only download documents when they’re physically in the country.
  • An HR manager assigned to a business unit can only access the Personal Identifiable Information (PII) of the employees of the assigned business unit.

Components of ABAC

There are several components involved in Attribute-Based Access Control, which are common throughout each organization, regardless of the company structure or industry it belongs to.

1. Subject

In ABAC, the subject refers to the user requesting access to a resource for a task. Some of the user attributes of the subject include the subject ID, job roles, group memberships, organizational memberships, management level, and other unique factors. In an ABAC system, this information is obtained through an HR portal or employee directory.

2. Resource

The resource refers to the object, i.e. the file, document, application, network resource, or any other thing that the subject is requesting permission to access. The identifying characteristics of the resource include the creation date, owner, name, type, and data sensitivity.

3. Action

The action describes the intent of the subject, i.e. what they want to do with the resource being requested. Some of the common actions include ‘read, ‘write’, ‘copy’, ‘edit’, and ‘delete’. In most cases, users may ask for multiple actions, such as edit and copy, or read and edit.

4. Environment

The environment describes the entire landscape of the access request, and it contains information like the time and location of the access request, the subject’s device, communication protocol, encryption strength, etc.

The ABAC makes use of these attributes and components to develop access control policies, which also align with the rules. The rules also define the attribute combinations that can be paired together for a subject to perform the action with an object.

ABAC vs. RBAC

If you are familiar with access control methods and policies, you would also know about Role-Based Access Control, which is used to assign access levels to users based on their job roles and responsibilities. In an organization, each user that needs network or system resources must go through an authentication and authorization process before they can gain access.

As you already know, the system is vulnerable to data security concerns and breaches, which is why it is very important to determine which access control method works best for your organization and is the most efficient. 

For a complete guide, read our comprehensive comparison between ABAC and RBAC.

In simpler terms, Role-Based Access Control makes access decisions according to a person’s role in the organization. The administrator determines the parameters of each role, as well as which users are assigned the roles. In this method, one user can be assigned multiple roles, and this also makes it easier for new employees to be assigned relevant roles, without having to go through an extensive process.

Normally, RBAC serves as a predecessor for ABAC, with the latter being more advanced and having more processing capabilities. RBAC involves user roles for assigning permissions, whereas ABAC is used to provide access rights according to attributes, including user, environment, and resources. 

Therefore, it won’t be wrong to say that ABAC involves a fine-grained approach, whereas RBAC is used for access control across the organization.

Advantages of Attribute-Based Access Control

Now that you have a better idea of what ABAC is and how it works, let’s have a look at the advantages that it provides.

1. Flexibility in Policy-making

One of the biggest benefits of ABAC is that it is highly flexible, and it allows administrators and executives to determine which attributes are integral to the process. Therefore, they don’t have to define the relationship between each subject and object separately, and it helps them save time, while also ensuring efficient resource utilization.

2. Compatibility

Another great benefit of ABAC is that it allows organizations to easily bring new employees on board, while also allowing them to access objects that they need to do their job. The administrators can proactively define policies for new employees, as well as those who are going to leave the company. This way, the rules don’t have to be modified every time a new user joins or leaves.

3. Strong Security

The use of attributes in ABAC makes it much easier for decision-makers to control variables that ensure a fine-grained approach to access control. In RBAC, a team may have complete access to crucial business information, which can be counterproductive. On the other hand, ABAC allows administrators to implement smart access protocols, which means that the team will only gain access to the information at certain times, or when they can justify the need for it.

Conclusion

This brings us to the end of our guide on Attribute-Based Access Control. By now, you are able to understand how access controls work, and how crucial they are for the smooth operations and success of any organization. It is safe to say that RBAC serves as a stepping stone for ABAC, and you may only need the latter if you have a large organization with a large number of users.

ABAC Made Simple With Satori

Satori provides ABAC on your data access to your data stores, regardless of their native capabilities.

The information provided in this article and elsewhere on this website is meant purely for educational discussion and contains only general information about legal, commercial and other matters. It is not legal advice and should not be treated as such. Information on this website may not constitute the most up-to-date legal or other information. The information in this article is provided “as is” without any representations or warranties, express or implied. We make no representations or warranties in relation to the information in this article and all liability with respect to actions taken or not taken based on the contents of this article are hereby expressly disclaimed. You must not rely on the information in this article as an alternative to legal advice from your attorney or other professional legal services provider. If you have any specific questions about any legal matter you should consult your attorney or other professional legal services provider. This article may contain links to other third-party websites. Such links are only for the convenience of the reader, user or browser; we do not recommend or endorse the contents of any third-party sites.