Attribute-Based Access Control: Pros, Cons & Use Cases
Enterprise organizations must secure access to business-critical data based on layered security that also controls the scope of access permitted for legitimate users.
Attribute-based access control (ABAC) provides a prime solution for this challenge. ABAC uses granular characteristics, known as attributes, to evaluate access to sensitive data while minimizing its risk of exposure.
What is attribute-based access control?
Attribute-based access control is based on using the assigned attributes of a subject, user, or object as an authorization strategy to determine whether permissions should be granted or denied. Compared to other access control mechanisms, ABAC is dynamic and much more context-aware of the environmental conditions in which it operates.
In general, access control models determine who can access what information and when. Therefore, they also incorporate identity and access management (IAM) policies that regulate how users access data in a comprehensive framework.
For instance, role-based access control (RBAC) uses an entity’s job descriptions and task-related roles to determine access. Under these conditions, a developer will likely be granted read-write access to the organization’s software version control repository instead of, say, an accountant.
On the other hand, cloud-based access control ensures remote workers access corporate networks and cloud-based technologies securely.
However, unlike other authorization models, ABAC implementation is more sophisticated and is handled by its own language called the eXtensible Access Control Markup Language (XACML).
What are the main categories of attributes?
Attributes are the main differentiating factor for ABAC systems, so it’s vital to understand their various categorizations.
Here are the four main categories of ABAC attributes:
Subject/User Attributes: As its name indicates, this attribute category reflects the individual user requesting access. Common examples include username, user ID, Job title, employee ID, department, age, and security clearance.
ABAC can obtain this information from HR or via authentication tokens during the login process.
- Resource/Object Attributes: This is the resource, object, or asset the subject requesting permission wants to access. Examples of a resource include an application, file, server, or even an API. Resources have identifying characteristics like their filename, owner/author, the file’s creation date, data type, and data sensitivity.
- Environmental or Context Attributes: This attribute highlights the broader context and environmental conditions in which the requests exist and operate. Environmental factors include risk signals, the communication protocol used, the user’s device, and the time and location of the request.
- Action Attributes: The action regulates how the subject interacts and engages with the requested resource. Typical actions include VIEW, READ, WRITE, EDIT, COPY, TRANSFER, DELETE, or APPROVE.
How does attribute-based access control work?
ABAC uses application and system attributes to define rules and policies to control subjects’ behavior and the actions they can take on resources.
To implement a functional ABAC system, you must first evaluate how the attributes in the system (user/subject, resource/object, action, and environment) interact with the IT environment.
Secondly, rules are subsequently created against these attributes to govern their interactions.
System and infosec administrators create specific attributes in line with the company’s business needs and regulatory requirements. ABAC subsequently regulates access to system objects by evaluating the rules against access control lists — in this instance, the attributes of the entities.
When a request is made, the software tool implementing the attribute-based control scans the attributes of the subject to evaluate if they match the existing policies for the desired action.
Access is granted to a subject or user once certain rules or requirements are met. Hence, the system can grant or deny requests based on user and object attributes.
What is the difference between ABAC vs. RBAC?
ABAC arose because traditional access management proved inadequate to meet the challenges of the extended enterprise. Here are the differences that distinguish ABAC from RBAC:
|Entirely attribute-driven||Based on job-related, role-based permissions|
|Policies leverage XML-based natural language and attributes’ context||No programmatic construct; access only granted based on roles|
|Suited for large enterprises with many users||Ideal for small-to-medium-sized enterprises|
|Access control capabilities are deep, specific, and fine-grained||Broad access control policies|
|Best for a geographically dispersed workforce||Ideal for a centrally located workforce with few external users|
What are the use cases of attribute-based access control?
In general, one of the core uses of access control is to ensure legitimate users can access system resources. These are its most salient use cases:
- Securing data from unauthorized access in a granular, fine-grained manner.
- Protecting microservices and endpoints such as APIs.
- Facilitating the implementation of dynamic firewalls and policy controls on a per-user basis.
What are the benefits of attribute-based access control?
- Flexibility: ABAC’s flexibility lies in its attribute system that provides high context and granular access.
- Dynamic authorization: Since ABAC is attribute-based, it allows authorization for data or applications to be dynamically assigned or revoked in real time.
- Encapsulation: ABAC uses encapsulation to hide technical permissions in plain sight. Access decisions are changed just by modifying attribute values without the hassle of changing the underlying subject/object relationship.
- Smart access restriction: ABAC helps policymakers implement smart restrictions with intelligent context for privacy and security. In addition, it can ensure users or user groups have access to only certain kinds of resources or operations, depending on the application, location, or time of day.
- Regulatory compliance: ABAC’s granular permissions and controls make it easier to satisfy various regulatory mandates.
- Automation benefits of managing permissions: ABAC favors using automation to update access immediately and systematically.
Less administrative burden: ABAC requires less administrative onboarding. For instance, administrators don’t have to define roles for each hire or intentionally assign authorization to users or objects for them to access resources.
This also means that once a user’s attributes change, the system resources they can access also change automatically without requiring manual intervention.
- Automatic update of permissions: Since attributes are software-mediated, group or individual permissions can be modified or removed by simple updates without manual intervention.
- Extra security buffer: Besides typical security measures like encryption, ABAC provides cybersecurity professionals with another security buffer. For example, it makes it harder for users to access resources and important services on unknown devices.
The Disadvantages of Using ABAC
While ABAC provides organizations with immense benefits and pros, it also comes with several cons, so you must be aware of its limitations.
- Increased complexity: Administrators must deal with the heightened complexity of designing and implementing ABAC. It takes time and resources to manually define and assign the attributes, in addition to creating the accompanying policies engines.
- Challenges of scalability: Unfortunately, attribute management doesn’t scale easily. This is due to the aforementioned configuration challenges, its large digital footprint, and hundreds, perhaps thousands of users that must be managed.
- Auditing challenges: The proliferation of permissions makes it harder for the system to be comprehensively audited.
Fortra’s Digital Guardian Secure Collaboration Understands the Dynamic Environments
Fortra is equipped to handle the complexities of using ABAC to map authorization policies to govern secure access to data. Our products have digital rights management (DRM) and information rights management (IRM) features that facilitate real-time policy evaluation and dynamic authorization.
Watch this short video to learn more about how Digital Guardian Secure Collaboration can track, protect, and secure your sensitive data wherever it travels.