Attribute Based Access Control (ABAC) is defined as “An access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.”
“The policies that can be implemented in an ABAC model are limited only to the degree imposed by the computational language and the richness of the available attributes.” [2]
Essentially, the more decision data at your disposal at runtime, the more sophisticated your ABAC policies can be.
ABAC relies on user attributes for authorization decisions. ABAC policies are rules that evaluate access based upon the following four sets of attributes:
...
Figure 1: NIST SP 800-162 ABAC Definition
ABAC Benefits
The key advantage of ABAC is that it does not allow application developers to hardcode a static list of roles and oversimplify their authorization source code. Rather, ABAC forces them to centralize all authorization decisions and call out at make runtime calls for a decision based on the Subject, Resource, Action, and Environment request attributes. Another key benefit is ABAC’s sometimes simpler nature. This simplicity the simplicity of ABAC, which can make it easier to understand how a rule grants access to a resource when dealing with a small number of rules. In contrast, RBAC does seem foreign to many users, and, especially during the early phase of its adoption, the levels of abstraction can be challenging for an IT team.
One other added advantage of ABAC is its flexibility. With ABAC, as long as the necessary data is available, almost anything can be represented as a rule-based query. For example, a rule evaluated at runtime in a login session can use contextual information—even information passed in via SAML claims or JWT tokens. In contrast, when delivering the role membership for a user to the application, a standard RBAC engine would not evaluate this type of information.
ABAC Primary Benefits
ABAC enforces centralized management of authorization policies.
ABAC makes it easy to specify access rules as simple queries.
ABAC rules can be extraordinarily fine-grained and contextual.
ABAC rules can evaluate attributes of Subjects and Resources that are not inventoried by the authorization system.
ABAC rules need less maintenance and overhead because they do not require the creation or maintenance of the structure on which an RBAC model depends, e.g., roles and resource locations.
...
Figure 2: Elaborate ABAC policy showing the potential of ABAC
ABAC Weaknesses
The first challenge encountered with implementing policies like this is the information needs to be obtained and evaluated at runtime. In the above policy example, if we needed to know if the user’s nationality was Swiss, then this information would likely reside in either the corporate Active Directory or HR system (Figure 3). Moreover, if we needed to know if the company was in Emergency Mode or not, this essential information might be difficult to obtain in a live corporate environment. Likewise, if we needed to ascertain their out of office status, this would reside in a corporate email system such as Office 365. Furthermore, to attain information for network login sessions or the MFA status would require a query to an Identity Provider such as Ping Federate.
...
Figure 4: A Common Standard Auditor's Question
ABAC’s Primary Weaknesses
ABAC makes it extremely difficult to perform a “before the fact audit” and determine the permissions available to a specific user. To successfully determine access, not only might a considerable number of rules need to be executed, but they must also be done in the same order in which the system applies them. As a result, this could make it impossible to assess risk exposure for any given employee position.
In a comparable manner to how a “Role Explosion” can occur with RBAC, an explosion can also occur with ABAC where a system with N number of attributes would have 2N possible rule combinations.
Unless rules are kept extremely simple and do not access data from various source systems, ABAC systems with complex rules from multiple attribute sources can be unacceptably slow to answer authorization queries.
ABAC Challenges
...
Figure 5: The Who, What, and How of ABAC Challenges
...