Access control

Guide to Attribute-Based Access Control (ABAC)

The basis of the attribute-based access control is about defining a set of attributes for the elements of your system.

5 min reading time

Managing user credentials on the Kisi dashboard

Updated on December 01, 2022

Written by Guest Post

Share this article

Attribute-Based Access Control (ABAC) #

Attribute-based access control is a model inspired by role-based access control. The basis of the attribute-based access control is about defining a set of attributes for the elements of your system. This model comprises of several components.

  • Attribute. This refers to the character of elements within the network. It is also used to refer to user characteristics such as clearance level, department, position or even IP address. It can refer to object characteristics such as creator, sensitivity, and type among other things. An attribute can also refer to the characteristics of the environment such as location, time and date.
  • Type of action. The action being performed on the network. For example: copying, pasting, deleting, reading or writing?
  • Subject. This is any person or resource that can perform actions within the network. The subject is also assigned attributes to determine their clearance level.
  • Object. An object is any data that is stored in the network. They are assigned attributes to enable description and identification. 
  • Policy. A set of rules used to govern all operations in the network.

In the ABAC model, you can make use of attributes that haven’t been registered but still, this will be visible in the work process. It is a model that can be used in organizations of different sizes but the best capacity is within a large organization.

Want to learn more about the technicalities?

Check out our Academy for lessons on access control.

ABAC requires plenty of time and effort when it comes to deployment and configuration. This is because all attributes of the system must be defined. This is done manually. Policies, too, have to be created so that they can be copied for every new user and resource. With ABAC model, attributes can be modified to suit the needs of a user without necessarily creating a new role for them. It is these attributes that make ABAC a more polished system than the Role-Based Access Control model (RBAC).

Attribute-Based Access Control vs Role-Based Access Control#

Data access is always evolving so as to meet the various challenges that businesses are facing in this age of unlimited data. Today’s standard is none other than ABAC. Its a model that ensures that information is retrieved when required and under the right circumstances.

RBAC Benefits and Limitations#

RBAC was once the most popular mode of restricting access to a secure space. Its main advantage is that there is no need for companies to authorize or revoke access individually. With this system users are brought together as per their roles. This makes work easier but setting up is not an easy task. 


  • Rules cannot be setup using unknown parameters
  • Permissions are only assigned to user roles
  • Access can be restricted to certain actions in the system but not to certain data

ABAC Benefits and Limitations#

The main benefit of the ABAC model is that access is granted not on the basis of the user but on the attributes of every component in the system. This means that every rule no matter how complex can be described. The attributes of subjects and resources not yet entered into the system can be evaluated.


  • Policies have to be specified and maintained making this type of system difficult to configure.
  • It is difficult to perform a fact audit prior to determining the permissions that will be availed to the end-user.
  • It could be almost impossible to measure the risk exposure for any given position.

How It All Comes Together#

This is a multi- dimensional access control system and with its attributes it ensures the following:

  • Increased scalability
  • Prevention of role explosion
  • Eliminates SoD conflicts
  • Eases authorization for management control

What all this means is that the authorization process is dynamic since it involves evaluating an entire context. The attributes of a particular scenario will come from several sources such as the application and the environment. The key attributes, in turn, trigger the policy and then the rules are evaluated. The next step is the collection of the required attributes by the authorization engine. This is the only way the decision process can be completed. 

In a Nutshell#

ABAC is not just for granting or denying access to data. There is also data masking to ensure the protection of sensitive information whilst permitting sharing. This means the redaction of sensitive data items. According to experts, 70% of companies will be using ABAC by 2020. And even though it might be a model that comes with its fair share of limitations such as the impossibility of measuring risk exposure, the making of policies gives the management the upper hand from the word go plus it checks on every attribute. Isn’t it just good to know you decide the kind of access users can have to your data?

Guest Post

Guest Writer

Save time. Enhance security.

Modernize your access control with remote management and useful integrations.