Attribute-based access control (ABAC) is a different approach to access control in which access rights are granted through policies that combine attributes. ABAC uses attributes as the building blocks for defining feature-rich access control rules and access requests. One standard for implementing ABAC is the eXtensible Access Control Markup Language (XACML).
Role-Based Access Control (RBAC) (Wikipedia) employs pre-defined roles, each carrying a specific set of privileges, to which subjects are assigned. The key difference with ABAC is the concept of policies that express a complex Boolean rule set able to evaluate many different attributes. Attribute values can be set-valued or atomic-valued. Set-valued attributes contain more than one atomic value; examples are role and project. Atomic-valued attributes contain only one atomic value; examples are clearance and sensitivity. Attributes can be compared to static values or to one another, which enables relation-based access control.
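Added example (not from the original article, and not OpenPMF or XACML code): a small Python policy evaluator that models the concepts above: set-valued role and project attributes, atomic-valued clearance and sensitivity, a rule comparing an attribute to a static value, a rule comparing two attributes to each other, and deny-overrides combining. The clearance ordering, the policy rules and the sample subject and resource are constructed for illustration.

```python
# Toy ABAC policy decision point (added example; not OpenPMF or XACML code).
# Set-valued attributes: role, project. Atomic-valued: clearance, sensitivity.
from dataclasses import dataclass, field
from typing import Callable
# Constructed ordering so clearance and sensitivity can be compared to one another.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass
class Request:
    subject: dict                              # attributes of the requester
    resource: dict                             # attributes of the object accessed
    action: str
    env: dict = field(default_factory=dict)    # context (network, time, ...)
Rule = tuple[str, Callable[[Request], bool]]   # (effect, Boolean condition)

def clearance_dominates(r: Request) -> bool:
    # Two atomic attributes compared to each other (relation-based control).
    return LEVELS[r.subject["clearance"]] >= LEVELS[r.resource["sensitivity"]]

def same_project(r: Request) -> bool:
    # Resource's atomic project value must be in the subject's set-valued project.
    return r.resource["project"] in r.subject["project"]

POLICY: list[Rule] = [
    # Secret data is off-limits outside the corp network (attribute vs static value).
    ("DENY", lambda r: r.resource["sensitivity"] == "secret" and r.env.get("network") != "corp"),
    # Analysts read their own projects' data if clearance covers its sensitivity.
    ("PERMIT", lambda r: r.action == "read" and "analyst" in r.subject["role"]
               and same_project(r) and clearance_dominates(r)),
    # Owners may read or write their own resources regardless of role.
    ("PERMIT", lambda r: r.action in {"read", "write"} and r.subject.get("id") == r.resource.get("owner")),
]

def evaluate(req: Request, policy: list[Rule] = POLICY) -> str:
    """Deny-overrides: any DENY wins, then any PERMIT, else NOT_APPLICABLE.
    A rule that cannot be evaluated (missing attribute) is INDETERMINATE and
    must be treated by the caller as a refusal, never as an implicit permit."""
    effects = set()
    for effect, cond in policy:
        try:
            if cond(req):
                effects.add(effect)
        except KeyError:          # attribute absent from the request
            return "INDETERMINATE"
    if "DENY" in effects:
        return "DENY"
    return "PERMIT" if "PERMIT" in effects else "NOT_APPLICABLE"

# Constructed sample subject and resource for trying the evaluator.
ALICE = {"id": "alice", "role": {"analyst"}, "project": {"apollo", "gemini"}, "clearance": "secret"}
REPORT = {"project": "apollo", "sensitivity": "confidential", "owner": "bob"}
```

Adding a rule means adding a tuple to POLICY; no role definitions change, which is the point of the "few policies instead of hundreds of roles" argument.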
Risk-intelligent access control
Although the concept itself has existed for many years, ABAC is considered a “next generation” authorization model because it provides dynamic, context-aware and risk-intelligent access control to resources. Access control policies can include specific attributes from many different information systems, so that an authorization is resolved against all of them and regulatory compliance is achieved efficiently, while enterprises keep the flexibility to implement ABAC on their existing infrastructure. Dynamic authorization using ABAC streamlines the management process by removing the need to deploy expensive and complex identity governance solutions: hundreds of roles can be replaced by just a few policies. On the downside, ABAC rules (without the right tools) can be too hard to author, maintain, and test.
OpenPMF 4.0 supports ABAC
OpenPMF 4.0 Policy Management Platform supports Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role Based Access Control (RBAC), advanced Attribute Based Access Control (ABAC) and Proximity Based Access Control (PBAC), so it can make access control decisions not only on identities and roles, but also on the attributes used in the system.
OpenPMF 4.0 supports flexible decisions: policies define whether an analyst is allowed to see the data, learns that specific data exists but cannot be accessed without further authorization, does not see the data at all, or gets the traditional “access denied.”
OpenPMF 4.0 makes ABAC easy to author, maintain, test, audit, and document.
Let us know if you want to learn more about what ABAC can do for your organisation's IT access control needs. Click here to contact us.
(Sources: Objectsecurity.com, Wikipedia.com, Technopedia.com)