Attribute Based Access Control
Attribute based access control (ABAC) is a slightly more advanced permissions model than RBAC, in which each item (user, group, resource, etc.) is assigned an attribute and permissions are derived from that attribute combined with a policy document.
For example, if we wanted to grant a user permission to change a specific resource, an attribute assigned to the user might be
The policy engine would then be configured to say: if there exists a write-resource attribute for the user matching the resource’s ID, then the user can write to the resource.
Attribute based access control provides for much finer-grained and controlled permissions modeling than RBAC, but at the cost of maintaining a policy document and numerous attributes. ABAC can be used to model RBAC and other simpler permissions systems, but with an additional complexity cost around configuration and validation.
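The write-resource rule described above, together with RBAC modelled as a role attribute, as an added example that is not part of the original page. The policy document format, the attribute names other than write-resource, and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    name: str
    attributes: frozenset  # set of (attribute name, value) pairs

@dataclass(frozen=True)
class Resource:
    id: str

# Constructed policy document: action -> rules. A rule grants the action when
# the subject holds `attr` with the value named by `equals`.
POLICY = {
    "write": [
        {"attr": "write-resource", "equals": "resource.id"},
        {"attr": "role", "equals": "literal:admin"},  # RBAC expressed as an attribute
    ],
    "read": [
        {"attr": "read-resource", "equals": "resource.id"},
        {"attr": "role", "equals": "literal:admin"},
    ],
}

def expected_value(rule, resource):
    """Resolve the value a rule requires for this particular resource."""
    source = rule.get("equals", "")
    if source == "resource.id":
        return resource.id
    if source.startswith("literal:"):
        return source[len("literal:"):]
    raise ValueError(f"unknown value source in policy: {source!r}")

def validate_policy(policy):
    """Reject a malformed policy document before it is used for decisions."""
    probe = Resource(id="probe")
    for action, rules in policy.items():
        for rule in rules:
            if not rule.get("attr"):
                raise ValueError(f"rule for {action!r} has no attribute name")
            expected_value(rule, probe)  # raises on an unknown value source

def is_allowed(subject, action, resource, policy=POLICY):
    """Default deny: allow only if some rule for the action matches."""
    return any(
        (rule["attr"], expected_value(rule, resource)) in subject.attributes
        for rule in policy.get(action, [])
    )
```

An action with no rules in the policy document is denied, and validate_policy catches a misspelled value source at load time instead of letting it surface during an access decision.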