Attribute-Based Access Control (ABAC)
Attribute-based access control (ABAC) is considered one of the most general forms of access control, because it can capture the salient features of discretionary access control (DAC), mandatory access control (MAC) and role-based access control (RBAC) using appropriate attributes: access control lists, security labels and roles respectively. [5]
ABAC has been studied for a long time and many different formal models have been proposed.
ABAC is a logical access control model that is distinguished by how it controls access to objects: it evaluates rules against the attributes of the entities involved (subject and object), the requested operation, and the environment relevant to the request.
As new subjects join the organization, neither the rules nor the objects need to be modified. As long as a subject is assigned the attributes necessary for access to the required objects, existing rules and object attributes stay as they are.
There are three types of attributes:
- Atomic-valued or single-valued attribute: holds exactly one value from its range, e.g. a clearance level or a department.
- Set-valued or multi-valued attribute: holds a set of values from its range, e.g. the projects a user is assigned to or the groups it belongs to.
- Structured attribute: a value that is itself composed of named fields (a record), e.g. a location made up of a country and a site.
Attributes can be either:
- Entity attribute: one whose range is the set of entities in the system (an entity being a thing that can be distinctly identified), e.g. the owner of an object, whose value is a subject.
- Non-entity attribute: one whose range is not defined over the set of entities in the system, e.g. a clearance level or a timestamp.
The range of an attribute is either finite or infinite:
- Finite-domain attribute: the range is a finite set of attribute values, e.g. a fixed list of departments.
- Infinite-domain attribute: the range is a countably infinite set of attribute values, e.g. integer-valued identifiers.
Weaknesses
It is often claimed that attributes can express relationships, and this is indeed trivial for direct relationships (an owner attribute on an object, for example). However, relationship-based access control (ReBAC) relies fundamentally on indirect relations, also called multilevel or composite relations: chains of relationships that pass through several intermediate entities. It is hard to see how ABAC can express long chains of this kind, since each hop has to be encoded as a further attribute lookup whose depth is fixed in the rule. It has been suggested that ReBAC emerged to overcome this shortcoming of attributes.
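The following is an added illustration, not code from the page, of the rule evaluation described above (attributes of subject, object, operation and environment) together with the three attribute types and the relationship weakness. The attribute store, entity ids, rule names and the policy itself are constructed for this example; only the concepts come from the page. It shows atomic, set-valued, structured and entity-valued attributes in use, a new subject gaining access through attributes alone with no rule change, and a two-hop relationship (manager of the object's owner) that the rule can only express by dereferencing the owner's attributes explicitly, so the chain length is baked into the rule.

```python
"""Minimal ABAC decision engine over an attribute store (added example)."""
from datetime import time

# Attribute store: constructed sample data, not taken from the page.
#   atomic-valued : dept, clearance, classification, manager
#   set-valued    : projects
#   structured    : location (a record with its own fields)
#   entity-valued : owner and manager range over subject ids;
#                   clearance and dept are non-entity attributes
SUBJECTS = {
    "alice": {"dept": "eng", "clearance": 3, "projects": {"apollo", "zeus"},
              "manager": "carol", "location": {"country": "US", "site": "hq"}},
    "bob":   {"dept": "sales", "clearance": 1, "projects": {"apollo"},
              "manager": "carol", "location": {"country": "US", "site": "hq"}},
    "carol": {"dept": "eng", "clearance": 2, "projects": set(),
              "manager": None, "location": {"country": "US", "site": "hq"}},
}
OBJECTS = {
    "design.md": {"owner": "alice", "classification": 2, "projects": {"apollo"},
                  "location": {"country": "US", "site": "hq"}},
}


# Each rule is a predicate over (subject attrs, object attrs, action, env attrs).
def rule_owner(s, o, action, env):
    # Entity attribute: the object's owner is compared with the subject's id.
    return o["owner"] == s["id"]


def rule_project_read(s, o, action, env):
    # Atomic comparison (clearance >= classification) plus a set intersection.
    return (action == "read"
            and s["clearance"] >= o["classification"]
            and bool(s["projects"] & o["projects"]))


def rule_manager_of_owner_read(s, o, action, env):
    # Two-hop relationship: subject is the manager of the object's owner.
    # The rule must look up the owner's own attributes; every further hop
    # would be another explicit lookup, so the chain length is fixed here.
    owner = SUBJECTS.get(o["owner"])
    return action == "read" and owner is not None and owner["manager"] == s["id"]


def rule_environment(s, o, action, env):
    # Environment attributes (time, network) and a structured attribute
    # (location.site) compared between subject and object.
    return (time(8, 0) <= env["time"] <= time(18, 0)
            and env["network"] == "corp"
            and s["location"]["site"] == o["location"]["site"])


# The environment rule gates every request; any single grant rule suffices.
GRANT_RULES = [rule_owner, rule_project_read, rule_manager_of_owner_read]


def decide(subject_id, object_id, action, env):
    """Deny by default; permit only if the environment rule holds and a grant rule fires."""
    s = SUBJECTS.get(subject_id)
    o = OBJECTS.get(object_id)
    if s is None or o is None:
        return False  # unknown entity: no attributes, hence no access
    s = {"id": subject_id, **s}  # expose the subject's id as an attribute
    if not rule_environment(s, o, action, env):
        return False
    return any(rule(s, o, action, env) for rule in GRANT_RULES)


def add_subject(subject_id, attrs):
    """A new subject needs only its attributes; rules and objects are untouched."""
    SUBJECTS[subject_id] = attrs


if __name__ == "__main__":
    env = {"time": time(10, 30), "network": "corp"}
    print(decide("alice", "design.md", "write", env))  # owner
    print(decide("bob", "design.md", "read", env))     # clearance too low
    print(decide("carol", "design.md", "read", env))   # manager of the owner
```

Note that `rule_manager_of_owner_read` is the page's weakness in miniature: "manager of the owner" works because the hop count is one and hard-coded, but "anyone above the owner in the management chain" cannot be written as a comparison of attribute values and would need a loop or recursion outside the rule language.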