Attribute-Based Access Control (ABAC)
ABAC is an access control model where access decisions are based on attributes of the user, the resource, and the context of the request. Instead of assigning permissions to roles, ABAC evaluates the user's attributes and environment to determine whether access is allowed.
# WHAT TEAMS RUN INTO
- ABAC policies become complex and hard to reason about. Policy rules can reference dozens of attributes, and conflicting rules create scenarios where nobody can predict whether access will be allowed.
- ABAC enforcement is slower than RBAC because every access decision requires evaluating multiple attributes and rules. Organizations end up caching ABAC decisions, and cached decisions become stale.
- Auditing ABAC decisions is harder than auditing RBAC. An RBAC decision is 'this user has this role,' which is binary and easy to verify. An ABAC decision depends on current attribute values, which change over time, making historical audits difficult.
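An added illustration of the three problems above, not code from the original page: a minimal Python policy decision point that resolves conflicting rules with a deterministic deny-overrides combining rule, records the exact attribute values each decision used so it can be audited after those attributes change, and keys its decision cache on the attribute values so a changed attribute never reuses a stale decision. The rules, attribute names and sample subjects are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, List
import hashlib, json

@dataclass
class Rule:
    name: str
    effect: str  # "permit" or "deny"
    matches: Callable[[dict, dict, dict], bool]

@dataclass
class Decision:
    allowed: bool
    matched: List[str]  # names of the rules that fired, kept for audit
    snapshot: dict      # the exact attribute values the decision used

# Constructed sample policy, not taken from any real deployment.
RULES = [
    Rule("owner-reads", "permit",
         lambda s, r, c: s["id"] == r["owner"] and c["action"] == "read"),
    Rule("finance-ledger-business-hours", "permit",
         lambda s, r, c: s["dept"] == "finance" and r["class"] == "ledger"
         and 9 <= c["hour"] < 18),
    Rule("ledger-off-corp-network", "deny",  # missing attribute fails closed
         lambda s, r, c: r["class"] == "ledger" and not c.get("corp_network", False)),
]

def evaluate(subject: dict, resource: dict, context: dict,
             rules: List[Rule] = RULES) -> Decision:
    fired = [r for r in rules if r.matches(subject, resource, context)]
    effects = {r.effect for r in fired}
    # Deny-overrides: a single matching deny beats any number of permits,
    # so two conflicting rules resolve the same way every time.
    allowed = "permit" in effects and "deny" not in effects
    snapshot = {"subject": dict(subject), "resource": dict(resource),
                "context": dict(context)}
    return Decision(allowed, [r.name for r in fired], snapshot)

_cache: dict = {}

def cached_evaluate(subject: dict, resource: dict, context: dict) -> Decision:
    # Key the cache on the attribute values themselves: when any attribute
    # changes, the key changes too, so a stale decision is never reused.
    key = hashlib.sha256(json.dumps([subject, resource, context],
                                    sort_keys=True).encode()).hexdigest()
    if key not in _cache:
        _cache[key] = evaluate(subject, resource, context)
    return _cache[key]
```

With no matching rule the result is a default deny, and the `snapshot` field is what an auditor would store alongside the decision rather than re-reading live attributes later.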
# WHY IT MATTERS
ABAC is more flexible than RBAC because it can express richer access policies. But flexibility comes at a cost — complexity. ABAC only works if policies are clearly written, consistently applied, and actively audited. When ABAC policies become too complex, they become invisible to the people managing them, and access control stops being intentional.