Attribute-Based Access Control

ABAC.

An authorization model where access decisions are computed by evaluating policies against attributes of the subject, resource, action, and environment.

ABAC fits well when policy logic genuinely doesn't reduce to roles, the team has policy-authoring competence (security engineers, compliance team, dedicated authz reviewers), and the decision needs to consume context that role assignment can't capture. ABAC fits poorly when the use case is "Alice can edit Project X": that is about relationships, not attribute logic, and ReBAC is the cleaner answer.
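The definition above as a minimal policy decision point, added here as an illustration and not taken from this glossary or from any product: the same subject gets different decisions as the environment changes, and a missing attribute fails closed. The attribute names, rule names and the deny-overrides combining are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Request:
    subject: dict       # who is asking
    resource: dict      # what is being accessed
    action: str         # what they want to do
    environment: dict   # context at decision time

# (rule name, effect, condition). All names and attributes are constructed.
Rule = tuple[str, str, Callable[[Request], bool]]

RULES: list[Rule] = [
    ("deny-unmanaged-device-on-restricted", "deny",
     lambda r: r.resource["classification"] == "restricted"
     and not r.environment["device_managed"]),
    ("permit-same-department-read", "permit",
     lambda r: r.action == "read"
     and r.subject["department"] == r.resource["owner_department"]
     and r.subject["clearance"] >= r.resource["min_clearance"]),
]

def decide(req: Request) -> tuple[str, str]:
    """Return (decision, reason). Default deny; any matching deny wins."""
    decision = ("deny", "default-deny")
    for name, effect, condition in RULES:
        try:
            matched = condition(req)
        except KeyError as missing:
            # An attribute the policy needs was not supplied: fail closed.
            return ("deny", f"missing-attribute:{missing.args[0]}")
        if matched and effect == "deny":
            return ("deny", name)
        if matched and effect == "permit":
            decision = ("permit", name)
    return decision

# Constructed sample attributes.
ALICE = {"department": "finance", "clearance": 2}
LEDGER = {"classification": "restricted", "owner_department": "finance",
          "min_clearance": 2}

if __name__ == "__main__":
    for env in ({"device_managed": True}, {"device_managed": False}, {}):
        print(env, decide(Request(ALICE, LEDGER, "read", env)))
```

Returning the rule name alongside the decision gives the audit log a reason for every permit and deny, which is what a policy reviewer needs when a decision is questioned.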

Common questions

When does ABAC make sense over RBAC?

Is OPA the same as ABAC?

What is XACML?

Last updated 2026-05-06.