Attribute-Based Access Control (ABAC) in Tucson & Phoenix

The Main Components of Attribute-Based Access Control

With ABAC, an organization’s access policies enforce access decisions based on the attributes of the subject, resource, action, and environment involved in an access event.

• Subject: The subject is the user requesting access to a resource to act. Subject attributes in a user profile include ID, job roles, group memberships, departmental and organizational memberships, management level, security clearance, and other identifying criteria. ABAC systems often obtain this data from an HR system or directory or otherwise collect this information from authentication tokens used during login.
• Resource: The resource is the asset or object (such as a file, application, server, or even API) that the subject wants to access. Resource attributes are all identifying characteristics, like a file’s creation date, its owner, file name and type, and data sensitivity. For example, when trying to access your online bank account, the resource involved would be “bank account.”
• Action: The action is what the user is trying to do with the resource. Common action attributes include “read,” “write,” “edit,” “copy,” and “delete.” In some cases, multiple attributes can describe an action. To continue with the online banking example, requesting a transfer may have the characteristics “action type = transfer” and “amount = $200.”
• Environment: The environment is the broader context of each access request. All environmental attributes speak to contextual factors like the time and location of an access attempt, the subject’s device, communication protocol, and encryption strength. Contextual information can also include risk signals that the organization has established, such as authentication strength and the subject’s normal behavior patterns.