What is ABAC (Attribute-based access control)?

Published by Alex Olivier on October 02, 2023
Attribute-Based Access Control, also referred to as ABAC, is a method of managing access to systems or resources based on the user’s attributes. Compared to traditional access control methods, it is considered to be more flexible and dynamic.

With Attribute-Based Access Control, access is allowed or prohibited based on an evaluation of various attributes defined within the access policy. These attributes typically include, but are not limited to, an individual’s department, location, and user role, along with the context in which the access request is made.

Key components of the ABAC access control system


Attributes are characteristics assigned to all the players in an access event that the system uses to determine whether access should be granted. Attributes typically take the form of information about the user, the resources the user is attempting to access, and the context in which they are making their access request. So, for instance, access may be granted in one context but denied in a different context.

Attributes can also be applied to the resources themselves, and can be based on a wide range of characteristics such as a file’s owner, its creation date, sensitivity of data and more.

Access request evaluations

Whenever a user requests access, the ABAC system evaluates that request by weighing the principal’s personal attributes along with which resources they are attempting to access and the context in which the request is being made.

Centralized policy management

More often than not, ABAC involves a centralized policy management system. The goal of such a system is to provide a uniform framework for defining and enforcing an organization’s access control policies.

Fine-grained access

When compared to more generalized access control models, typically referred to as "coarse-grained access", ABAC's fine-grained access model enables more nuanced control over who gains access to what. While this can make it somewhat more complex to devise and implement, many organizations relish the more sophisticated control.

Policies and access rules

Access rules are the main components that determine who can access resources and under what conditions. 

Policies are where these access rules live; they are collections of rules, intended as a way to organize and manage access control within an organization.
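
The components described above fit together as follows. This is an added example, not code from the original article or from Cerbos: a minimal Python evaluator in which every name (`Request`, `Rule`, `evaluate`, the rule names and the sample attributes) is hypothetical, and the deny-overrides and fail-closed-on-missing-attribute behaviour are design assumptions rather than something the article specifies.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Request:
    principal: dict  # attributes of the user
    resource: dict   # attributes of the resource
    action: str
    context: dict    # attributes of the request context

@dataclass(frozen=True)
class Rule:
    name: str
    actions: frozenset
    effect: str  # "allow" or "deny"
    condition: Callable[[Request], bool]

def evaluate(policy, req):
    """Return (decision, deciding rule). Deny overrides allow; no match denies."""
    decision = ("deny", "default-deny")
    for rule in policy:
        if req.action not in rule.actions:
            continue
        try:
            matched = rule.condition(req)
        except KeyError as missing:
            # Fail closed: an attribute a rule needs is absent from the request.
            return ("deny", f"missing-attribute:{missing.args[0]}")
        if matched and rule.effect == "deny":
            return ("deny", rule.name)
        if matched and decision[0] == "deny":
            decision = ("allow", rule.name)  # keep the first matching allow
    return decision

# Constructed sample policy: a collection of access rules.
DOCUMENT_POLICY = [
    Rule("owner-full-access", frozenset({"read", "write"}), "allow",
         lambda r: r.principal["id"] == r.resource["owner"]),
    Rule("same-department-read", frozenset({"read"}), "allow",
         lambda r: r.principal["department"] == r.resource["department"]
         and r.resource["sensitivity"] != "restricted"),
    Rule("restricted-needs-corporate-network", frozenset({"read", "write"}), "deny",
         lambda r: r.resource["sensitivity"] == "restricted"
         and r.context["network"] != "corporate"),
]

# Constructed sample attributes.
ALICE = {"id": "alice", "department": "finance"}
BOB = {"id": "bob", "department": "finance"}
PAYROLL = {"owner": "alice", "department": "finance", "sensitivity": "restricted"}
BUDGET = {"owner": "alice", "department": "finance", "sensitivity": "internal"}
```

With this policy, the owner can write the restricted file from the corporate network, while the same request from any other network is denied by the context rule.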


The fine-grained control provided by the ABAC model can be applied just as easily to mid-sized organizations as it can to multinational conglomerates.

