top of page

Attribute-Based Access Control

Attribute-based access control is a new topic for the April CISSP exam update. It is a more dynamic, flexible, context-aware and adaptive type of access control method.

When we are talking about access control methods we are talking about things like Role-Based Access Control, Discretionary Access Control or Mandatory Access Control. ABAC can actually work together with all these other access control models.

In role-based access control, users are given a role configured by a central administrator. The subject is only allowed to access the resources or objects assigned to this role.

In discretionary access control, every object must have an owner. It is the owner who decides the rules between subjects and objects. Not a central administrator.

In attribute-based access control subjects, objects and environmental attributes are checked by a Policy Decision Point and a Policy Enforcement Point against a policy.

Figure 1

In Figure 1, Lukman is a subject with the following attributes:

  • His official title, the Finance Director (Role based access control)

  • And his department which is Finance

The object he is trying to access has these attributes:

  • Read/Write/Delete

His environmental attributes are:

  • He’s in the New York office

  • During business hours

  • Hard-wired

  • In the local area network

And let’s say that there is an existing policy which states:

If a subject in the finance department with the role of Finance Director who is trying to read a finance folder during business hours and hooked into the local area network in the New York office, then they are permitted to read the folder.

In ABAC a “Policy Decision Point” and “Policy Enforcement Point”, are the deciding factors when it comes to permitting or denying the access request. I don’t think you’ll have to know those terms for the CISSP exam, but it might be good to know. It also helps to know when learning about XACML.

In this scenario, the decision engine checks to make sure

that if Lukman, the subject, has a subject attribute of being in the Finance Department, and the role of Finance Director,

and trying to access a folder to which he is only trying to read, not write, and located in his new York office hard wired to the network via Ethernet during business hours - if all that matches the policy,

then Lukman is permitted to access the folder.

Attribute-based access control will calculate and evaluate all these subject, object, and environmental attributes, as well as a pre-established policy, in order to permit or deny operations.

That is what we’re talking about when it comes to attribute-based access control for the new updated CISSP exam.

And did you catch how it can be used with role based access control?

Lukman was already assigned a role. The role of Finance Director.

Which means he only has access to the files and folders which is allowed to him by the role of being a finance director.

Then we can further apply a more granular level of security with ABAC, but making sure that not only does Lukman need to have the role of Finance Director, but he also has to satisfy a few other attributes as well.

That’s how attribute-based access control works with role-based access control, and that's how ABAC works in general.

I have an entire 30-minute video about ABAC in the member's section of the site. Click here if you're interested to join:

Thanks for reading.


bottom of page