Attribute-Based Access Control
Attribute-Based Access Control (ABAC) uses various security attributes to protect data objects from unauthorized access, sharing, or other operations.
If the subject requesting access meets the requirements in the policy, they are authorized to perform the requested operation. Otherwise, access is denied.
The following is a description of the ABAC attributes used to make the policy decision to approve or deny access:
- Subject attributes: The security attributes of the user or entity requesting access, such as clearance, need-to-know compartments, nationality, role, or group membership. Taken together, these attributes describe the requester in enough detail for the policy to distinguish one subject from another without the policy having to enumerate individual identities.
- Resource attributes: Obtained from the security label bound to the data object. These attributes define the data object’s sensitivity and can include classification, need-to-know, and releasability.
- Action attributes: All relevant information regarding the nature of the transaction. For example, viewing or accessing a file might only require a subset of the privileges required to create a file.
- Environmental attributes: Information about the conditions under which the transaction occurred. For example, access to a data object might be permitted during normal business hours but denied on weekends.
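The four attribute categories above combine into a single policy decision. The following added example (not code from the original page) is a minimal policy decision point in Python: it evaluates a subject's clearance, need-to-know compartments, nationality and privileges against a data object's classification, required compartments and releasability, checks that the subject holds every privilege the requested action needs, and denies access outside business hours. The classification order, the privilege sets per action, the business-hours window and the sample subjects and resources are all constructed for the example; real deployments take these from the organization's labeling scheme and policy.

```python
from dataclasses import dataclass
from datetime import datetime

# Ordered classification levels; a subject's clearance must dominate the
# object's classification. Constructed for this example.
CLASSIFICATION_ORDER = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# Privileges each action requires. Reading needs a subset of what creating
# needs, matching the action-attribute example in the text. Hypothetical.
ACTION_PRIVILEGES = {
    "read": frozenset({"read"}),
    "create": frozenset({"read", "write"}),
}


@dataclass(frozen=True)
class Subject:
    user_id: str
    clearance: str
    compartments: frozenset   # need-to-know compartments granted to the subject
    nationality: str
    privileges: frozenset     # privileges the subject has been granted


@dataclass(frozen=True)
class Resource:
    object_id: str
    classification: str
    compartments: frozenset   # need-to-know compartments the object requires
    releasable_to: frozenset  # nationalities the object may be released to


@dataclass(frozen=True)
class Environment:
    timestamp: datetime       # when the access request was made


def is_business_hours(ts: datetime) -> bool:
    """Monday to Friday, 09:00 to 16:59. Window is an assumption for the example."""
    return ts.weekday() < 5 and 9 <= ts.hour < 17


def decide(subject: Subject, resource: Resource, action: str, env: Environment):
    """Evaluate all attribute checks and return (decision, reason).

    Default deny: the request is permitted only if every check passes, and the
    first failing check is reported so the denial can be audited.
    """
    if action not in ACTION_PRIVILEGES:
        return "DENY", f"unknown action {action!r}"
    if (subject.clearance not in CLASSIFICATION_ORDER
            or resource.classification not in CLASSIFICATION_ORDER):
        return "DENY", "unknown classification label"
    # Resource attributes: classification, need-to-know, releasability.
    if CLASSIFICATION_ORDER[subject.clearance] < CLASSIFICATION_ORDER[resource.classification]:
        return "DENY", "clearance below classification"
    if not resource.compartments <= subject.compartments:
        return "DENY", "missing need-to-know compartment"
    if subject.nationality not in resource.releasable_to:
        return "DENY", "not releasable to subject's nationality"
    # Action attributes: the subject must hold every privilege the action needs.
    if not ACTION_PRIVILEGES[action] <= subject.privileges:
        return "DENY", f"insufficient privileges for {action!r}"
    # Environmental attributes: time of the request.
    if not is_business_hours(env.timestamp):
        return "DENY", "outside business hours"
    return "PERMIT", "all attribute checks passed"


# Constructed sample subjects and resource.
ALICE = Subject("alice", "SECRET", frozenset({"PROJ-A"}), "US", frozenset({"read"}))
BOB = Subject("bob", "CONFIDENTIAL", frozenset({"PROJ-A"}), "US", frozenset({"read", "write"}))
REPORT = Resource("report-17", "SECRET", frozenset({"PROJ-A"}), frozenset({"US", "GB"}))
MONDAY_10AM = Environment(datetime(2024, 1, 8, 10, 0))
SATURDAY_10AM = Environment(datetime(2024, 1, 13, 10, 0))

if __name__ == "__main__":
    for subj, action, env in [(ALICE, "read", MONDAY_10AM),
                              (ALICE, "create", MONDAY_10AM),
                              (ALICE, "read", SATURDAY_10AM),
                              (BOB, "read", MONDAY_10AM)]:
        print(subj.user_id, action, env.timestamp.isoformat(), decide(subj, REPORT, action, env))
```

The checks are deliberately evaluated in a fixed order with a default of deny, so an unknown label or an unrecognized action can never fall through to a permit; the returned reason string is what a deployment would write to its audit log.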