Attribute-based access control (ABAC) is an authentication and authorization model under the identity management umbrella that uses attributes, rather than roles, to grant user access. With ABAC, access decisions are made based on attributes (characteristics) about the subject or user making the access request, the resource being requested, what the user will do with the resource, and the environment (geolocation, network, etc.) or context of the of the request.

ABAC was derived from role-based access control (RBAC), which provides access based on user roles. But while RBAC covers broad access, ABAC can control access on a more detailed level.

How does ABAC work?  

ABAC examines characteristics (attributes), in order to make access decisions. These attributes can be broken up into four main categories:

  • Subject/user attributes are what describes the individual trying to gain access. Examples include username, ID, age, job title, job role, organization, department, security clearance, etc.
  • Resources/object attributes are what describes the resource being accessed.  
  • Action is what the user will do with the resource. Examples include view, read, transfer, delete, etc.
  • Environmental attributes describe the context of the access attempt. Examples include time, location, device, etc.

ABAC systems intelligently study how attributes interact in an environment and develop a set of rules that will establish which attributes are warranted access based on whether specific conditions are met.

In other words, the ABAC system establishes policies to define which combinations of user/subject/environmental attributes are needed to perform an action with an object/resource. They use these policies to grant and deny access.

For example, if you don’t want the entire sales organization to view data on potential leads, ABAC can place limitations so only sales reps in the west coast region of the United States can view the information.

Here’s how it works in action: Whenever an access request is triggered, the ABAC tool will scan attributes to see if they match established policies. If they do, the user will gain access. In this case, it would be a sales rep who works on the west coast, and who’s trying to view sales prospect information.

Advantages of ABAC. 

There are many advantages to an ABAC system that help foster security benefits for your organization.

Targeted approach to security.

Unlike role-based access control which grants access based on roles, ABAC grants access based on attributes, which allows for highly targeted approach to data security. It ensures an extra layer of safety that RBAC can’t provide, given that ABAC looks at many variables while establishing access.

For example, with RBAC, access is role-based, so in the scenario above, a sales rep will always have access to sales prospect data if given access. In an ABAC scenario, their access could be restricted based on certain attributes, i.e., location, time of day, and actions (viewing, editing, deleting data). ABAC allows for user admins to hone in on many different attributes as indicators of access, which in turn increases the level of security at each access point.

Dynamic access control.

Unlike RBAC which establishes access based on roles, ABAC establishes access based on attributes. So, rather than establishing roles for every individual who may enter the system, ABAC can take one policy and dynamically apply it to many roles. This is because ABAC looks at variety of attributes when granting access, not just a role.

Let’s look at the example from the beginning. In a role-based access scenario, RBAC systems must create individual roles for each sales rep to access specific data. With ABAC systems, you can set a single role that gives all sales reps access to the data (resource/object). While on the surface this might not seem secure, its actually safer than traditional RBAC. This is because ABAC uses many attributes to define policies. A user admin can set a rule such that only sales reps within a specific region, or who’ve closed a certain number of deals can view the data. This type of authentication based on attributes tightens access points by considering multiple factors when granting access and adhering to the principle of least privilege. All the while, it lessens the burden on IT to creating so many user roles.

Disadvantages of ABAC. 

Once ABAC is implemented, it’s easy to scale it and apply it to your data security program. However, it’s quite complicated to implement. It can require defining hundreds of thousands of attributes, establishing rules and policies, and performing implementation. It requires a lot of time and resources. However, once established, ABAC is highly scalable and secure.

Attribute-Based Access Control vs. Role-Based Access Control. 

RBAC authenticates user access based on roles, while ABAC is based on attributes. Both can be effective, but ABAC is much more scalable than RBAC. 


The primary advantage with RBAC systems is that provisioning and deprovisioning is determined based on roles, rather than on an individual basis. This is great for a smaller organization, but as your business scales, creating hundreds of thousands of roles is not scalable.


The primary advantage of ABAC is that it establishes access based on attributes. This allows for higher levels of access security, beyond provisioning access based on roles. The one downside as mentioned before is its complexity. But once implemented, its robust benefits outweigh the costs.

Final thoughts. 

Authentication is an important component of identity security—but also just one aspect of managing access under the identity governance and administration (IGA) umbrella.

Implement AI-driven security with SailPoint’s Access Modeling. It uses AI and Machine learning to create and implement role models that align with your business needs. Learn how it works.

Take control of your cloud platform.

Learn more about SailPoint and Access Modeling.

Get Started Today