What is ABAC?
Attribute-based access control (ABAC) is a detailed approach to access control. It involves provisioning (adding and removing credentials) based on user characteristics like job role, user ID or membership.
- Subject attributes: User ID, job role, department membership and hierarchy level.
- Object or resource attributes: The object type, location and classification or sensitivity.
- Action attributes: Read, write, copy, edit, view, approve and delete.
- Environmental attributes: Communication protocol, encryption strength and other dynamic aspects of access control.
A successful access control system balances ease of use with security.
Security administrators use a range of access control models – Mandatory Access Control (MAC), Role-Based Access Control (RBAC) and Discretionary Access Control (DAC) – to streamline and protect their operations. However, there are limitations to these models. This is where attribute-based Access Control comes in.
ABAC offers several benefits to businesses of all types. A few unique benefits of attribute-based access control are:
- Providing user permissions based on what they are rather than what they do.
- Enabling an extra layer of safety through a targeted approach to data security.
- Allowing security admins to set granular yet flexible access policies.
This article explains how it differs from role-based access control.
5 Use Cases for ABAC
Enterprises, healthcare providers, commercial real estate teams, educational institutions and others can use attribute-based access control policies to enhance the physical security for their critical assets.
ABAC helps IT and security admins streamline access requests by:
- Granting seamless access to full-time employees who need access to several parts of the building to carry out their day-to-day duties except for the server room, board room and electricity room.
- Giving access permissions to customers, creditors and suppliers – exclusively to common areas, reception and conference rooms.
It also enables security admins to create an access control policy for external stakeholders by using the following attribute values:
- Indirect relationship with the enterprise
- Does not belong to the enterprise
- Not on the enterprise’s payroll
By using these attributes, security admins give visitors and guests access to specific areas around the workplace.
Security admins can use ABAC to create an authorization policy at healthcare centers.
For instance, they can create a security policy stating that anyone who is a radiology technician can access the radiology lab. This security policy will restrict employees from other departments, patients and other stakeholders of the hospital from accessing the radiology lab.
Likewise, an orthopedist responding to an active shooter event can ask the security admin to create an access control list to allow them to access the radiology lab based on the authentication of his credentials, medical specialization and employment status. Once this access list is created, all the orthopedists in the hospital are immediately granted access to the radiology lab based on the same rules to efficiently tackle the situation.
3. Commercial Real Estate
Property managers in charge of commercial real estate portfolios can use ABAC to assign different access permissions.
Let’s say there is a six-story building, where:
- Five floors (1 to 5) are occupied by five different companies.
- The sixth floor is a common area with a cafeteria, gym, and other amenities.
- Two basements are allotted for parking of tenants (their employees).
If the security team wants to use ABAC for all the tenants and visitors of this property, it may consider the following attributes to create access policies.
- Tenants: All tenants and their employees of this property may want to have seamless access to the sixth floor, their office floor and the parking garage allocated to them.
- First floor: The security admin can use the object attributes such as the sixth floor, first-floor main entrance, parking for the first floor and elevator lounges of all floors to create an access policy while assigning access credentials to tenants and their employees of the first floor.
- Second floor: The attributes for second-floor employees could be the sixth floor, second-floor main entrance, parking for the second floor and elevator lounges of all floors.
- Visitors: For visitors, the security admin can create a temporary access card by using access attributes such as the main gate, elevator lounges and the office floor where they want to go.
Many people, including students, professors and school administrators will filter through college and school campuses every day. Security guards may not be able to identify who among these have malicious intentions. To protect assets from people who have malicious intentions, educational institutions should restrict the entry of unauthorized users at various checkpoints, including the main gate and internal doors.
ABAC enhances the security of students and other vital assets at the campus. For example, security admins can use attributes such as the time and location of the access attempt to develop the access policy. They can use this policy to restrict the entry of users to high-risk areas like music rooms, computer labs, supply rooms and gym storage during unusual times.
5. Commercial Security
If you are using cloud-based access control that works with commercial security systems such as smart locks, electric gates, keyless entryways, video management systems and visitor management systems, you can implement ABAC to streamline employee access with a click of a button.
With the ABAC model, your security admins can assign access credentials to employees based on the attributes such as role, department, designation, hierarchy, the sensitivity of the location, time of access and more. This ensures all employees at the workplace have the least privilege (an authorization model of granting access to the only resources required to carry out their day-to-day activities) while eliminating the possibility of security breaches.
For instance, a finance manager may be permitted to open a closet desk, where financial planning documents of a project are kept, during office hours, but not after office hours.
ABAC vs. RBAC
|It provides access rights based on various attributes of the user, resource and environment.Enhanced security for your assets.Security admins may need to spend a lot of time analyzing organizational roles and attributes while creating access policies. The cost of implementation is high.No need to modify existing access policies when a new user joins the team.
|It provides access rights based on user roles. Limited security for your assets. Creating roles is much simpler and faster than assigning attributes to users. The cost of implementation for RBAC is relatively lower than ABAC. Security admins may need to create a new role whenever a new user joins the team.
Whether You Want ABAC or RBAC, Genea is Your Solution
While RBAC determines who has access to a resource, ABAC enhances the capability of RBAC by determining what they can do with the resource.
Consider implementing Genea Security for remote provisioning and monitoring. Whether you’re planning to assign access privileges based on role or attribute, Genea can accommodate. Book a demo to learn how ABAC can enhance your physical security.