
Attribute-Based Access Control (ABAC) Cheat Sheet (DRAFT) by [deleted]

Simplifying Security Management

This is a draft cheat sheet. It is a work in progress and is not finished yet.


ABAC is “an access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environmental conditions, and a set of policies that are specified in terms of those attributes and conditions.” (NIST SP 800-162)

These policies can be represented as a set of relationships or rules; however, at a minimum, they must reflect the allowable set of operations the subject may perform upon the object if, and only if, the subject’s attributes and the environmental conditions meet those required for authorization given the object’s attributes.

Principles for attribute-based access control

Establish a business case for implementation.
Understand the operational requirements and overall enterprise architecture.
Create or refine business processes to support ABAC.
Develop and acquire an interoperable set of capabilities.
Operate with efficiency.


Resources may receive their attributes either directly from their creator or as a result of automated scanning tools. The object owner creates an access control rule to govern the set of allowable operations; for example, all nurse practitioners in the cardiology department can view the medical records of heart patients. Because the rule is written in terms of attributes rather than named subjects, attributes and their values can be modified throughout the lifecycle of subjects, objects and attributes without modifying every subject-object relationship. NIST says this provides a more dynamic access control capability because access decisions can change between requests when attribute values change.

ABAC enables administrators to apply access control policy without prior knowledge of a specific subject and for an unlimited number of subjects that might require access.
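The nurse-practitioner rule above, evaluated by a deny-by-default policy decision point, as an added example (this is not code from the cheat sheet or from NIST). The attribute names (role, department, record_type, patient_condition), the extra environmental condition that the request must originate from the hospital network, and the people and records are all constructed for illustration. The scenarios show the two properties the text describes: a subject the policy has never heard of is permitted on the strength of her attributes alone, and changing one attribute value flips the next decision without any rule or subject-object relationship being edited.

```python
"""Minimal ABAC policy decision point (PDP) in NIST SP 800-162 vocabulary.

Added example, not from the cheat sheet. Attribute names, the network
environmental condition and the sample subjects/objects are assumptions
chosen to model the nurse-practitioner scenario.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, FrozenSet, List

Attrs = Dict[str, Any]                                # attribute name -> value
Condition = Callable[[Attrs, Attrs, Attrs], bool]     # (subject, object, env) -> bool


@dataclass(frozen=True)
class Rule:
    """Grants `operations` on an object when `condition(subject, obj, env)` holds."""
    name: str
    operations: FrozenSet[str]
    condition: Condition


class PolicyDecisionPoint:
    """Deny-by-default evaluator: a request is permitted only if at least one
    rule lists the requested operation and its condition is satisfied by the
    attributes presented with this request. No subject or object is named."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)

    def decide(self, subject: Attrs, operation: str, obj: Attrs, env: Attrs) -> bool:
        return any(
            operation in rule.operations and rule.condition(subject, obj, env)
            for rule in self.rules
        )


# "All nurse practitioners in the cardiology department can view the medical
# records of heart patients", plus an assumed environmental condition that the
# request must arrive from the hospital network.
CARDIOLOGY_RECORDS = Rule(
    name="cardiology-np-view-heart-records",
    operations=frozenset({"view"}),
    condition=lambda s, o, e: (
        s.get("role") == "nurse_practitioner"
        and s.get("department") == "cardiology"
        and o.get("record_type") == "medical_record"
        and o.get("patient_condition") == "cardiac"
        and e.get("network") == "hospital-lan"
    ),
)

PDP = PolicyDecisionPoint([CARDIOLOGY_RECORDS])


def evaluate_scenarios() -> Dict[str, bool]:
    """Runs constructed requests against PDP and returns scenario -> decision."""
    heart_record = {"record_type": "medical_record", "patient_condition": "cardiac"}
    skin_record = {"record_type": "medical_record", "patient_condition": "dermatological"}
    on_site = {"network": "hospital-lan"}
    remote = {"network": "public-internet"}

    alice = {"id": "alice", "role": "nurse_practitioner", "department": "cardiology"}
    bob = {"id": "bob", "role": "nurse_practitioner", "department": "oncology"}
    # carol appears in no rule: the policy needs no prior knowledge of her,
    # only the attributes she presents at request time.
    carol = {"id": "carol", "role": "nurse_practitioner", "department": "cardiology"}

    results = {
        "alice_view_heart_record": PDP.decide(alice, "view", heart_record, on_site),
        "alice_edit_heart_record": PDP.decide(alice, "edit", heart_record, on_site),
        "alice_view_skin_record": PDP.decide(alice, "view", skin_record, on_site),
        "alice_view_from_internet": PDP.decide(alice, "view", heart_record, remote),
        "bob_view_heart_record": PDP.decide(bob, "view", heart_record, on_site),
        "carol_view_heart_record": PDP.decide(carol, "view", heart_record, on_site),
    }

    # Attribute lifecycle: alice transfers to oncology. No rule and no
    # subject-object relationship is edited; the next request simply carries
    # the new attribute value and the decision changes.
    alice_after_transfer = dict(alice, department="oncology")
    results["alice_view_after_transfer"] = PDP.decide(
        alice_after_transfer, "view", heart_record, on_site
    )
    return results


if __name__ == "__main__":
    for scenario, permitted in evaluate_scenarios().items():
        print(f"{scenario:30s} {'PERMIT' if permitted else 'DENY'}")
```

The PDP never consults a per-subject or per-object entry; every decision is recomputed from the attributes supplied with the request, which is why a transfer, a revoked role or a change of network takes effect on the very next call rather than after an ACL clean-up.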

Attribute-Based Access Control

Management Support Functions

The enterprise must support management functions for:

Enterprise policy development and distribution
Enterprise identity and subject attributes
Subject attribute sharing
Enterprise object attributes
Authentication
Access control mechanism deployment and distribution

The development and deployment of these capabilities require the careful consideration of a number of factors that will influence the design, security and interoperability of an enterprise ABAC solution.