
📖 What is Attribute-Based Access Control (ABAC)?

Attribute-Based Access Control (ABAC) is a flexible access control model in which each access decision is made by evaluating policies over a combination of attributes rather than by looking up a static role or list entry. These attributes can include user characteristics, resource properties, and environmental conditions such as time of day or location. Because a policy can combine any of these attributes, ABAC provides more granular control than RBAC.

🥋 Sensei Says:

"Think of ABAC as the most 'intelligent' or 'context-aware' model. It is the logical evolution from RBAC for complex, dynamic environments."

📚 Certification: Certified Information Systems Security Professional (CISSP)

🔑 What are the Key Concepts of Attribute-Based Access Control (ABAC)?

  • Subject attributes include user-specific characteristics such as job title, security clearance, department, and certification level used to determine access rights.
  • Object attributes describe the resource being accessed, such as file classification, project ownership, or the sensitivity level of the data.
  • Environmental attributes provide context-aware security by evaluating conditions like the user's current IP address, time of access, or geographic location.
  • Policy-based logic uses Boolean expressions to combine these attributes, allowing for highly granular 'if-then' rules that govern access decisions dynamically.
  • ABAC prevents 'role explosion' by eliminating the need to create countless unique roles for every possible combination of user permissions.

🎯 How does Attribute-Based Access Control (ABAC) appear on the CISSP Exam?

You may be asked to identify the best access control model for a global organization that needs to restrict access based on the user's current country and the time of day.

A scenario might describe a system where access is granted only if the user is a manager, the document is marked 'Internal', and the connection is via a secure VPN; identify this as ABAC.

❓ Frequently Asked Questions

How does ABAC specifically address the problem of role explosion in RBAC?

In RBAC, adding a new condition often requires a new role. ABAC uses attributes instead; a single policy can evaluate multiple attributes dynamically, removing the need to create thousands of static roles.


Can ABAC be used in conjunction with other access control models?

Yes, many organizations implement a hybrid approach. They may use RBAC for broad organizational roles and layer ABAC on top to provide fine-grained, context-aware restrictions for highly sensitive data.
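The following is an added example, not code from the glossary page, that ties together the three attribute families and the Boolean policy logic from the Key Concepts list, the exam scenario above (manager, document marked 'Internal', connection over VPN), and the hybrid RBAC-plus-ABAC arrangement described in this answer. The role table, policy names, attribute keys, allowed countries and business-hours window are all constructed sample values chosen for illustration. Decisions combine matched rules with deny-overrides and fall back to a default deny, which is the conservative choice a practitioner would want when no rule matches.

```python
"""Minimal hybrid RBAC + ABAC evaluator (added example, not the page's code).

Attributes are plain dicts; policies are Boolean conditions over them.
Decision combining: any matching deny wins, then any matching permit,
otherwise default deny.
"""
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    subject: dict      # who: role, department, clearance ...
    resource: dict     # what: classification, owner_department, sensitivity ...
    environment: dict  # context: country, time, connection ...


Condition = Callable[[Request], bool]


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str        # "permit" or "deny"
    condition: Condition


# --- RBAC layer: coarse, static role -> permitted actions (constructed table) ---
ROLE_PERMISSIONS = {
    "manager": {"read", "approve"},
    "analyst": {"read"},
    "contractor": set(),
}


def rbac_allows(req: Request, action: str) -> bool:
    """Broad organizational gate: does the subject's role carry this action at all?"""
    return action in ROLE_PERMISSIONS.get(req.subject.get("role"), set())


# --- ABAC layer: fine-grained, context-aware rules (constructed values) ---
BUSINESS_HOURS = (time(8, 0), time(18, 0))
ALLOWED_COUNTRIES = {"US", "DE"}


def in_business_hours(req: Request) -> bool:
    t = req.environment.get("time")
    return t is not None and BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]


POLICIES: List[Policy] = [
    # The exam scenario: manager AND document marked 'Internal' AND VPN connection.
    Policy("manager-internal-over-vpn", "permit", lambda r:
           r.subject.get("role") == "manager"
           and r.resource.get("classification") == "Internal"
           and r.environment.get("connection") == "vpn"),
    # Subject/object match plus an environmental (time-of-day) condition.
    Policy("owner-business-hours", "permit", lambda r:
           r.subject.get("department") == r.resource.get("owner_department")
           and in_business_hours(r)),
    # Environmental deny: requests from outside approved countries never pass.
    Policy("geo-restriction", "deny", lambda r:
           r.environment.get("country") not in ALLOWED_COUNTRIES),
    # Subject vs. object deny: clearance below the resource's sensitivity.
    Policy("clearance", "deny", lambda r:
           r.subject.get("clearance", 0) < r.resource.get("sensitivity", 0)),
]


def evaluate_abac(policies: List[Policy], req: Request) -> Tuple[str, List[str]]:
    """Deny-overrides combining with default deny; returns (decision, matched rule names)."""
    matched = [p for p in policies if p.condition(req)]
    names = [p.name for p in matched]
    if any(p.effect == "deny" for p in matched):
        return "deny", names
    if any(p.effect == "permit" for p in matched):
        return "permit", names
    return "deny", names  # nothing matched: default deny


def authorize(req: Request, action: str, policies: List[Policy] = POLICIES) -> Tuple[str, List[str]]:
    """Hybrid model: RBAC answers 'may this role ever do this?', ABAC refines with context."""
    if not rbac_allows(req, action):
        return "deny", ["rbac:no-role-permission"]
    return evaluate_abac(policies, req)


def run_scenarios() -> Dict[str, Tuple[str, List[str]]]:
    """Constructed requests exercising each attribute family; returns name -> decision."""
    doc = {"classification": "Internal", "owner_department": "hr", "sensitivity": 2}
    env_ok = {"country": "US", "time": time(10, 0), "connection": "vpn"}
    manager = {"role": "manager", "department": "finance", "clearance": 3}
    analyst = {"role": "analyst", "department": "hr", "clearance": 2}
    return {
        "manager_internal_vpn": authorize(Request(manager, doc, env_ok), "read"),
        "manager_from_unapproved_country": authorize(
            Request(manager, doc, {**env_ok, "country": "XX"}), "read"),
        "analyst_own_department_in_hours": authorize(
            Request(analyst, doc, {**env_ok, "country": "DE", "connection": "office"}), "read"),
        "analyst_after_hours": authorize(
            Request(analyst, doc, {**env_ok, "time": time(20, 0), "connection": "office"}), "read"),
        "analyst_insufficient_clearance": authorize(
            Request({**analyst, "clearance": 1}, doc, env_ok), "read"),
        "contractor_read": authorize(
            Request({"role": "contractor", "department": "hr"}, doc, env_ok), "read"),
    }


if __name__ == "__main__":
    for name, (decision, matched) in run_scenarios().items():
        print(f"{name:34s} {decision:6s} {matched}")
```

The RBAC table stays small and static, while every condition that would otherwise require a new role (country, time window, connection type, clearance versus sensitivity) lives in the ABAC rules; that division is what keeps role explosion out of the hybrid design.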

