← All terms
Attribute-Based Access Control (ABAC)

What is Attribute-Based Access Control (ABAC)?

ABAC makes access decisions by evaluating attributes of the user, the resource, the action, and the context against policies at the moment of the request.

Last updated: 14 July 2026

How ABAC works

Attribute-based access control expresses authorization as policies over attributes rather than static assignments. A policy might state that a user may read a document if the user's department matches the document's owning department, the document's classification is at or below the user's clearance, and the request comes from a managed device during business hours.

At request time, a policy engine gathers attributes from identity providers, directories, and the resource itself, evaluates the applicable policies, and returns an allow or deny decision. Because the decision happens dynamically, access adapts automatically when attributes change — no one has to remember to update a grant when someone transfers departments.

ABAC underpins many modern patterns: conditional access rules in identity providers, tag-based policies in cloud platforms, and fine-grained authorization services are all attribute-driven at their core.

Why ABAC matters

Role models struggle when access depends on context. Expressing "engineers may access production data only from managed devices, and only for the projects they are assigned to" purely in roles would require an explosion of role variants. ABAC captures such requirements as a handful of policies.

ABAC is also a natural fit for zero trust architectures, where every request should be evaluated against current context rather than a standing entitlement. Signals such as device posture, network location, and risk score are attributes, and conditional access is essentially ABAC applied to authentication and session decisions.

The trade-off is auditability. Answering "who can access this resource?" under ABAC requires evaluating policies over all possible attribute combinations, which is harder for reviewers and auditors to reason about than a role membership list. Attribute quality is also critical: a policy is only as reliable as the directory data feeding it.

ABAC in practice

Few organizations run pure ABAC. The common pattern is hybrid: roles define baseline, reviewable access, while attribute-based policies add contextual conditions on top — restricting when, where, and from what device that access can be exercised.

A practical rollout starts by cleaning the attributes that policies will depend on, such as department, job title, and manager fields in the directory, then implements a small number of high-value policies: protecting sensitive applications with device and location conditions, or scoping data access by data classification.

In identity platforms this typically surfaces as conditional access; Monosign, for example, evaluates contextual conditions at sign-in as part of its conditional access policies.

Frequently asked questions

RBAC vs ABAC: which should we use?
Usually both. Roles give you a reviewable baseline that auditors understand; attribute policies handle context that roles cannot express, such as device, location, or data classification. Start with roles for entitlement management and layer ABAC-style conditions where contextual risk matters.
Is conditional access the same as ABAC?
Conditional access is ABAC applied to a specific decision point: authentication and session establishment. It evaluates attributes like device posture, location, and risk before granting a session. Full ABAC extends the same idea to fine-grained authorization inside applications and data platforms.
What is the hardest part of adopting ABAC?
Attribute quality. Policies depend on directory and HR data being accurate and current; stale department fields or missing device signals silently produce wrong decisions. Most failed ABAC projects trace back to unreliable attribute sources rather than the policy engine.