What is ABAC?
ABAC (Attribute Based Access Control) is an access control model in which access to systems and data is decided from attributes in four categories: the subject (user), the resource, the action, and the environment. The model is defined in NIST SP 800-162.
Instead of relying only on roles, as in RBAC, ABAC evaluates multiple factors at the same time. These can include who the user is, which device is being used, where the request is coming from, and what resource is being accessed. In practice, RBAC and ABAC are usually combined as a hybrid, where roles grant coarse access and attributes refine it.
This allows for more precise and dynamic access control, where decisions are made based on context.
A simple way to understand ABAC is to think of an access system that checks not just identity, but also time, location, device state, and which resource is being requested.
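The following is an added illustration, not part of the original glossary entry: a small policy decision point in Python that evaluates a request against attributes from all four NIST SP 800-162 categories, with a role check acting as the coarse RBAC layer of the hybrid model described above. All attribute names, roles, and sample values (finance-analyst, financial-report, business hours 07:00 to 19:00) are constructed for the example.

```python
"""Minimal ABAC policy decision point: subject, resource, action and environment
attributes are evaluated together, with a role check as the coarse RBAC layer.
All attribute names and sample values are constructed for illustration."""

from dataclasses import dataclass
from datetime import time
from typing import Callable

Attributes = dict[str, object]


@dataclass(frozen=True)
class Request:
    subject: Attributes      # who is asking (role, department, mfa, ...)
    resource: Attributes     # what is asked for (type, classification, owner)
    action: str              # read, write, approve, ...
    environment: Attributes  # context of the request (device state, network, time)


# Coarse layer: which (resource type, action) pairs each role may attempt.
ROLE_PERMISSIONS: dict[str, set[tuple[str, str]]] = {
    "finance-analyst": {("financial-report", "read")},
    "finance-manager": {("financial-report", "read"), ("financial-report", "approve")},
}

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # constructed policy value


def role_permits(req: Request) -> bool:
    allowed = ROLE_PERMISSIONS.get(str(req.subject.get("role")), set())
    return (str(req.resource.get("type")), req.action) in allowed


def same_department(req: Request) -> bool:
    return req.subject.get("department") == req.resource.get("owner_department")


def device_ok(req: Request) -> bool:
    # Confidential data may only be handled from a compliant, managed device.
    if req.resource.get("classification") != "confidential":
        return True
    return bool(req.environment.get("device_compliant"))


def strong_auth(req: Request) -> bool:
    # Requests from outside the trusted network must have completed MFA.
    return bool(req.environment.get("trusted_network")) or bool(req.subject.get("mfa"))


def within_hours(req: Request) -> bool:
    # Privileged actions are restricted to business hours.
    if req.action != "approve":
        return True
    now = req.environment.get("time")
    return isinstance(now, time) and BUSINESS_HOURS[0] <= now <= BUSINESS_HOURS[1]


# Every rule must pass; the first failing rule names the reason for denial.
RULES: list[tuple[str, Callable[[Request], bool]]] = [
    ("role does not grant this action", role_permits),
    ("subject is not in the owning department", same_department),
    ("non-compliant device for confidential data", device_ok),
    ("MFA required outside trusted network", strong_auth),
    ("privileged action outside business hours", within_hours),
]


def decide(req: Request) -> tuple[bool, str]:
    """Deny-by-default evaluation: return (allowed, reason)."""
    for reason, rule in RULES:
        if not rule(req):
            return False, reason
    return True, "all rules satisfied"


def sample_request(role: str, action: str, **env: object) -> Request:
    """Build a constructed request; keyword arguments override environment defaults."""
    environment: Attributes = {"device_compliant": True, "trusted_network": False, "time": time(10, 30)}
    environment.update(env)
    return Request(
        subject={"role": role, "department": "finance", "mfa": True},
        resource={"type": "financial-report", "classification": "confidential",
                  "owner_department": "finance"},
        action=action,
        environment=environment,
    )


if __name__ == "__main__":
    scenarios = [
        ("analyst reads report", sample_request("finance-analyst", "read")),
        ("analyst approves report", sample_request("finance-analyst", "approve")),
        ("manager approves, unmanaged device", sample_request("finance-manager", "approve", device_compliant=False)),
        ("manager approves at night", sample_request("finance-manager", "approve", time=time(23, 0))),
        ("manager approves in hours", sample_request("finance-manager", "approve")),
    ]
    for label, req in scenarios:
        allowed, reason = decide(req)
        print(f"{label:36s} -> {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The role check alone would let a manager approve a report from an unmanaged laptop at midnight; the attribute rules refine that coarse grant using device state and time, which is the contextual decision the definition above describes. Returning the failing rule's name also gives a ready-made audit reason for logging denied requests.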
Sicra and ABAC
ABAC is relevant in modern identity and access management, especially in Zero Trust architectures. In the Microsoft stack, the model is realized concretely through conditions on role assignments in Azure (Azure ABAC) and, relatedly, through Conditional Access in Entra ID.
At Sicra, it is used when assessing how organizations can improve control over access and reduce risk related to excessive or misconfigured permissions.
This is particularly relevant in environments with cloud, distributed users, and complex access requirements.
Related terms: IAM (Identity and Access Management), Authorization, RBAC (Role Based Access Control), PBAC (Policy Based Access Control), NIST SP 800-162, Conditional Access, Identity security, Least privilege, Entra ID, Zero Trust.