Attribute Based Access Control

Overview

In the PeopleFinder Quickstart, we used RBAC (Role Based Access Control) to control access to the PeopleFinder application's endpoints. In this section, we'll explore the concept of Attribute Based Access Control and see how it can provide us with a more granular and dynamic authorization model.

Unlike RBAC, which sorts users into a fixed set of roles, ABAC lets us use any number of attributes or properties of a user to decide whether they have access to a particular resource. While roles tell us what the user's job is in an organization, attributes tell us who the user is and which properties are particular to them.

For example, these attributes could include a user's location, their IP address, the type of device they're using, their current department, the project they're working on, and so on. Defining rules over attributes that can change over time gives this authorization model its dynamic quality: the authorization decision depends on the values of the user's attributes at runtime, not on a role assigned in advance.

With ABAC, we can define fine-grained rules that may include multiple user properties. For example, we may want to allow a user to access a resource if they are a member of a specific department while working on a specific project and during a specific time period.
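The department/project/time-window rule just described, written out as an added Python example (this is not code from the PeopleFinder app or its policy). The users, the resource and the edit window are constructed sample values; each condition is a predicate over the user's attributes, the resource's attributes and the request context, and all of them are evaluated at request time.

```python
"""Minimal ABAC decision point: a policy is a list of conditions over
user attributes, resource attributes and request context (all must hold)."""
from datetime import datetime, timezone

# Constructed sample subjects and resource (not PeopleFinder data).
USERS = {
    "alice": {"department": "engineering", "projects": {"peoplefinder"}},
    "bob":   {"department": "sales",       "projects": {"peoplefinder"}},
}
RESOURCE = {"id": "employee-records", "department": "engineering",
            "project": "peoplefinder"}
# Constructed time window in which the records may be edited (UTC).
EDIT_WINDOW = (datetime(2024, 1, 1, 9, tzinfo=timezone.utc),
               datetime(2024, 1, 1, 17, tzinfo=timezone.utc))


def same_department(user, resource, ctx):
    # "member of a specific department"
    return user["department"] == resource["department"]


def on_project(user, resource, ctx):
    # "working on a specific project"
    return resource["project"] in user["projects"]


def within_window(user, resource, ctx):
    # "during a specific time period": a context attribute, not a user one.
    start, end = EDIT_WINDOW
    return start <= ctx["now"] < end


# The policy is the conjunction of its conditions.
EDIT_POLICY = [same_department, on_project, within_window]


def failed_conditions(user_id, resource, ctx, policy=EDIT_POLICY, users=USERS):
    """Names of the conditions that did not hold; an empty list means allowed."""
    user = users.get(user_id)
    if user is None:                       # unknown subject: deny by default
        return ["unknown_user"]
    return [c.__name__ for c in policy if not c(user, resource, ctx)]


def is_allowed(user_id, resource, ctx, policy=EDIT_POLICY, users=USERS):
    """Authorization decision; re-evaluated on every request, so a change in
    any attribute (department, project assignment, clock) changes the answer."""
    return not failed_conditions(user_id, resource, ctx, policy, users)
```

Returning the failed condition names alongside the boolean makes a deny explainable in logs without leaking which attributes exist to the caller.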

As we'll see in this example, the dynamic behavior ABAC gives us can support a wide variety of use cases that RBAC alone can't satisfy. That said, we have to use ABAC judiciously, since every additional attribute and condition increases the complexity of our authorization model and makes it harder to review and maintain.