Unlike [[role-based access control]] (RBAC), which defines roles that carry a specific set of privileges associated with them and to which subjects are assigned, ABAC can express complex rule sets that can evaluate many different attributes. Through defining consistent subject and object attributes into security policies, ABAC eliminates the need for explicit authorizations to individuals’ subjects needed in a non-ABAC access method, reducing the complexity of managing access lists and groups.
Attribute values can be set-valued or atomic-valued. Set-valued attributes contain more than one atomic value. Examples are ''role'' and ''project''. Atomic-valued attributes contain only one atomic value. Examples are ''clearance'' and ''sensitivity''. Attributes can be compared to static values or to one another, thus enabling relation-based access control.<ref>{{CiteCitation webneeded|lastdate=Mestci|first=Hazal|title=ABAC Patterns: What is Attribute Based Access Control|url=https://www.osohq.com/learn/what-is-attribute-based-access-control-abac?utm_source=ppc&utm_medium=google&utm_campaign=DynamicSearch&utm_content=179698179487&gad_source=1&gad_campaignid=22311018434&gbraid=0AAAAArFMvLU3qD1f16LmkNJJMT2D4xpNm&gclid=Cj0KCQjwm93DBhD_ARIsADR_DjFSKGz2mKg_6BT99YaI0o5V8QoX4F6Wk1uhnsYdcALQbrP_Xww--QwaAlLEEALw_wcB#:~:text=ABAC%20is%20a%20broad%20pattern%20that%20is%20a%20superset%20of%20many%20other%20authorization%20patterns%2C%20like%20role%2Dbased%20access%20control%20(RBAC)%20and%20relationship%2Dbased%20access%20control%20(ReBAC).%20Both%20RBAC%20roles%20and%20ReBAC%20relationships%20can%20be%20thought%20of%20as%20attributes%20of%20the%20actor%20and%20the%20subjectSeptember 2023}}</ref>
Although the concept itself existed for many years, ABAC is considered a "next generation" authorization model because it provides dynamic, context-aware and risk-intelligent access control to resources allowing access control policies that include specific attributes from many different information systems to be defined to resolve an authorization and achieve an efficient regulatory compliance, allowing enterprises flexibility in their implementations based on their existing infrastructures.
Line 18:
* Policy-based access control
* Fine-grained authorization
Fine-grained authorization refers to authorization logic that incorporates elements of multiple authorization models, providing highly targeted permissions under narrowly defined conditions. Unlike coarse-grained models that provide broad access (such as "administrator" or "user" roles), fine-grained authorization allows different users to have different types of access to the same resource based on multiple factors including roles, relationships, attributes, and environmental context.<ref>{{Cite web|last=Mestci|first=Hazal|title=What is Fine-Grained Authorization?|url=https://www.osohq.com/learn/what-is-fine-grained-authorization?utm_source=ppc&utm_medium=google&utm_campaign=DynamicSearch&utm_content=179698179487&gad_source=1&gad_campaignid=22311018434&gbraid=0AAAAArFMvLU3qD1f16LmkNJJMT2D4xpNm&gclid=Cj0KCQjwm93DBhD_ARIsADR_DjGJfD3mUrgQI4DNGN8DmuJZx7r1ykAK13HXs1UfyKH0zJhi86HvCRoaAiBOEALw_wcB#:~:text=Fine%2Dgrained%20authorization%20refers,roles%2C%20relationships%2C%20attributes%2C%20etc }}</ref> For example, a fine-grained policy might allow a customer service representative to access customer data only during business hours, only for customers in their assigned region, and only when handling an active support ticket.
