Attribute-based access control: Difference between revisions

AWoSQL (talk | contribs)
No edit summary
Tags: Visual edit Mobile edit Mobile web edit
Line 84:
 
=== Data security ===
Data security typically goes one step further than database security and applies control directly to the data element. This is often referred to as [[data-centric security]]. On traditional relational databases, ABAC policies can control access to data at the table, column, field, cell and sub-cell using logical controls with filtering conditions and masking based on attributes. Attributes can be data, user, session or tools based to deliver the greatest level of flexibility in dynamically granting/denying access to a specific data element. On big data, and distributed file systems such as Hadoop, ABAC applied at the data layer control access to folder, sub-folder, file, sub-file and other granular.
 
=== Big data security ===
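Review bot: The last sentence of the Data security paragraph does not parse: "ABAC applied at the data layer control access to folder, sub-folder, file, sub-file and other granular" has a subject-verb mismatch and ends on an adjective with no noun. Suggest "ABAC applied at the data layer controls access to folders, sub-folders, files, sub-files and other granular levels", or whichever noun was intended. In the preceding sentence, "data, user, session or tools based" would read more clearly as "data-, user-, session- or tool-based". The paragraph also makes specific claims about table, column, cell and sub-cell control without a citation, so a source should be added.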
Line 92:
=== File server security ===
 
As of Windows Server 2012, Microsoft has implemented an ABAC approach to controlling access to files and folders. This achieved through dynamic access control lists (DACL) and Security Descriptor Definition Language ([[SDDL]]). SDDL can be seen as an ABAC language as it uses metadata of the user (claims) and of the file / folder to control access.
 
==See also==
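Review bot: In the File server security paragraph, "dynamic access control lists (DACL)" expands the acronym incorrectly. In Windows, DACL stands for discretionary access control list, and the feature introduced with Windows Server 2012 is named Dynamic Access Control. Suggest naming the feature directly and mentioning DACLs only under their actual name. The same sentence is missing its verb: "This achieved through" should read "This is achieved through". The claim that SDDL "can be seen as an ABAC language" is an interpretation and needs a citation.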