Attribute-Based Access Control

Attribute-Based Access Control (ABAC) grants access based on a combination of user attributes (department, clearance level), resource attributes (classification, sensitivity), and environmental attributes (time of day, device type, network location). ABAC evaluates policies against multiple attributes simultaneously to make fine-grained access decisions.

ABAC enables contextual access decisions impossible with simple role-based systems — for example, allowing access only if the user is in Finance, the document is classified Internal, the request comes from a company device, and it is during business hours.
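The policy described above, worked through as an added example (this code is not from the original page or from NIST; the attribute names, the policy, the business-hours window and the sample requests are all constructed for illustration). It evaluates subject, resource and environment attributes together in one decision, denies by default, and treats a missing attribute as a failed check rather than a wildcard:

```python
"""Added example: a minimal ABAC policy evaluator. Attribute names, values,
the policy and the 09:00-17:00 business-hours window are assumptions made
for this illustration, not part of the original glossary entry."""
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, List

# A condition is a predicate over the full request context:
# (subject attributes, resource attributes, environment attributes) -> bool
Condition = Callable[[Dict, Dict, Dict], bool]


@dataclass
class Policy:
    name: str
    conditions: List[Condition]  # every condition must hold for a match
    effect: str = "permit"


def is_business_hours(env: Dict) -> bool:
    """Assumed business hours: 09:00 to 17:00 in the server's local time.
    Raises KeyError if the environment carries no trusted timestamp."""
    t = env["time"]
    return time(9, 0) <= t < time(17, 0)


# The glossary's example policy: user in Finance, document classified
# Internal, request from a company-managed device, during business hours.
FINANCE_INTERNAL_DOCS = Policy(
    name="finance-internal-docs",
    conditions=[
        lambda s, r, e: s.get("department") == "Finance",
        lambda s, r, e: r.get("classification") == "Internal",
        lambda s, r, e: e.get("device_type") == "company_managed",
        lambda s, r, e: is_business_hours(e),
    ],
)


def evaluate(policies: List[Policy], subject: Dict, resource: Dict,
             environment: Dict) -> str:
    """Deny by default; permit only when every condition of some permit
    policy holds. A missing or malformed attribute fails closed."""
    for policy in policies:
        try:
            if all(c(subject, resource, environment) for c in policy.conditions):
                return policy.effect
        except (KeyError, TypeError):
            # Attribute absent or of the wrong type: this policy cannot match.
            continue
    return "deny"


def demo() -> Dict[str, str]:
    """Run the same subject/resource through several environments to show
    that changing any single attribute flips the decision."""
    subject = {"user": "alice", "department": "Finance"}          # constructed
    resource = {"doc": "q3-forecast.xlsx", "classification": "Internal"}
    env_ok = {"device_type": "company_managed", "time": time(10, 30)}
    policies = [FINANCE_INTERNAL_DOCS]
    return {
        "all_match": evaluate(policies, subject, resource, env_ok),
        "after_hours": evaluate(policies, subject, resource,
                                {**env_ok, "time": time(22, 0)}),
        "personal_device": evaluate(policies, subject, resource,
                                    {**env_ok, "device_type": "personal"}),
        "wrong_department": evaluate(policies, {**subject, "department": "HR"},
                                     resource, env_ok),
        "missing_time": evaluate(policies, subject, resource,
                                 {"device_type": "company_managed"}),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:18s} -> {decision}")
```

Only the first scenario is permitted; every other run changes one attribute and is denied. Two design points carry over to real deployments: the decision engine fails closed when an attribute is absent, and the environmental attributes (device posture, request time) must be sourced from something the policy engine trusts, such as a device-management service and the server clock, never from values the client asserts about itself.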

CISSP Relevance

ABAC is covered in Domain 5 (Identity and Access Management) as an advanced access control model. CISSP candidates must understand ABAC alongside MAC, DAC, and RBAC, including the tradeoffs in complexity, flexibility, and administrative overhead.

External reference: NIST SP 800-162 Guide to Attribute Based Access Control

Related terms: Role-Based Access Control, Zero Trust