What is ABAC (Attribute-Based Access Control)?

Turkish: ABAC

ABAC is an authorization model that evaluates user, resource, action, and environment attributes instead of relying only on roles.

What is ABAC?

ABAC (Attribute-Based Access Control) is an authorization model that decides access from multiple attributes rather than a role name alone. A policy can consider the user’s department, the resource’s sensitivity, the requested action, device posture, time of day, or location.

For example, “finance users may view approved invoices only from managed devices on the company network” is an ABAC-style rule. The role matters, but the resource state and request context are also part of the decision.

How It Works

In an ABAC architecture, the application sends an access request to a policy decision point. The policy engine reads user, resource, and environment attributes, then returns an allow or deny decision. Tools such as Open Policy Agent can keep that decision logic separate from application code.
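The flow just described, as an added example that is not code from the original article nor from Open Policy Agent: a small policy decision point in plain Python that evaluates the invoice rule quoted above against subject, resource, action and environment attributes, denies by default, refuses to grant when an attribute is missing, and writes one JSON audit record per decision. The attribute names (`department`, `device_managed`, `network`, `status`, `owner`) and the policy version string are constructed for illustration.

```python
"""Minimal attribute-based access control decision point (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import Any, Callable


@dataclass
class Request:
    """One access request: subject, resource, action and environment attributes."""
    subject: dict[str, Any]                  # e.g. from the identity provider
    resource: dict[str, Any]                 # e.g. from the document store
    action: str                              # requested operation, e.g. "view"
    environment: dict[str, Any] = field(default_factory=dict)  # device, network, time


@dataclass
class Rule:
    """A named allow rule; the condition must be true for the rule to match."""
    name: str
    condition: Callable[[Request], bool]


def attr(bag: dict[str, Any], key: str) -> Any:
    """Read an attribute; a missing one raises so evaluation cannot silently pass."""
    if key not in bag:
        raise KeyError(key)
    return bag[key]


# Constructed policy (attribute names are assumptions, not from the article).
# The first rule is the invoice example quoted above; anything not matched by
# an allow rule is denied.
POLICY: list[Rule] = [
    Rule(
        "finance-view-approved-invoice",
        lambda r: r.action == "view"
        and attr(r.resource, "type") == "invoice"
        and attr(r.resource, "status") == "approved"
        and attr(r.subject, "department") == "finance"
        and attr(r.environment, "device_managed") is True
        and attr(r.environment, "network") == "corporate",
    ),
    Rule(
        "owner-any-action",
        lambda r: attr(r.resource, "owner") == attr(r.subject, "id"),
    ),
]


def decide(request: Request, policy: list[Rule] = POLICY) -> dict[str, Any]:
    """Evaluate a request and return {"decision", "rule", "reason"}.

    Permit wins if any rule matches cleanly. A rule that cannot be evaluated
    because an attribute is missing never grants access; the gap is recorded
    in the reason so a default deny is explainable rather than mysterious.
    """
    problems: list[str] = []
    for rule in policy:
        try:
            if rule.condition(request):
                return {"decision": "allow", "rule": rule.name, "reason": "rule matched"}
        except KeyError as missing:
            problems.append(f"{rule.name}: missing attribute {missing.args[0]!r}")
    reason = "; ".join(problems) if problems else "no rule matched (default deny)"
    return {"decision": "deny", "rule": None, "reason": reason}


def audit_line(request: Request, decision: dict[str, Any], policy_version: str) -> str:
    """One JSON audit record per decision, naming the policy version that decided it."""
    return json.dumps(
        {
            "policy_version": policy_version,
            "subject": request.subject.get("id"),
            "action": request.action,
            "resource": request.resource.get("id"),
            **decision,
        },
        sort_keys=True,
    )


if __name__ == "__main__":
    # Constructed sample request: a finance user viewing an approved invoice
    # from a managed device on the corporate network.
    req = Request(
        subject={"id": "u-17", "department": "finance"},
        resource={"id": "inv-204", "type": "invoice", "status": "approved", "owner": "u-3"},
        action="view",
        environment={"device_managed": True, "network": "corporate"},
    )
    print(audit_line(req, decide(req), policy_version="policy-v3"))
    # Same request with no device posture attribute at all: denied, and the
    # missing attribute is named in the reason rather than treated as "false".
    req.environment = {"network": "corporate"}
    print(audit_line(req, decide(req), policy_version="policy-v3"))
```

The two points worth copying into a real deployment are the ones the rest of the article flags: the decision is explainable (rule name and reason travel with it into the audit log, together with the policy version), and an attribute the identity provider or device-management system failed to supply results in a deny that says so, instead of an evaluation that quietly treats the gap as "not managed" or, worse, as "allowed".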

Difference from RBAC

RBAC is simpler: users get roles, and roles get permissions. ABAC is more flexible, but it creates more policy design and testing work. It is useful in multi-tenant SaaS systems, sensitive document workflows, healthcare data, and enterprise applications with branch, country, or customer-specific rules.

ABAC aligns well with Zero Trust because each request is evaluated in context. Without auditable logs, policy versioning, and clear failure behavior, though, it can become hard to operate.