IT Glossary
Attribute-Based Access Control (ABAC) grants access using attributes and context. Learn how ABAC works, ABAC vs RBAC, and when to use each model.
July 3, 2026
Attribute-Based Access Control (ABAC) is an access control model that grants or denies access based on attributes evaluated against policies. These attributes describe the user (role, department), the resource (sensitivity, owner), the action, and the environment (device, location, time). Instead of fixed roles, ABAC makes dynamic, context-aware decisions, for example allowing access only from a managed device during business hours.
Compared with RBAC, ABAC is fine-grained and conditional, is context-aware (device, time, location), takes more setup effort to design policies, and scales well when access depends on many variables. RBAC is coarser and role-based, is not context-aware, takes less setup effort, and scales well when roles are stable and clear.
A healthcare SaaS allows a clinician to view patient records only if they belong to the same care unit, are on a managed device, and are accessing during a shift. RBAC alone cannot express that, so ABAC evaluates the attributes in real time. The cost is policy complexity, which is why many organizations combine RBAC for the baseline and ABAC for sensitive exceptions.
Use ABAC when access decisions depend on context (device, location, time) or many variables that fixed roles cannot capture cleanly.
Generally yes. ABAC needs well-defined attributes and policies, but it removes role explosion and supports dynamic, zero-trust decisions.
Yes. A common pattern uses RBAC for baseline access and ABAC for fine-grained, context-sensitive rules on top.