Attribute-based access control (ABAC) is an authorisation model that evaluates attributes (or characteristics), rather than roles, to determine access. The purpose of ABAC is to protect objects such as data, network devices, and IT resources from unauthorised users and actions—those that don’t have “approved” characteristics as defined by an organisation’s security policies. ABAC as a form of logical access control became prominent in the past decade, having evolved from simple access control lists and role-based access control (RBAC). As part of an initiative to help federal organisations improve their access control architectures, the Federal Chief Information Officers Council endorsed ABAC in 2011. They recommended ABAC as the model to adopt for organisations to safely share information. In this post, we explore how attribute-based access control works in greater depth and consider the ways that adopting ABAC could benefit your organisation. What are the main components of attribute-based access control.