Attribute-based access control (ABAC) is an authorization model that evaluates attributes (or characteristics), rather than roles, to determine access. The purpose of ABAC is to protect objects such as data, network devices, and IT resources from unauthorized users and actions—those that don’t have “approved” characteristics as defined by an organization’s security policies. ABAC as a form of logical access control became prominent in the past decade, having evolved from simple access control lists and role-based access control (RBAC). As part of an initiative to help federal organizations improve their access control architectures, the Federal Chief Information Officers Council endorsed ABAC in 2011. They recommended ABAC as the model to adopt for organizations to safely share information. In this post, we explore how attribute-based access control works in greater depth and consider the ways that adopting ABAC could benefit your organization. What are the main components of attribute-based access control.