Inferensys

Glossary

Attribute-Based Access Control (ABAC)

Attribute-Based Access Control (ABAC) is a dynamic security model that grants or denies access by evaluating policies against attributes of the user, resource, action, and environment.
ML engineer managing model versions on laptop, version history visible, technical Git-like workflow.
SEMANTIC DATA GOVERNANCE

What is Attribute-Based Access Control (ABAC)?

Attribute-Based Access Control (ABAC) is a dynamic, fine-grained authorization model that grants or denies access to resources based on the evaluation of attributes associated with the user, the resource, the action, and the environment.

Attribute-Based Access Control (ABAC) is a security model that evaluates access requests by applying policies to a set of attributes—characteristics of the user (subject), resource (object), action, and environment. Unlike static models like Role-Based Access Control (RBAC), ABAC uses Boolean logic within policies (e.g., "PERMIT IF user.department == resource.owner AND time.now < 17:00") to make dynamic, context-aware decisions. This enables highly granular, conditional access control without requiring predefined role assignments for every possible scenario.

The core components of an ABAC architecture are the Policy Decision Point (PDP), which evaluates policies against attribute values, and the Policy Enforcement Point (PEP), which intercepts requests and enforces the PDP's decision. Attributes are typically managed in external systems like LDAP directories or metadata repositories. ABAC is foundational for modern semantic data governance, as it allows policies to be expressed in terms of business concepts (e.g., data sensitivity labels, project affiliations) rather than technical identities, enabling scalable control over complex data landscapes like enterprise knowledge graphs.

ARCHITECTURAL BUILDING BLOCKS

Core Components of an ABAC System

Attribute-Based Access Control (ABAC) is a security model that grants or denies user requests based on a set of attributes (user, resource, environment, action) and defined policies. Its deterministic nature makes it ideal for governing access to semantic data within an Enterprise Knowledge Graph.

01

Policy Decision Point (PDP)

The Policy Decision Point (PDP) is the core reasoning engine of an ABAC system. It evaluates incoming access requests against the applicable policy set and attributes to render a definitive authorization decision (Permit or Deny).

  • Function: It retrieves relevant attributes from the Policy Information Point, applies logical rules defined in policies, and returns a decision to the Policy Enforcement Point.
  • Key Feature: Its decisions are based on Boolean logic (IF-THEN statements), ensuring deterministic and auditable outcomes, which is critical for semantic data governance.
  • Example: A PDP evaluates a request where user.department == "Legal" AND resource.classification == "Confidential" AND environment.location == "HQ_Office". If all conditions in the policy are met, it returns Permit.
02

Policy Enforcement Point (PEP)

The Policy Enforcement Point (PEP) is the system guard that intercepts every access request to a protected resource. It acts as the enforcement arm, implementing the decisions made by the PDP.

  • Function: It sits in the execution path (e.g., an API gateway, database proxy). Upon intercepting a request, it formulates an authorization query for the PDP, enforces the returned decision, and can also execute any associated obligations (e.g., logging).
  • Key Feature: The PEP is decoupled from policy logic; it only knows to "ask" the PDP and "enforce" the answer. This separation of concerns is a foundational ABAC principle.
  • Example: A user's query to a Knowledge Graph SPARQL endpoint is intercepted by the PEP. The PEP sends the user, query, and session attributes to the PDP. If the PDP returns Deny, the PEP blocks the query and returns an "Access Denied" error.
03

Policy Information Point (PIP)

The Policy Information Point (PIP) serves as the attribute broker for the ABAC system. It is responsible for retrieving, generating, or maintaining the dynamic attribute values needed by the PDP to evaluate a policy.

  • Function: The PDP queries one or more PIPs to gather current values for attributes referenced in a policy (e.g., user.role, resource.sensitivity, time.now).
  • Data Sources: PIPs connect to diverse enterprise systems like LDAP, HR databases, CMDBs, threat feeds, and crucially, the Enterprise Knowledge Graph itself to fetch semantic attributes about data entities.
  • Example: To evaluate a policy requiring resource.owner == user.manager, the PIP would query the Knowledge Graph to find the owner property of the requested data asset and the HR system to find the user's manager attribute.
04

Attributes (Subject, Resource, Action, Environment)

Attributes are named properties of the entities involved in an access request. They are the variables used in policy rules. The NIST ABAC model defines four core categories:

  • Subject Attributes: Characteristics of the user or system requesting access (e.g., department, clearance, jobTitle).
  • Resource Attributes: Characteristics of the object being accessed (e.g., data.classification, schema.type, provenance.origin). In a Knowledge Graph, these are often ontological classes and properties.
  • Action Attributes: The operation to be performed (e.g., read, write, query, infer).
  • Environment Attributes: Contextual, largely independent factors (e.g., time.of_day, device.secure, location.ip_range).

Policies are Boolean expressions that combine these attributes (e.g., PERMIT IF subject.clearance >= resource.classification AND action == 'read').

05

Policy (Rule Set & Combining Algorithms)

A Policy is a formal representation of an access control rule. It is a set of rules that are combined using a defined algorithm to produce a single authorization decision.

  • Rule Structure: Each rule contains a Target (which requests it applies to), a Condition (a Boolean expression using attributes), and an Effect (Permit or Deny).
  • Policy Combining Algorithms: These algorithms resolve decisions when multiple rules apply. Common algorithms include:
    • Deny-overrides: Any Deny decision results in a final Deny.
    • Permit-overrides: Any Permit decision results in a final Permit.
    • First-applicable: The effect of the first rule with a matching target and true condition is returned.
  • Standard: Policies are often written in standardized languages like XACML (eXtensible Access Control Markup Language) to ensure interoperability and clear semantics.
06

Policy Administration Point (PAP)

The Policy Administration Point (PAP) is the management interface where security administrators define, manage, store, and distribute the authorization policies and attribute definitions used by the PDP.

  • Function: It provides tools for authoring policies (often via visual or declarative languages), testing them against simulated requests, and deploying them to the PDP(s).
  • Lifecycle Management: The PAP manages the versioning, retirement, and audit trail of all policies, which is essential for compliance reporting in data governance.
  • Integration: In a semantic governance context, the PAP may integrate with ontology management tools to directly reference classes and properties defined in the Knowledge Graph as resource attributes, ensuring policy alignment with the data model.
ACCESS CONTROL MODELS

ABAC vs. RBAC: A Detailed Comparison

A technical comparison of Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC), two foundational security models for semantic data governance.

Feature / CharacteristicAttribute-Based Access Control (ABAC)Role-Based Access Control (RBAC)

Core Authorization Logic

Evaluates dynamic policies against attributes of the user, resource, action, and environment.

Checks if the user's assigned role has the static permission for the requested resource/action.

Policy Expression

Uses fine-grained, Boolean logic rules (e.g., IF user.department == 'HR' AND resource.classification == 'Confidential' AND time.window == '9-5' THEN PERMIT).

Defines permissions as static assignments (e.g., Role: 'Analyst' -> Permissions: ['read_dataset_A', 'write_report_B']).

Granularity & Context

Fine-grained, dynamic, and context-aware. Can incorporate environmental attributes (time, location, device).

Coarse to medium-grained, static, and context-agnostic. Permissions are based on job function, not situational context.

Administrative Overhead

Higher initial setup for policy definition and attribute management. Scalable policy management via rules.

Lower initial setup. Can lead to 'role explosion' and high overhead as organizational complexity grows.

Flexibility & Adaptability

Highly flexible. New resources or regulations can be addressed by updating policies, not re-engineering role structures.

Less flexible. Changes often require creating new roles or modifying complex permission assignments across many users.

Relationship to Semantic Data

Native alignment. Policies can directly reference semantic attributes (e.g., data sensitivity labels, ontology classes).

Indirect alignment. Roles must be mapped to semantic concepts, often requiring manual translation and maintenance.

Typical Enforcement Mechanism

Policy Decision Point (PDP) evaluates requests against a Policy Administration Point's (PAP) rules. Decouples logic from application code.

Access checks embedded in application logic or middleware, verifying role membership against a permission matrix.

Use Case Fit

Complex, data-centric environments with dynamic access needs (e.g., healthcare records, multi-tenant SaaS, regulatory compliance).

Stable environments with well-defined, static job functions (e.g., internal HR systems, traditional enterprise software).

SEMANTIC DATA GOVERNANCE

Common Use Cases for Attribute-Based Access Control

Attribute-Based Access Control (ABAC) enables dynamic, fine-grained authorization by evaluating policies against attributes of the user, resource, action, and environment. Its flexibility makes it essential for complex, data-centric security scenarios.

01

Fine-Grained Data Access in Knowledge Graphs

ABAC is the foundational model for securing semantic data layers and enterprise knowledge graphs. Policies can evaluate complex relationships and entity attributes to enforce access.

  • Example: A policy could permit access to Medical Trial entities only if the user's department attribute is "Oncology Research" AND the trial's status attribute is "Active" AND the access occurs within a corporate IP address range.
  • This moves beyond simple table/row security to govern access based on the semantic context and properties of interconnected entities.
02

Dynamic Compliance & Regulatory Enforcement

ABAC automates enforcement of regulations like GDPR, HIPAA, and CCPA by encoding legal rules as machine-executable policies based on data classifications and user context.

  • Key Mechanism: Policies reference sensitive data labels (e.g., data_classification="PII" or data_category="PHI") and user consent attributes.
  • Real-world action: A policy could deny a export action on a CustomerRecord if the user_location attribute is outside a permitted geo_region OR if the record's consent_for_export attribute is false. This provides continuous, attribute-driven compliance.
03

Secure Multi-Tenancy in SaaS Applications

ABAC is the standard for isolating tenant data in cloud-native Software-as-a-Service (SaaS) platforms without requiring separate policy sets per tenant.

  • Core Pattern: A universal policy checks that the user.tenant_id attribute matches the resource.tenant_id attribute for any access request.
  • Advanced Control: Policies can incorporate user.subscription_tier to gate access to premium features or environment.system_load to dynamically adjust data retrieval limits. This creates a scalable, policy-centric security layer that adapts to each tenant's context.
04

Context-Aware API & Microservice Authorization

In microservices architectures, ABAC enables intelligent authorization at the API gateway and individual service level, using rich contextual attributes.

  • Request Context: Policies evaluate attributes like action: "POST", resource: "/api/v1/transactions", user.risk_score, device.certificate_status, and request.time_of_day.
  • Use Case: A financial service could deny a high-value transfer action if user.risk_score > 0.8 AND device.ip_country != user.home_country. This provides defense-in-depth beyond simple API tokens.
05

Attribute-Driven Data Masking & Redaction

ABAC policies can govern not just if data is accessed, but how it is presented, dynamically applying data masking, tokenization, or redaction based on attributes.

  • Policy Logic: PERMIT a query on a Patient table, but with the obligation to apply the maskSSN function if the user.role is "Nurse" and not "Attending Physician".
  • This extends access control to the presentation layer, ensuring sensitive fields like Social Security Numbers, financial data, or proprietary formulas are only fully exposed under specific, attribute-defined conditions.
06

Orchestrating Access in Multi-Agent Systems

For autonomous agent ecosystems, ABAC provides the policy framework to govern inter-agent communication and tool access based on the agents' runtime attributes and goals.

  • Agent Context: Policies evaluate attributes of the requesting agent (e.g., agent.id, agent.capabilities, agent.current_task), the target resource or tool (e.g., tool.sensitivity_level), and the environment (e.g., system.operational_mode).
  • Example: An AnalyticsAgent may be permitted to call the run_sql_query tool only if its assigned_project attribute matches the database's project_tag and the system.load is below a critical threshold. This enables secure, policy-driven agent orchestration.
SEMANTIC DATA GOVERNANCE

Frequently Asked Questions

Essential questions about Attribute-Based Access Control (ABAC), the dynamic security model that uses attributes to define granular access policies for enterprise data and systems.

Attribute-Based Access Control (ABAC) is a dynamic authorization model that grants or denies access to a resource by evaluating a set of attributes (characteristics) associated with the user, the resource, the action, and the environment against a set of defined policies. Unlike static models that check roles or identities alone, ABAC uses boolean logic (e.g., IF-THEN rules) within policies to make context-aware decisions, enabling fine-grained, adaptable security for complex systems like enterprise knowledge graphs and semantic data fabrics.

Key components include:

  • Attributes: Key-value pairs (e.g., user.department = 'Engineering', resource.classification = 'Confidential', action.type = 'write', environment.time = '09:00').
  • Policy: A rule that defines the conditions for access (e.g., PERMIT IF user.role == 'DataSteward' AND resource.sensitivity <= user.clearance).
  • Policy Decision Point (PDP): The system component that evaluates policies against attribute values.
  • Policy Enforcement Point (PEP): The component that intercepts requests, queries the PDP, and enforces the decision.
Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.