# Attribute-Based Access Control (ABAC)

One-sentence definition: Access decisions are made by evaluating policy against attributes of the subject, the object, the action, and the environment.

## Key Facts

- Flexible: policy can take into account time, device, location, data classification, and risk score.
- Components: PEP (enforces the decision), PDP (makes the decision), PIP (supplies attributes), PAP (manages policy).
- Supports fine-grained consent and least privilege at scale.
- Requires good attribute quality, lifecycle management, and governance: a decision is only as trustworthy as the attributes it is built on.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Pick ABAC where context matters (e.g., deny writes when the device is off-network).

**Mnemonic:** "**A**ttributes **B**ecome **A**uthorization **C**laims."

## Mini Scenario

Q: Allow doctors to view only their own patients' records, and only during shift hours.

A: An ABAC policy combining role, patient-relationship, and time attributes.

## Revision Checklist

- Name the S, O, A, E attribute categories.
- Explain the PDP and PEP roles.
- State the attribute data-quality concern.

## Related

[[Policy Languages and PDP PEP (XACML)]] · [[Access Control Models (DAC MAC RBAC ABAC PBAC)]] · [[Authorization in APIs (Scopes Claims Policy)]] · [[Identity Lifecycle (Joiner Mover Leaver)]] · [[Entitlement Management and SoD Conflicts]] · [[Domain 5 - Index]]
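The mini scenario and the PEP/PDP/PIP split above, worked through as an added example (this code is not part of the original note and follows no particular product's API). The user directory, patient records, shift times and the "off-network write" environment rule are constructed assumptions; the PDP uses deny-overrides combining with a default-deny outcome, which is the safe choice when attribute data may be incomplete.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable, Optional

# Constructed sample attribute sources standing in for what a PIP would query
# (HR directory, EHR system). Assumption: not real data.
USER_DIRECTORY = {
    "dr-alice":    {"role": "doctor", "shift": (time(8, 0), time(16, 0))},
    "dr-bob":      {"role": "doctor", "shift": (time(16, 0), time(23, 59))},
    "nurse-carol": {"role": "nurse",  "shift": (time(8, 0), time(16, 0))},
}
PATIENT_RECORDS = {
    "patient-001": {"attending_doctor": "dr-alice", "classification": "PHI"},
    "patient-002": {"attending_doctor": "dr-bob",   "classification": "PHI"},
}


@dataclass
class Request:
    """The four attribute sets a PDP evaluates: Subject, Object, Action, Environment."""
    subject: dict
    obj: dict
    action: str
    environment: dict


Decision = Optional[str]              # "permit", "deny", or None (rule not applicable)
Rule = Callable[[Request], Decision]


class PIP:
    """Policy Information Point: resolves identifiers into attribute sets."""

    def subject_attrs(self, user_id: str) -> dict:
        # Unknown users get a non-matching role and no shift, so every rule falls through to default deny.
        return {"id": user_id, **USER_DIRECTORY.get(user_id, {"role": "unknown", "shift": None})}

    def object_attrs(self, patient_id: str) -> dict:
        return {"id": patient_id, **PATIENT_RECORDS.get(patient_id, {})}


def permit_attending_doctor_on_shift(req: Request) -> Decision:
    """Role + relationship + time: doctors may access only their own patients, during their shift."""
    s, o, env = req.subject, req.obj, req.environment
    shift = s.get("shift")
    if (s.get("role") == "doctor"
            and o.get("attending_doctor") == s["id"]
            and req.action in ("read", "write")
            and shift is not None
            and shift[0] <= env["time"] <= shift[1]):
        return "permit"
    return None


def deny_write_off_network(req: Request) -> Decision:
    """Environment rule (constructed): writes from outside the hospital network are always denied."""
    if req.action == "write" and not req.environment.get("on_network", False):
        return "deny"
    return None


class PDP:
    """Policy Decision Point: deny-overrides combining, default deny when no rule permits."""

    def __init__(self, rules: list) -> None:
        self.rules = rules

    def decide(self, req: Request) -> str:
        outcomes = {rule(req) for rule in self.rules}
        if "deny" in outcomes:
            return "deny"
        return "permit" if "permit" in outcomes else "deny"


class PEP:
    """Policy Enforcement Point: assembles the request via the PIP and enforces the PDP's answer."""

    def __init__(self, pip: PIP, pdp: PDP) -> None:
        self.pip, self.pdp = pip, pdp

    def allowed(self, user_id: str, patient_id: str, action: str, environment: dict) -> bool:
        req = Request(self.pip.subject_attrs(user_id), self.pip.object_attrs(patient_id),
                      action, environment)
        return self.pdp.decide(req) == "permit"


PEP_DEFAULT = PEP(PIP(), PDP([permit_attending_doctor_on_shift, deny_write_off_network]))


def check(user_id: str, patient_id: str, action: str, hour: int,
          minute: int = 0, on_network: bool = True) -> bool:
    """Convenience wrapper: evaluate one access request at the given wall-clock time."""
    env = {"time": time(hour, minute), "on_network": on_network}
    return PEP_DEFAULT.allowed(user_id, patient_id, action, env)


if __name__ == "__main__":
    print(check("dr-alice", "patient-001", "read", 10))   # attending doctor, on shift
    print(check("dr-alice", "patient-001", "read", 20))   # same doctor, off shift
    print(check("dr-bob", "patient-002", "write", 18, on_network=False))  # deny-overrides
```

The point to notice is where the attributes come from: the PDP never sees user IDs or patient IDs directly, only the attribute sets the PIP resolved, so a stale `attending_doctor` value or a missing `shift` silently changes the decision. That is the "attribute quality and lifecycle" concern from the key facts made concrete.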