An attribute-based access control (ABAC) system is a strategy for making runtime decisions about what features or data a user can access in an application, based on a combination of policies and data about both the user and transaction context.

Data about the user typically comes in the form of identity attributes -- things like the user's name, login ID, department, location, job role, etc. This data normally comes from an LDAP directory.

Data about transaction context includes what operation the user is attempting to perform, what data the user would access through this operation, the current time and date, the location of the user (e.g., IP address or similar), the type of device from which the user connected (e.g., web user agent or similar) and how the user authenticated.

Policy data links operations and data to identity and transaction data, so that the system can make runtime go/no-go decisions. There is an XML standard for expressing such policies and the access decisions they produce, called XACML (eXtensible Access Control Markup Language).
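As an added example (not code from the page), here is a minimal policy decision point in Python that combines the three inputs described above: identity attributes, transaction context and policy rules. The rule names, the corporate network range, business hours and the sample user are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

# Constructed example, not the page's code: a tiny ABAC policy decision point.
@dataclass
class Request:
    subject: dict    # identity attributes (what an LDAP directory would supply)
    action: str      # operation the user is attempting
    resource: dict   # data the operation would touch
    context: dict    # hour of day, client IP, device, authentication method

@dataclass
class Rule:
    name: str
    effect: str                           # "Permit" or "Deny"
    condition: Callable[[Request], bool]  # when the rule applies

def decide(rules: list, req: Request) -> str:
    """Deny-overrides: any applicable Deny wins, then any Permit, else NotApplicable."""
    effects = {r.effect for r in rules if r.condition(req)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

def on_corporate_network(ip: str) -> bool:
    # Hypothetical corporate range; the client IP is the "location" attribute.
    return ipaddress.ip_address(ip) in ipaddress.ip_network("10.0.0.0/8")

RULES = [
    # Finance staff may read finance-owned records.
    Rule("finance-read", "Permit", lambda r: r.action == "read"
         and r.subject.get("department") == "finance"
         and r.resource.get("owner_department") == "finance"),
    # Approving needs the approver role and MFA (how the user authenticated).
    Rule("approve-needs-mfa", "Permit", lambda r: r.action == "approve"
         and "approver" in r.subject.get("roles", ())
         and r.context.get("auth_method") == "mfa"),
    # Outside business hours and off the corporate network: always deny.
    Rule("off-hours-external", "Deny", lambda r:
         not 8 <= r.context["hour"] < 18
         and not on_corporate_network(r.context["client_ip"])),
]

# Constructed sample: one user, one record, two transaction contexts.
ALICE = {"login": "alice", "department": "finance", "roles": ["approver"]}
INVOICE = {"id": "inv-42", "owner_department": "finance"}
OFFICE = {"hour": 10, "client_ip": "10.1.2.3", "auth_method": "password"}
LATE_EXTERNAL = {"hour": 23, "client_ip": "203.0.113.9", "auth_method": "mfa"}
```

Note that a NotApplicable result (no rule matched) must be treated as a refusal by the enforcing code, otherwise a gap in the policy set silently becomes an allow.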

XACML is described at
