Attribute-based access control uses attributes and policy rules, not just role membership, to decide whether access should be granted.
Attribute-based access control, often called ABAC, is an authorization model that uses attributes and policy rules to decide whether access should be granted. In plain language, the system looks at facts about the user, the resource, the device, the environment, or the action itself instead of relying only on a fixed role.
ABAC matters because real access decisions are often more contextual than a job title alone can capture. A person may be allowed to view a record only from a managed device, only while assigned to a certain project, or only when located in an approved region.
It also matters because modern cloud and zero-trust environments often need more dynamic policies. ABAC can express conditions that would be awkward or impossible to represent cleanly with roles alone.
ABAC appears in cloud policy engines, zero-trust access decisions, sensitive data platforms, API authorization, and applications that must consider context such as classification level, environment, or device posture. Teams often use ABAC when they want access decisions to adapt to more than static identity membership.
Security architects also evaluate ABAC when role models become too coarse. If role-based access control (RBAC) starts producing many exception cases, ABAC may offer a better way to represent the rules the business actually wants to enforce.
For example, a company allows engineers to access production logs only if they belong to the engineering department, are on an approved on-call rotation, use a managed device, and connect from the corporate access broker. That access decision depends on several attributes, not only on one role assignment.
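The production-log rule above can be written as a small deny-by-default policy check. This is an added example, not code from the original page or from any product; the attribute names, values, and the request layout are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:
    source: str       # attribute category: "subject" or "context" (assumed layout)
    attribute: str    # attribute name inside that category
    allowed: tuple    # values that satisfy the condition

# The four conditions from the scenario; every one must hold.
PROD_LOG_READ = (
    Condition("subject", "department", ("engineering",)),
    Condition("subject", "on_call", (True,)),
    Condition("context", "device_managed", (True,)),
    Condition("context", "network_path", ("corporate-access-broker",)),
)

def decide(request, policy=PROD_LOG_READ):
    """Return (allowed, reasons). Anything not explicitly permitted is denied."""
    resource = request.get("resource", {})
    if request.get("action") != "read" or resource.get("type") != "production-logs":
        return False, ["no policy matches this action and resource"]
    failures = []
    for cond in policy:
        attrs = request.get(cond.source, {})
        if cond.attribute not in attrs:
            # Fail closed: an attribute the source did not supply is never assumed.
            failures.append(f"{cond.source}.{cond.attribute} missing")
        elif attrs[cond.attribute] not in cond.allowed:
            failures.append(f"{cond.source}.{cond.attribute} not permitted")
    return (not failures), failures

# Constructed sample request (not real data).
SAMPLE_REQUEST = {
    "action": "read",
    "resource": {"type": "production-logs"},
    "subject": {"department": "engineering", "on_call": True},
    "context": {"device_managed": True, "network_path": "corporate-access-broker"},
}

if __name__ == "__main__":
    print(decide(SAMPLE_REQUEST))
    unmanaged = {**SAMPLE_REQUEST,
                 "context": {**SAMPLE_REQUEST["context"], "device_managed": False}}
    print(decide(unmanaged))
```

Returning the list of failed conditions alongside the decision gives reviewers and audit logs the reason for each denial, which helps when policies grow beyond a handful of rules.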
ABAC is not automatically better than Role-Based Access Control. It is more flexible, but it can also become harder to reason about if the policies are poorly designed or weakly documented.
ABAC is also still a form of authorization, not a replacement for authentication. The system still needs trustworthy identity and reliable attribute sources before its policies can be applied safely.