There are several places where you could find a "formal" definition of ABAC. One such place is NIST, the National Institute of Standards and Technology. They have a dedicated site on ABAC.
Their definition is as follows:
ABAC is a logical access control model that is distinguishable because it controls access to objects by evaluating rules against the attributes of the entities (subject and object), actions, and the environment relevant to a request. Attributes may be considered characteristics of anything that may be defined and to which a value may be assigned. In its most basic form, ABAC relies upon the evaluation of attributes of the subject, attributes of the object, environment conditions, and a formal relationship or access control rule defining the allowable operations for subject-object attribute and environment condition combinations.
In fact, ABAC uses two fundamental building blocks:
- attributes (key-value pairs)
- policies (or rules)
As the definition says, attributes can be about anything (users, objects, environment, context, and more). Generally, attributes correspond to the grammatical function they play in a sentence, e.g.
Managers can view documents they own
Translated, it becomes:
A user with role == "manager" can do action == "view" on object of type == "document" if user.name == document.owner
The standard implementation for ABAC is XACML & ALFA. There are several open-source implementations (AuthZForce) as well as commercial ones (Axiomatics, which is where I work).
Attributes can be typed (string, integer, ...) and multi-valued (e.g. you can have multiple roles). XACML and ALFA define the policy language to express ABAC. XACML also defines a REST/JSON profile to POST authorization requests and receive responses.
David
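The rule "Managers can view documents they own" evaluated by a small policy decision point, as an added example that is not part of David's answer and is not XACML, ALFA or any Axiomatics/AuthZForce code. It shows the four attribute categories from the NIST definition (subject, object/resource, action, environment), a multi-valued `role` attribute, the `user.name == document.owner` condition, and deny-overrides combining. The request-document shape is only loosely modelled on the XACML JSON profile (category names and `AttributeId`/`Value` pairs are assumed, not copied from the spec), and the business-hours rule, the attribute names, and the sample request are all constructed for the illustration:

```python
from dataclasses import dataclass, field
from typing import Any, Callable

Attrs = dict[str, Any]


@dataclass
class Request:
    """One authorization request: attributes grouped by category."""
    subject: Attrs
    resource: Attrs
    action: Attrs
    environment: Attrs = field(default_factory=dict)


@dataclass
class Rule:
    """ABAC rule: applies when target() holds; yields `effect` when condition() also holds.
    If the target matches but the condition fails, the rule is NotApplicable (XACML semantics)."""
    name: str
    effect: str                                   # "Permit" or "Deny"
    target: Callable[[Request], bool]
    condition: Callable[[Request], bool] = lambda r: True


def values(attrs: Attrs, key: str) -> set:
    """Attributes may be multi-valued: normalise a scalar or a list to a set."""
    v = attrs.get(key)
    if v is None:
        return set()
    if isinstance(v, (list, tuple, set, frozenset)):
        return set(v)
    return {v}


def has(attrs: Attrs, key: str, wanted: Any) -> bool:
    return wanted in values(attrs, key)


def evaluate(rules: list[Rule], req: Request) -> str:
    """Deny-overrides combining: any applicable Deny wins, else Permit, else NotApplicable."""
    effects = [r.effect for r in rules if r.target(req) and r.condition(req)]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


# "Managers can view documents they own":
#   role == "manager", type == "document", action == "view", and name == owner.
managers_view_own_documents = Rule(
    name="managers-view-own-documents",
    effect="Permit",
    target=lambda r: has(r.subject, "role", "manager")
    and has(r.resource, "type", "document")
    and has(r.action, "action-id", "view"),
    condition=lambda r: r.subject.get("name") == r.resource.get("owner"),
)

# Constructed environment rule (assumption, not from the answer): documents are off
# limits outside 09:00-18:00. A missing "hour" attribute fails closed (treated as -1).
outside_business_hours = Rule(
    name="deny-outside-business-hours",
    effect="Deny",
    target=lambda r: has(r.resource, "type", "document"),
    condition=lambda r: not (9 <= int(r.environment.get("hour", -1)) < 18),
)

POLICY = [managers_view_own_documents, outside_business_hours]


def from_json_profile(doc: dict) -> Request:
    """Build a Request from a dict loosely shaped like a XACML JSON-profile request:
    {"Request": {<Category>: {"Attribute": [{"AttributeId": ..., "Value": ...}]}}}.
    Approximation for illustration; not a conformant parser."""
    def category(name: str) -> Attrs:
        entries = doc["Request"].get(name, {}).get("Attribute", [])
        return {a["AttributeId"]: a["Value"] for a in entries}
    return Request(category("AccessSubject"), category("Resource"),
                   category("Action"), category("Environment"))


def decide(doc: dict) -> str:
    return evaluate(POLICY, from_json_profile(doc))


# Constructed sample: alice (manager and editor) views a document she owns at 10:00.
SAMPLE_REQUEST = {
    "Request": {
        "AccessSubject": {"Attribute": [
            {"AttributeId": "name", "Value": "alice"},
            {"AttributeId": "role", "Value": ["manager", "editor"]},   # multi-valued
        ]},
        "Resource": {"Attribute": [
            {"AttributeId": "type", "Value": "document"},
            {"AttributeId": "owner", "Value": "alice"},
        ]},
        "Action": {"Attribute": [{"AttributeId": "action-id", "Value": "view"}]},
        "Environment": {"Attribute": [{"AttributeId": "hour", "Value": 10}]},   # typed: int
    }
}

if __name__ == "__main__":
    print(decide(SAMPLE_REQUEST))  # Permit
```

Changing the subject's `name` to "bob" leaves the manager rule's target matched but its condition false, so the decision drops to NotApplicable rather than Deny; a deployment would normally wrap the policy set in a final deny-all rule so that NotApplicable never reaches the enforcement point as an implicit allow.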