Access control is the process of defining and limiting which users are allowed access to which resources. Every organization typically has access control policies to protect files and directories; regulate access to tables, records, and fields; and protect information managed by applications such as time and attendance, payroll processing, and health benefits management.
Attribute-based access control (ABAC) is the latest development in a series of access control models going back more than 40 years. Early computing systems used simple access control lists (ACLs) of user IDs attached to each resource. As the number of resources and users multiplied into the tens or hundreds of thousands, setting up and managing ACLs became cumbersome and time-consuming. Role-based access control (RBAC) solved many of these problems by collecting permissions into roles that usually corresponded to user positions in an organization and permitting access only through roles. But RBAC's ease of management is traded off against the cost of initial setup, which many organizations found challenging and time-consuming.
ABAC, an alternative to RBAC, simplifies access management and reduces costs by granting or denying user requests based on attributes of the user and the object, and environment conditions. For example, building access may be granted only if a subject has a company badge and the current time is during working hours.
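The building-access rule above can be written as a small deny-by-default policy evaluator. This is an added example, not code from the book; the attribute names (`has_badge`, `type`, `time_of_day`) and the 09:00 to 17:00 working hours are assumptions chosen for illustration.

```python
from datetime import time

def _in_hours(start, end):
    # Environment condition: current time falls in [start, end).
    return lambda t: t is not None and start <= t < end

# One rule per permitted situation. Every condition in a rule must hold.
# Attribute names and the working hours are assumed for this example.
POLICY = [
    {
        "action": "enter",
        "subject": {"has_badge": lambda v: v is True},
        "object": {"type": lambda v: v == "building"},
        "environment": {"time_of_day": _in_hours(time(9, 0), time(17, 0))},
    },
]

def decide(policy, subject, obj, action, environment):
    """Return 'Permit' if some rule matches every attribute condition, else 'Deny'."""
    supplied = {"subject": subject, "object": obj, "environment": environment}
    for rule in policy:
        if rule["action"] != action:
            continue
        # A missing attribute is read as None, which fails every predicate,
        # so incomplete requests are denied rather than silently permitted.
        if all(
            predicate(supplied[category].get(attribute))
            for category in ("subject", "object", "environment")
            for attribute, predicate in rule[category].items()
        ):
            return "Permit"
    return "Deny"  # no rule matched: default deny

if __name__ == "__main__":
    door = {"type": "building"}
    # Constructed sample requests: (subject attributes, environment attributes)
    requests = [
        ({"has_badge": True}, {"time_of_day": time(10, 30)}),
        ({"has_badge": True}, {"time_of_day": time(22, 0)}),
        ({"has_badge": False}, {"time_of_day": time(10, 30)}),
        ({"has_badge": True}, {}),  # environment attribute not supplied
    ]
    for subject, env in requests:
        print(subject, env, "->", decide(POLICY, subject, door, "enter", env))
```

No user ID or role appears in the policy: the decision depends only on the attributes presented with the request, which is what distinguishes this model from the ACL and RBAC approaches described earlier.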
Until now, ABAC research has been documented in hundreds of research papers, but not consolidated in book form. This book explains ABAC's history and model, related standards, verification and assurance, applications, and deployment challenges. It is intended for three groups of readers: security professionals, technology managers, and users in industry, government, and military organizations; software developers for database systems, enterprise management, security and cryptographic products; and computer science and IT students and instructors.