Version: 2.0.0


What makes up an ABAC Policy?

With ABAC, an organization's access policies enforce access decisions based on the attributes of the subject, resource, action, and environment involved in an access event. We will go into detail on each one with a simple example.

Subject & Subject Attributes

The subject is the user requesting access to a resource in order to perform a certain action. Subject attributes in a user profile could include the employee ID, job role, group memberships, departmental and organizational memberships, management level, security clearance and other identifying criteria.

We can often get a lot of this data during the login procedure from an authentication token, or from an HR system or directory.


Jessica is an employee of company X. Her job role is a Product Manager. She belongs to several groups like marketing and community management. Jessica works Monday-Friday from 9am to 5pm. She is responsible for product-focused expenses and has access to the company credit card.

Resource & Resource Attributes

The resource is the asset or object (it could be a file, application, server, or even an API) that the subject wants to access. Resource attributes are all identifying characteristics, like a file's creation date, its owner, file name and type, and data sensitivity.


A company credit card owned by company X with strict spending limits.


The action is what the user is trying to do with the resource. Common action attributes include "read", "write", "edit", "copy" and "delete". In some cases, multiple attributes can describe an action. Actions can, of course, get much more complex than the ones provided here.


Jessica wants to use the company credit card to subscribe to a membership plan, giving co-workers access to internal tools.


The environment is the broader context of each access request. All environmental attributes speak to contextual factors like the time and location of an access attempt, the subject's device, communication protocol and encryption strength.


Jessica can only use her company credit card to purchase a subscription during her working hours, and as long as she is in the USA and connected to the company secure network.
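The Jessica example, written out as a deny-by-default policy check over the four attribute groups. This is an added illustration, not code from this documentation or its product; the attribute names, the `evaluate` function and the numeric spending limit are assumptions made for the example.

```python
from datetime import datetime

def evaluate(subject, resource, action, environment):
    """Return (allowed, failed_checks). Access is denied unless every check passes,
    so a missing or malformed attribute results in a deny."""
    when = environment.get("time")  # assumed to be the subject's local time
    checks = {
        "subject.employer matches resource.owner":
            subject.get("employer") is not None
            and subject.get("employer") == resource.get("owner"),
        "subject.role is Product Manager":
            subject.get("role") == "Product Manager",
        "resource.type is company_credit_card":
            resource.get("type") == "company_credit_card",
        "action.name is purchase_subscription":
            action.get("name") == "purchase_subscription",
        "action.amount within resource.spending_limit":
            type(action.get("amount")) in (int, float)
            and 0 < action["amount"] <= resource.get("spending_limit", 0),
        "environment.time is Mon-Fri 09:00-17:00":
            isinstance(when, datetime) and when.weekday() < 5 and 9 <= when.hour < 17,
        "environment.country is USA":
            environment.get("country") == "USA",
        "environment.network is company_secure":
            environment.get("network") == "company_secure",
    }
    failed = [name for name, ok in checks.items() if not ok]
    return (not failed, failed)

# Constructed sample attributes; the limit of 500 is a placeholder value.
jessica = {"employer": "Company X", "role": "Product Manager",
           "groups": ["marketing", "community management"]}
card = {"type": "company_credit_card", "owner": "Company X", "spending_limit": 500}
subscribe = {"name": "purchase_subscription", "amount": 120}

in_hours = {"time": datetime(2024, 3, 5, 10, 30), "country": "USA",
            "network": "company_secure"}                      # Tuesday morning
after_hours = {**in_hours, "time": datetime(2024, 3, 5, 19, 0)}
abroad = {**in_hours, "country": "FR", "network": "hotel_wifi"}

if __name__ == "__main__":
    for label, env in [("in hours", in_hours), ("after hours", after_hours),
                       ("abroad", abroad)]:
        print(label, evaluate(jessica, card, subscribe, env))
```

Returning the list of failed checks alongside the decision gives an audit log the reason for each deny, not just the outcome.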