What is ABAC and how attribute-based access differs from a simple allow-list

authorizationaccess-controloidcci-cdsecurity

Learn what ABAC is, how attribute-based access differs from an allow-list, and where it shows up in OIDC, APIs, and CI/CD

Hook

ABAC sounds more complicated than it is. At its core, it answers a simple question: should the system allow access if it looks not only at who is asking, but also at what they want, where the request comes from, and under which conditions it happens?

ABAC stands for attribute-based access control.

A simple example

Imagine an internal admin panel where production settings are available only when:

  • the user belongs to the platform team;
  • the resource is tagged environment=production;
  • the request comes from the corporate network;
  • the action happens during working hours or after extra confirmation.

That is ABAC: the decision comes from a set of conditions, not from one fixed list of allowed users.

How ABAC differs from an allow-list

An allow-list answers the question “who is allowed in?” It is a simple list of permitted people, services, or IP addresses.

ABAC answers the question “under which conditions is access allowed?” The same user can be allowed in one scenario and blocked in another.

That matters when access needs to change with context. For example:

  • the same token may be valid for staging but not for production;
  • the same employee may edit their own project but not someone else’s;
  • the same service may read data only for a specific tenant.

Where you see this in practice

ABAC often shows up anywhere you have:

  • OIDC claims that carry user or session attributes;
  • API authorization, where the decision depends on role, tenant, scope, or resource owner;
  • CI/CD, where access to secrets or deployment actions depends on environment and context;
  • internal admin tools, where rules use department, region, or resource type.

Where RBAC fits

RBAC, short for role-based access control, is still useful. But it is a different model.

  • RBAC groups permissions into roles.
  • ABAC evaluates attributes and conditions.

In practice, teams often combine them. A role can provide the baseline access, while ABAC adds extra conditions for sensitive operations.

Common mistakes

  • Trying to express every rule as an allow-list.
  • Adding too many attributes that nobody can maintain.
  • Not checking whether the attributes come from a trusted source.
  • Making the policy so complex that nobody reviews it.
  • Forgetting an explicit deny for critical cases.

Quick checklist

  • Confirm which attributes the policy engine can see.
  • Check whether the decision uses user, resource, and context.
  • Decide whether ABAC is needed or whether a simple allow-list or RBAC is enough.
  • Make sure the attribute sources are reliable and predictable.
  • Test a few allow and deny scenarios.

Bottom line

ABAC is an access model where decisions depend on attributes, not just on a list of allowed names. It is useful when access should change based on context, resource, and request conditions.

In short: an allow-list asks “who is on the list?” while ABAC asks “does this request fit the rules right now?”

Quick checklist

  • Check which attributes the policy engine actually receives.
  • Confirm that the decision uses user, resource, and context data.
  • Decide whether you need ABAC, a simple allow-list, or RBAC instead.
  • Make sure the attribute sources are trustworthy and predictable.
  • Run a few test cases for both allow and deny outcomes.

Prompt Pack: explain ABAC to a beginner

Explain ABAC to someone who already knows about allow-lists, scopes, or role-based access, but does not yet understand attribute-based access. Need to: - start with a simple model based on user, resource, and context attributes; - briefly compare ABAC with an allow-list and mention where RBAC fits; - show where it appears in OIDC claims, APIs, CI/CD, and internal admin tools; - name common mistakes when writing policies; - end with a short checklist for reviewing an access policy.