Attribute-Based Access Control

Descope allows you to implement Attribute-Based Access Control (ABAC), allowing you to define access permissions based on attributes associated with users, actions, and resources.

Understanding ABAC

By implementing a permissions model that grants or denies access to resources based on user attributes (such as department, clearance level), environment attributes (such as access time or location), and resource attributes (like classification level), developers can enable fine-grained access control that adapts to complex and changing environments, offering a more nuanced security strategy compared to RBAC.

Key Components of ABAC

  • User Attributes: These are characteristics of the user requesting access. Examples include identity, department, job title, and security clearance.
  • Resource Attributes: These refer to the properties of the resource being accessed. For instance, resources could be tagged with sensitivity levels, departments, or ownership details.
  • Environmental Attributes: Conditions such as time of day, location of access, and the current risk level all fall under this category.
  • Action Attributes: These define the type of operation the user is attempting to perform on the resource, such as read, write, delete, or modify.

When to Use ABAC

  • Dynamic Environments: ABAC is ideal when access decisions must be made dynamically, based on a range of contextual factors including user attributes, environmental conditions, and resource attributes.
  • Fine-Grained Access Control: If you need very detailed control over access, such as different permissions for users in the same role based on their location or the time of day, ABAC is the way to go.
  • Highly Regulated Industries: In sectors where regulations require strict control over who can view or edit sensitive data, ABAC supports compliance by expressing those mandates directly as attribute conditions on access rights.
  • Scalability Requirements: ABAC can more easily accommodate changes in the size or complexity of user bases and permissions without the need to reconfigure entire roles as in RBAC.

Example: Healthcare Records Access

Let's look at a practical example of ABAC in a healthcare application. In this scenario, we need to control access to patient medical records based on multiple attributes in addition to role.

How It Works

We want to allow access to patient records only when ALL of these conditions are met:

  1. User Role: The user must be either a doctor or nurse
  2. Department Match: The user's department must match the patient's department
  3. License Status: The user's medical license must be active
  4. Clearance Level: The user's clearance level must be equal to or higher than the record's sensitivity level
  5. Time Restriction: Access is only allowed during working hours (8 AM to 6 PM)

Implementation

const checkAccess = async (loginId, recordId) => {
  // Load the user from Descope; the management SDK returns a response wrapper,
  // so fail closed if the lookup did not succeed instead of reading undefined fields
  const user = await descopeClient.management.user.load(loginId);
  if (!user.ok) {
    console.log("Failed to load user.");
    return false;
  }
  const { roleNames = [], customAttributes = {} } = user.data;
  const record = await getPatientRecord(recordId);

  // Check user role
  const hasValidRole = roleNames.some(role => ['doctor', 'nurse'].includes(role));

  // Check department match (a missing department on either side must deny, not match)
  const departmentMatch = !!customAttributes.department &&
                          customAttributes.department === record.department;

  // Check license status
  const hasActiveLicense = customAttributes.licenseStatus === 'active';

  // Check clearance level: compare as numbers so "10" is not ordered below "9";
  // a missing level becomes NaN and the comparison fails closed
  const hasSufficientClearance = Number(customAttributes.clearanceLevel) >= Number(record.sensitivityLevel);

  // Check time restriction: compare the hour numerically rather than a
  // locale-formatted time string, which is not safely comparable with >=
  const currentHour = new Date().getHours();
  const isWithinWorkingHours = currentHour >= 8 && currentHour < 18;

  // All conditions must be met for access to be granted
  return hasValidRole &&
         departmentMatch &&
         hasActiveLicense &&
         hasSufficientClearance &&
         isWithinWorkingHours;
};
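The five conditions above can also be written as a pure policy function that takes the already-loaded user and record plus an injected clock, so the decision can be unit-tested without the SDK and each failed rule is reported for logging. This is an added example, not Descope's code; the `user` and `record` objects are constructed to mirror the fields the snippet above reads.

```javascript
// Added example: the healthcare policy as a testable pure function.
// Missing or malformed attributes deny (fail closed); `failed` lists the
// rules that rejected the request so the denial can be logged or audited.
const ALLOWED_ROLES = new Set(['doctor', 'nurse']);
const WORK_START_HOUR = 8;  // 08:00 inclusive
const WORK_END_HOUR = 18;   // 18:00 exclusive

// Clearance and sensitivity may arrive as "3" or 3; anything else is NaN.
function toLevel(value) {
  if (value === null || value === undefined || value === '') return NaN;
  const n = Number(value);
  return Number.isInteger(n) ? n : NaN;
}

function evaluateRecordAccess(user, record, now = new Date()) {
  const roles = Array.isArray(user?.roleNames) ? user.roleNames : [];
  const attrs = user?.customAttributes ?? {};
  const hour = now.getHours();
  const clearance = toLevel(attrs.clearanceLevel);
  const sensitivity = toLevel(record?.sensitivityLevel);

  const checks = {
    role: roles.some(r => ALLOWED_ROLES.has(r)),
    // Require a real string so "undefined === undefined" cannot grant access
    department: typeof attrs.department === 'string' &&
                attrs.department === record?.department,
    license: attrs.licenseStatus === 'active',
    // Comparisons involving NaN are false, so a missing level denies
    clearance: clearance >= sensitivity,
    workingHours: hour >= WORK_START_HOUR && hour < WORK_END_HOUR,
  };
  const failed = Object.keys(checks).filter(k => !checks[k]);
  return { allowed: failed.length === 0, failed };
}

// Constructed sample input for a local run
const sampleDoctor = {
  roleNames: ['doctor'],
  customAttributes: { department: 'cardiology', licenseStatus: 'active', clearanceLevel: '3' },
};
const sampleRecord = { department: 'cardiology', sensitivityLevel: 2 };
console.log(evaluateRecordAccess(sampleDoctor, sampleRecord, new Date(2024, 0, 15, 12, 0, 0)));
```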

Next

Continue to learn about getting started with ABAC in Descope.
