What ABAC does
ABAC moves beyond traditional Role-Based Access Control (RBAC) by evaluating a combination of attributes to determine access rights. Instead of assigning roles, ABAC considers factors like a user’s department, job title, the resource’s sensitivity level, the time of day, and the user’s location. This allows for much more granular and contextual access control. The system assesses these attributes dynamically at the point of each access request and returns a decision to permit or deny access.
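The evaluation described above, as an added example that is not part of the original page: a small policy decision point that checks the listed attributes at request time and denies by default, including when an attribute is missing. The attribute names, the rule set and the 08:00 to 18:00 window are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Request:
    subject: dict      # user attributes: department, job_title, location
    resource: dict     # resource attributes: sensitivity, owner_department
    environment: dict  # request context: time_of_day

# Each condition returns False when its attribute is absent, so a request
# with incomplete attributes can never be permitted by accident.
def _in_australia(req):
    return req.subject.get("location") == "AU"

def _same_department(req):
    dept = req.subject.get("department")
    return dept is not None and dept == req.resource.get("owner_department")

def _is_manager(req):
    return req.subject.get("job_title") == "manager"

def _business_hours(req):
    t = req.environment.get("time_of_day")
    return t is not None and time(8, 0) <= t < time(18, 0)

# Constructed policy: conditions that must ALL hold, keyed by sensitivity.
RULES = {
    "public": [],
    "internal": [_in_australia],
    "confidential": [_in_australia, _same_department,
                     _is_manager, _business_hours],
}

def decide(req):
    """Return (decision, reason); anything not explicitly allowed is denied."""
    conditions = RULES.get(req.resource.get("sensitivity"))
    if conditions is None:
        return "deny", "unknown or missing sensitivity"
    for cond in conditions:
        if not cond(req):
            return "deny", cond.__name__.lstrip("_")
    return "permit", "all conditions met"
```

The same user gets different answers for the same resource depending on time and location, which a static role assignment cannot express.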
ABAC in Australian tenants today
While RBAC remains sufficient for many Australian mid-market organisations, ABAC principles are increasingly relevant. Azure Storage RBAC conditions offer a basic form of ABAC by making access depend on attributes. Microsoft’s Conditional Access, which enforces policies based on device health, location, and application, functions as a practical ABAC implementation for authentication. Purview’s label-driven access controls also use attribute-based logic. Compliance frameworks like APRA CPS 234 and the OAIC’s guidance under the Privacy Act 2024 increasingly emphasise granular data access controls, which aligns with the principles of ABAC.