Attribute-Based Access Control (ABAC)

Learn how to use policies to implement a pure attribute-based access control (ABAC) model in Fine-Grained Authorization (FGA).

Attribute-Based Access Control (ABAC) is an authorization model that grants access based on attributes of users, resources, environments, and other contextual factors.

FGA allows you to implement a pure ABAC model, where permissions rely solely on attributes without requiring warrant data. By centralizing authorization policies, FGA eliminates hardcoded access logic, making your system more scalable and maintainable.

Note: Starting with a pure ABAC model can be an effective way to remove hardcoded authorization logic while keeping policies flexible. As your needs evolve, you can seamlessly integrate Relationship-Based Access Control (ReBAC) to support permissions based on user-resource relationships, such as team memberships, delegated roles, or hierarchical access.

When to Use Pure ABAC?

ABAC is ideal when access rules are complex and depend on multiple dynamic factors such as:

Entitlements: feature access based on plan level

Feature flags: enabling experimental features for specific groups

Domain-specific data: security constraints based on specific resource data attributes

Role membership: access based on user roles or attributes that are not strictly hierarchical

Temporal data: granting temporary access based on time-based or location-based policies

Example Schema

 version 0.3

type user

type organization
  relation view_financial_records []
  inherit view_financial_records if
    policy is_finance_manager

  relation view_research_data []
  inherit view_research_data if
    all_of
      policy is_assigned_researcher
      policy is_within_working_hours

type document
  relation edit []
  inherit edit if
    all_of
      policy user_is_document_editor
      policy document_is_draft
      policy user_can_access_document

policy is_finance_manager(user_attributes map) {
  user_attributes.department == "finance" &&
  user_attributes.role == "manager"
}

policy is_assigned_researcher(user_attributes map, project_id string) {
  user_attributes.role == "manager" &&
  project_id in user_attributes.assigned_projects
}

policy is_within_working_hours(access_time_epoch_seconds integer) {
    let second_since_midnight = access_time_epoch_seconds % 86400;

    // 9 AM (32400s) to 5 PM (61200s)
    second_since_midnight >= 32400 && second_since_midnight <= 61200
}

policy user_is_document_editor(user_attributes map) {
    user_attributes.role == "document_editor"
}

policy document_is_draft(document_attributes map) {
    document_attributes.status == "draft"
}

policy user_can_access_document(document_attributes map, user_attributes map) {
    // Ensure the document belongs to the organization of the user
    document_attributes.organization_id == user_attributes.organization_id
}