authorization cloud soa xacml abac

Attribute based vs. activity based access control


What's the difference between attribute-based access control and activity-based access control within a cloud authorization context?


Solution

  • Attribute-based access control is an access control (or authorization) model defined by NIST that promotes the use of attributes to define access control policies. It is an evolution from the role-based access control (RBAC) model which is prevalent today.

    Example:

    • a user with the role==manager can do the action==view on a resource of type==blog post if and only if object.owner==user.id
    • In the sample rule above, role, action, type, owner, and id are all attributes used to define the scope of the authorization.

    implements ABAC.

    You can read more at the NIST website.

    Activity-based access control is a term seldom used and seems to be an earlier version of attribute-based access control.
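
The sample rule from the answer above, written as a small deny-by-default evaluator and set beside a role-only check. This is an added example, not part of the original answer; the request layout (`subject` / `action` / `resource`), the function names and the sample requests are assumptions made for illustration.

```python
from typing import Any, Callable, Mapping

# Request shape (assumed for this example): attributes grouped by category.
Request = Mapping[str, Mapping[str, Any]]
Condition = Callable[[Request], bool]

def attr_equals(category: str, attr: str, value: Any) -> Condition:
    """Attribute vs. constant, e.g. subject.role == 'manager'."""
    return lambda req: req[category][attr] == value

def attrs_match(cat_a: str, attr_a: str, cat_b: str, attr_b: str) -> Condition:
    """Attribute vs. attribute, e.g. resource.owner == subject.id."""
    return lambda req: req[cat_a][attr_a] == req[cat_b][attr_b]

# The sample rule from the answer: every condition must hold.
MANAGER_VIEWS_OWN_POST = (
    attr_equals("subject", "role", "manager"),
    attr_equals("action", "id", "view"),
    attr_equals("resource", "type", "blog post"),
    attrs_match("resource", "owner", "subject", "id"),
)

def rule_matches(rule, req: Request) -> bool:
    try:
        return all(cond(req) for cond in rule)
    except KeyError:
        return False  # a missing attribute never grants access

def decide(req: Request, policy=(MANAGER_VIEWS_OWN_POST,)) -> str:
    """Deny by default; permit only when some rule fully matches."""
    return "Permit" if any(rule_matches(r, req) for r in policy) else "Deny"

def rbac_only(req: Request) -> str:
    """Role check alone, for contrast: it cannot see resource ownership."""
    return "Permit" if req.get("subject", {}).get("role") == "manager" else "Deny"

# Constructed sample requests (not from the original page).
ALICE = {"id": "alice", "role": "manager"}
OWN_POST = {"subject": ALICE, "action": {"id": "view"},
            "resource": {"type": "blog post", "owner": "alice"}}
OTHERS_POST = {"subject": ALICE, "action": {"id": "view"},
               "resource": {"type": "blog post", "owner": "bob"}}
NO_OWNER = {"subject": ALICE, "action": {"id": "view"},
            "resource": {"type": "blog post"}}

if __name__ == "__main__":
    for name, req in [("own", OWN_POST), ("other", OTHERS_POST), ("no owner", NO_OWNER)]:
        print(f"{name:9} ABAC={decide(req)} RBAC-only={rbac_only(req)}")
```

The role-only check permits the manager on another user's post, while the attribute rule denies it because `resource.owner` does not equal `subject.id`.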