ABAC stands for Attribute-Based Access Control. It is an access control model that uses attributes about users, resources, actions, and the environment to decide whether a specific access request should be allowed or denied.
Core meaning
In ABAC, policies are written using attributes instead of only fixed roles or user lists. An access decision typically evaluates a combination of:
- Subject attributes: who is requesting access (for example job function, clearance level, employer, certifications, training status).
- Resource attributes: what is being accessed (for example document classification, program name, part family, ITAR-controlled flag, revision, system type).
- Action attributes: what is being done (for example read, write, approve, export, print, change status).
- Environmental attributes: context of the request (for example time of day, location, network zone, device trust level).
Policies are evaluated by a policy decision point (PDP) that checks these attributes and returns an allow or deny decision to the system enforcing access (the policy enforcement point, PEP). Policies are usually combined with a defined rule such as deny-overrides, and the default when no policy matches is to deny.
Use in industrial and regulated operations
In manufacturing, aerospace, and other regulated environments, ABAC commonly refers to access control applied across MES, ERP, PLM, QMS, document control, and MRO systems, where fine-grained rules are needed. Examples include:
- Restricting access to export-controlled technical data based on attributes such as citizenship, project assignment, and ITAR training completion.
- Limiting who can edit or approve work instructions, travelers, inspection plans, or maintenance records, based on role, qualification, or segregation-of-duties attributes.
- Allowing shop floor operators to view only current, released revisions of instructions for their work center, part family, or program.
- Controlling who can perform actions such as reconfigure, download, or disable on OT assets based on job role, shift, and location.
ABAC is often integrated with identity and access management (IAM) systems so that user attributes and group memberships are maintained centrally, while MES, PLM, MRO, and document systems apply ABAC policies at the application level.
Relation to RBAC and other models
ABAC is frequently used together with Role-Based Access Control (RBAC):
- RBAC typically controls broad entitlements via roles (for example engineer, inspector, planner).
- ABAC adds attribute-based rules on top of or alongside those roles (for example engineer on Program X with ITAR training can export certain drawings; inspector with calibration training can approve gage records).
In regulated environments, ABAC is commonly used to implement need-to-know restrictions, segregation of duties, and policy-driven controls around export regulations and data classifications.
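To make the PDP evaluation described above concrete, the following is an added example (not code from the original page or from any product it names) of a minimal attribute-based PDP. The policy names, attribute keys (`itar_trained`, `programs`, `work_center`, `network_zone`) and the deny-overrides combining rule are constructed assumptions modelled on the export-control, operator-read and OT examples given earlier on this page.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Request:
    subject: dict   # who is asking (role, programs, training status...)
    resource: dict  # what is asked for (type, program, itar_controlled...)
    action: str     # read, export, approve, reconfigure...
    env: dict       # context of the request (network_zone...)

@dataclass
class Policy:
    name: str
    effect: str                        # "permit" or "deny"
    applies: Callable[[Request], bool]  # predicate over the four attribute sets

# Hypothetical policies modelled on this page's examples (constructed, not from any real system).
POLICIES = [
    # Export-controlled data: deny unless the subject is ITAR-trained and assigned to the program.
    Policy("itar-guard", "deny", lambda r:
           r.resource.get("itar_controlled", False)
           and not (r.subject.get("itar_trained")
                    and r.resource.get("program") in r.subject.get("programs", []))),
    # Engineer on the program with ITAR training may export drawings.
    Policy("engineer-export", "permit", lambda r:
           r.subject.get("role") == "engineer" and r.action == "export"
           and r.resource.get("type") == "drawing"
           and r.resource.get("program") in r.subject.get("programs", [])
           and r.subject.get("itar_trained", False)),
    # Operators read only released instructions for their own work center.
    Policy("operator-read-released", "permit", lambda r:
           r.subject.get("role") == "operator" and r.action == "read"
           and r.resource.get("type") == "work_instruction"
           and r.resource.get("status") == "released"
           and r.resource.get("work_center") == r.subject.get("work_center")),
    # OT reconfigure/disable actions are only allowed from the plant network zone.
    Policy("ot-zone", "deny", lambda r:
           r.action in ("reconfigure", "disable") and r.env.get("network_zone") != "plant"),
]

def decide(request: Request, policies=POLICIES):
    """Deny-overrides combining: a matching deny wins, then a matching permit, else default deny.
    Returns (decision, names of matching policies) so the PEP can log the reason for audit."""
    matched = [p for p in policies if p.applies(request)]
    effects = {p.effect for p in matched}
    decision = "deny" if "deny" in effects or "permit" not in effects else "permit"
    return decision, [p.name for p in matched]
```

Adding a new attribute (for example a citizenship check) is a new predicate, not a change to every object's access list.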
Common confusion
- ABAC vs RBAC: RBAC centers on roles; ABAC centers on attributes and policies. Many real systems use a hybrid, where roles themselves are one set of attributes within ABAC policies.
- ABAC vs simple permission lists: Traditional access lists hard-code which users or groups can access each object. ABAC instead evaluates dynamic policies, which can scale better across many programs, plants, and document types.
Context from aerospace maintenance and technical data
In aerospace maintenance and MRO, ABAC is often used to enforce access to maintenance manuals, service bulletins, configuration data, and as-built records based on attributes like operator qualifications, airline or customer, aircraft tail number, program, and export-control status. It is typically one layer in a broader control stack that may also include RBAC, workflow approvals, read-only versus authoring separation, and detailed audit trails across MES, MRO, PLM, and document systems.