In attribute based access control, access to resources is based on the attributes of a user, not on the resource owner specifically granting access to that user. The user proves their claim through attributes associated with them rather than by having joined a group and/or been assigned a role.
A great example is that printer down the hall from you. You really don’t want to have to grant access to everyone on your floor or even manage an Active Directory security group of everyone who should be able to print on it. You know that everyone on the third floor of the Peoria office should have access to print on it.
But somehow that printer needs to know that you work on the third floor of the Peoria office. Enter Active Directory. It knows this stuff; your office location is a central, important piece of identity information. So you just create a dynamic security group that places everyone on the third floor of the Peoria office as a member. A new employee…automatically a member. Of course, Active Directory doesn’t come with dynamic security groups out of the box, but Imanami makes it pretty easy.
There are times when Active Directory doesn’t have the correct identity information. For example, only sales reps above quota should be allowed to print to that printer. Just add a database condition to that query that says location = Peoria AND %toquota (from your ERP) > 100. Boom, attribute based access control, without your end user having to prove that claim in any way. Just be a member of the correct dynamic Active Directory security group!
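The two steps above (an attribute rule over directory data plus an ERP condition, turned into group membership) boil down to a recurring reconciliation: compute who should be a member, diff against who is, and apply the difference. The following is an added PowerShell illustration of that loop, not Imanami's code or Active Directory's; the user objects, quota figures, account names and the group name `PRN-Peoria-3F` are constructed for the example.

```powershell
# Added example: reconcile a "dynamic" security group from attribute rules.
# Sample data is constructed; on a domain, Get-ADUser / Get-ADGroupMember
# from the ActiveDirectory module would supply it instead.

function Get-EligibleUsers {
    param([object[]]$Users, [hashtable]$QuotaByUser)
    # Rule from the post: office = Peoria AND floor = 3 AND %toquota > 100.
    # A user missing from the ERP feed is treated as not eligible (fail closed).
    $Users | Where-Object {
        $_.Office -eq 'Peoria' -and
        $_.Floor -eq 3 -and
        $QuotaByUser.ContainsKey($_.SamAccountName) -and
        $QuotaByUser[$_.SamAccountName] -gt 100
    } | Select-Object -ExpandProperty SamAccountName
}

function Get-MembershipDelta {
    param([string[]]$Desired, [string[]]$Current)
    # Who to add and who to remove so the group matches the rule exactly.
    [pscustomobject]@{
        Add    = @($Desired | Where-Object { $_ -notin $Current })
        Remove = @($Current | Where-Object { $_ -notin $Desired })
    }
}

# Constructed directory snapshot (hypothetical accounts).
$users = @(
    [pscustomobject]@{ SamAccountName = 'asmith'; Office = 'Peoria';  Floor = 3 },
    [pscustomobject]@{ SamAccountName = 'bjones'; Office = 'Peoria';  Floor = 3 },
    [pscustomobject]@{ SamAccountName = 'cwong';  Office = 'Peoria';  Floor = 2 },
    [pscustomobject]@{ SamAccountName = 'dlee';   Office = 'Chicago'; Floor = 3 }
)
# Constructed ERP feed: percent-to-quota per account.
$quota = @{ asmith = 120; bjones = 85; cwong = 150; dlee = 130 }
# Membership as it stood before this refresh (stale on purpose).
$currentMembers = @('bjones', 'dlee')

$desired = @(Get-EligibleUsers -Users $users -QuotaByUser $quota)
$delta   = Get-MembershipDelta -Desired $desired -Current $currentMembers

# Applying the delta on a real domain (hypothetical group name):
#   Add-ADGroupMember    -Identity 'PRN-Peoria-3F' -Members $delta.Add
#   Remove-ADGroupMember -Identity 'PRN-Peoria-3F' -Members $delta.Remove -Confirm:$false
"Add:    $($delta.Add -join ', ')"
"Remove: $($delta.Remove -join ', ')"
```

Because the group is recomputed on a schedule rather than evaluated at access time, a change in office or quota takes effect only at the next refresh, and the quality of the HR and ERP attributes feeding the rule becomes part of the access-control boundary worth monitoring.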
And, that poor rep sitting in the Peoria office not making quota? Handwritten proposals!