What is Azure attribute-based access control (Azure ABAC)?

Attribute-based access control (ABAC) is an authorization system that defines access based on attributes associated with security principals, resources, and the environment of an access request. With ABAC, you can grant a security principal access to a resource based on attributes. Azure ABAC refers to the implementation of ABAC for Azure.

How ABAC Works

The diagram below illustrates how Azure ABAC works:

1. User Request: A user requests access to a resource.
2. RBAC Evaluation: The role assigned to the user is checked to determine if they are allowed to perform the requested action.
3. ABAC Condition Check: If the role permits the action, the system evaluates the conditions (such as user attributes or resource attributes).
4. Access Decision: If all conditions are met, access is granted.

The ABAC model ensures that even if a user has a role-based permission, they can only access a resource if their attributes meet the predefined conditions

Why use conditions?

There are three primary benefits for using role assignment conditions:

• Provide more fine-grained access control - A role assignment uses a role definition with actions and data actions to grant security principal permissions. You can write conditions to filter down those permissions for more fine-grained access control. You can also add conditions to specific actions. For example, you can grant John read access to blobs in your subscription only if the blobs are tagged as Project=Blue.
• Help reduce the number of role assignments - Each Azure subscription currently has a role assignment limit. There are scenarios that would require thousands of role assignments. All of those role assignments would have to be managed. In these scenarios, you could potentially add conditions to use significantly fewer role assignments.
• Use attributes that have specific business meaning - Conditions allow you to use attributes that have specific business meaning to you in access control. Some examples of attributes are project name, software development stage, and classification levels. The values of these resource attributes are dynamic and change as users move across teams and projects.

Example scenarios for conditions

There are several scenarios where you might want to add a condition to your role assignment. Here are some examples.

• Read access to blobs with the tag Project=Cascade
• New blobs must include the tag Project=Cascade
• Existing blobs must be tagged with at least one Project key or Program key
• Existing blobs must be tagged with a Project key and Cascade, Baker, or Skagit values
• Read, write, or delete blobs in containers named blobs-example-container
• Read access to blobs in containers named blobs-example-container with a path of readonly
• Write access to blobs in containers named Contosocorp with a path of uploads/contoso
• Read access to blobs with the tag Program=Alpine and a path of logs
• Read access to blobs with the tag Project=Baker and the user has a matching attribute Project=Baker
• Read access to blobs during a specific date/time range.
• Write access to blobs only over a private link or from a specific subnet.

Example Scenario: Granting Conditional Access with ABAC

Let's say your organization wants to allow users in the "Data Analyst" role to read data stored in specific regions for compliance purposes. Using ABAC, you can define a condition where only analysts accessing resources in their own department or specific geographic regions (such as the EU) are allowed access.

RBAC Example:

• A Data Analyst is given read access to all data storage resources by being assigned a "Data Reader" role.

ABAC Example:

• A Data Analyst is granted read access to storage resources only if the resource’s location attribute matches "EU" or the user's department matches "Finance."

Condition: 
  If: Resource.Location == 'EU' 
  AND User.Department == 'Finance'

        

In this case, ABAC adds the ability to check conditions at access time, making access decisions more dynamic.

Conclusion

Azure ABAC is a powerful tool for organizations looking to implement more precise, dynamic, and context-aware access control. While RBAC is still effective for many use cases, ABAC provides the flexibility needed for more complex access scenarios. By leveraging both models, organizations can ensure secure and compliant access control for all their resources.