ABAC – Attribute-based access control is an authorization system which defines access based on attributes associated with security principals, resources, and environment. ABAC builds on Azure RBAC by adding role assignment conditions based on attributes in the context of specific actions.
How does it differentiate from Azure RBAC:
Role-based access control – RBAC is an authorization system that helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. But in cases you might want to fine grain the access management based on certain conditions or attributes. You might also want to break the RBAC hierarchy with more granular controls. ABAC on top of RBAC bring in a role assignment condition which is an additional check that you can optionally add to your role assignment to provide more fine-grained access control.
There are three primary benefits:
Provide more fine-grained access control – conditions to filter down those permissions for more fine-grained access control. You can also add conditions to specific actions. For example, you can grant John read access to blobs in your subscription only if the blobs are tagged as Project=Blue
Help reduce the number of role assignments – Potentially add conditions to use significantly fewer role assignments
Use attributes that have specific business meaning – Conditions allow you to use attributes that have specific business meaning to you in access control
How does the condition look and Implementation:
Considering an example – New blobs must include a tag
There are two permissions that allow you to create new blobs, so both must be targeted. You must add this condition to any role assignments that include one of the following permissions.
- /blobs/write (create or update)
- /blobs/add/action (create)
Currently, conditions can be added to built-in or custom role assignments that have storage blob data actions.