Which access control model uses attributes such as user role, resource type, and environmental conditions to grant access?

Prepare for the DSAC-11 Annex B Test. Study with our quiz featuring flashcards and multiple-choice questions, each question accompanied by hints and explanations. Get ready to excel!

Multiple Choice

Which access control model uses attributes such as user role, resource type, and environmental conditions to grant access?

Explanation:
Attribute-Based Access Control makes decisions based on attributes of the user, the resource, and the environment. Policies describe what attributes must be present for access—such as the user’s role, the type of resource, the requested action, and environmental conditions like time or location—and the system grants or denies access by evaluating those attributes against the rules. This lets you implement fine-grained, context-aware access decisions, for example allowing a payroll report to be read only if the user is in the HR team, the resource is a payroll document, the action is read, and the access occurs during business hours from a trusted network. In contrast, other models focus more on ownership (discretionary), fixed security labels (mandatory), or granting access mainly by role, which is less flexible than ABAC.

