Attribute-Based Access Control in Python — ELI5

Imagine going through airport security. Whether you get through doesn’t just depend on who you are (your passport). It also depends on where you’re going (domestic or international), when you’re traveling (is it past boarding time?), and what you’re carrying (any liquids over 100ml?).

Multiple facts combine to make one decision: let you through or not.

That’s Attribute-Based Access Control (ABAC). Instead of just checking your job title (like RBAC does), ABAC looks at a whole bunch of attributes — facts about you, the thing you’re trying to access, and the current situation.

For example, a hospital system might have a rule like:

“A doctor can view a patient’s medical records only if the doctor is assigned to that patient and it’s during working hours and the doctor is connecting from the hospital network.”

That’s four different checks happening at once:

  • Your role (doctor)
  • Your assignment (this specific patient)
  • The time (working hours)
  • Your location (hospital network)

Regular role-based systems can only handle the first one easily. ABAC handles all four.

Think of it as writing rules the way you’d explain permissions to a person: “Sure, you can access this, but only if these conditions are all true.” The system evaluates those conditions automatically every time someone tries to do something.

In Python, you write policies that combine these attributes into allow/deny decisions. Each request carries attributes about the user, the resource, and the environment, and the policy engine evaluates them together.
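Here is the hospital rule from above written as a small, self-contained ABAC engine. This is an added example, not code from the original post or from any particular library. The hospital network range, working hours, and the sample requests are all constructed assumptions for illustration; real deployments would load these from policy configuration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Any, Callable, Mapping


@dataclass(frozen=True)
class Request:
    """One access request: attributes about the user, the resource, the action, and the situation."""
    subject: Mapping[str, Any]      # facts about the user (role, assignments, ...)
    resource: Mapping[str, Any]     # facts about the thing being accessed
    action: str                     # what the user wants to do
    environment: Mapping[str, Any]  # facts about the context (time, client IP, ...)


# A condition is any predicate over the request; a policy is a conjunction of them.
Condition = Callable[[Request], bool]


@dataclass
class Policy:
    name: str
    effect: str                                   # "allow" or "deny"
    conditions: list[Condition] = field(default_factory=list)

    def matches(self, req: Request) -> bool:
        # Every condition must hold for the policy to apply to this request.
        return all(cond(req) for cond in self.conditions)


# Assumed values: the hospital's internal range and its working hours.
HOSPITAL_NETWORK = ip_network("10.20.0.0/16")
WORK_START, WORK_END = time(8, 0), time(18, 0)


def is_view_medical_record(req: Request) -> bool:
    return req.action == "view" and req.resource.get("type") == "medical_record"


def is_doctor(req: Request) -> bool:
    return req.subject.get("role") == "doctor"


def is_assigned_to_patient(req: Request) -> bool:
    # Resource attribute (patient_id) checked against a subject attribute (assigned_patients).
    return req.resource.get("patient_id") in req.subject.get("assigned_patients", ())


def during_working_hours(req: Request) -> bool:
    return WORK_START <= req.environment["now"].time() < WORK_END


def from_hospital_network(req: Request) -> bool:
    return ip_address(req.environment["client_ip"]) in HOSPITAL_NETWORK


def is_suspended(req: Request) -> bool:
    return bool(req.subject.get("suspended", False))


POLICIES = [
    Policy(
        "doctor-views-assigned-patient-records",
        "allow",
        [is_view_medical_record, is_doctor, is_assigned_to_patient,
         during_working_hours, from_hospital_network],
    ),
    # A deny policy that wins over any allow: suspended accounts get nothing.
    Policy("suspended-accounts", "deny", [is_suspended]),
]


def decide(req: Request, policies: list[Policy] = POLICIES) -> str:
    """Combine policies with deny-overrides and default-deny.

    If any matching policy denies, the answer is deny; otherwise allow only if
    some policy explicitly allows; a request no policy covers is denied.
    """
    matched = [p for p in policies if p.matches(req)]
    if any(p.effect == "deny" for p in matched):
        return "deny"
    if any(p.effect == "allow" for p in matched):
        return "allow"
    return "deny"


def example_request(now: str = "2024-03-05T10:30", client_ip: str = "10.20.3.7",
                    patient_id: str = "p-123", suspended: bool = False) -> Request:
    """Build a constructed sample request: Dr. Lee viewing a record, with overridable context."""
    return Request(
        subject={"user": "dr-lee", "role": "doctor",
                 "assigned_patients": {"p-123", "p-456"}, "suspended": suspended},
        resource={"type": "medical_record", "patient_id": patient_id},
        action="view",
        environment={"now": datetime.fromisoformat(now), "client_ip": client_ip},
    )


if __name__ == "__main__":
    print(decide(example_request()))                          # allow
    print(decide(example_request(now="2024-03-05T21:00")))    # deny: after hours
    print(decide(example_request(client_ip="203.0.113.9")))   # deny: off-network
```

Two design points worth noting: the engine is default-deny, so a request that matches no policy is refused rather than silently permitted, and deny policies override allow policies, which is the usual safe combining rule when several policies apply to one request.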

The one thing to remember: ABAC makes permission decisions by combining multiple facts — about the user, the resource, and the context — allowing rules like “only during business hours from the company network” that simple role checks can’t express.
