Attribute-Based Access Control (ABAC) is an access control model that grants or denies access based on a combination of attributes: attributes of the user (department, clearance level, employment type), attributes of the data (sensitivity classification, geographic region, PII flag), and contextual attributes (time of day, query purpose). ABAC extends RBAC with far more expressive, dynamic, and fine-grained access policies.
ABAC vs. RBAC
RBAC is role-centric: a user with the "analyst" role gets all permissions granted to analysts. This is simple to manage but inflexible. ABAC is policy-centric: access is determined by evaluating rules like "allow SELECT if user.department = 'finance' AND column.sensitivity != 'PII' AND user.region = data.region". This enables row-level security (only show US users US data), column-level masking (mask SSN columns for non-HR users), and time-based restrictions without creating hundreds of granular roles.
ABAC in the Iceberg Lakehouse
Implementing ABAC in an Iceberg lakehouse requires enforcement at the query layer, not at the storage layer. The query engine (such as Dremio) evaluates user attributes from the identity provider at query time and injects row filters and column masking policies into the query plan before execution. This means the Parquet files in S3 are never modified; access control is applied transparently during query processing. Apache Polaris supports tag-based access control policies that align closely with ABAC principles for multi-engine catalog governance.
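The query-time rewrite described above, sketched as an added example (not Dremio or Polaris code). The table, column tags, function names, and the choice to let only finance and HR run SELECT are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed catalog metadata: column name -> sensitivity tag (hypothetical).
COLUMN_TAGS = {"order_id": "public", "amount": "internal",
               "ssn": "PII", "region": "public"}
TABLE = "sales.orders"  # constructed table name
ALLOWED_DEPARTMENTS = ("finance", "hr")  # assumption for this example


class AccessDenied(Exception):
    """Raised when the policy does not allow the query at all."""


@dataclass(frozen=True)
class User:
    # Attributes as they would arrive from the identity provider.
    department: Optional[str]
    region: Optional[str]


def plan_select(user: User, columns: list) -> tuple:
    """Return (sql, params): the SELECT rewritten with row and column policies."""
    # Fail closed: a missing attribute must never widen access.
    if user.department is None or user.region is None:
        raise AccessDenied("missing user attribute")
    if user.department not in ALLOWED_DEPARTMENTS:
        raise AccessDenied("department may not SELECT from this table")
    projection = []
    for col in columns:
        tag = COLUMN_TAGS.get(col)
        if tag is None:
            # Only catalogued identifiers reach the SQL text (allow-list).
            raise AccessDenied("unknown column: %r" % col)
        if tag == "PII" and user.department != "hr":
            projection.append("'****' AS " + col)  # column mask for non-HR users
        else:
            projection.append(col)
    # Row filter user.region = data.region, bound as a parameter so an
    # attribute value can never change the structure of the query.
    sql = "SELECT %s FROM %s WHERE region = ?" % (", ".join(projection), TABLE)
    return sql, [user.region]


if __name__ == "__main__":
    print(plan_select(User("finance", "US"), ["order_id", "amount", "ssn"]))
    print(plan_select(User("hr", "EU"), ["order_id", "ssn"]))
```

Because the policy exists only in the rewritten query, it covers only reads that go through the engine: the Parquet files are unchanged, so a principal with direct object-store access sees unmasked, unfiltered data.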

