Executive summary
*/BAC refers to the domain of attribute-based access control, which enables organizations to meet a broad set of regulatory requirements by using an access control model in which authorization decisions are based on information evaluated dynamically at runtime.
Before the */BAC revolution, organizations statically assigned permissions and entitlements to users and stored them in a common, central catalogue. Governance over the security information (who has access to what) was much easier, as it was consolidated in a single attribute store, e.g., Microsoft Active Directory.
With */BAC, the access rules deciding who has access to what, and under what circumstances, are no longer pre-defined in a static assignment such as adding a user to a security group. Instead, the access rules, or policies if you like, are based on attributes from several perspectives, typically “Subject”, “Resource”, “Action” and “Circumstance”.
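To make the runtime evaluation concrete, here is an added example (not part of the original document) of a minimal policy decision point that evaluates a request against policies written over the four attribute perspectives above; the policy names, attributes and sample requests are constructed for illustration.

```python
# Added example: a minimal attribute-based policy decision point (PDP).
# Policies are predicates over Subject, Resource, Action and Circumstance
# attributes, evaluated at request time rather than pre-assigned to users.
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Attrs = Dict[str, Any]


@dataclass
class Request:
    subject: Attrs       # who is asking (role, department, ...)
    resource: Attrs      # what is being accessed (classification, owner, ...)
    action: Attrs        # what they want to do (read, write, ...)
    circumstance: Attrs  # context at runtime (time of day, network, ...)


@dataclass
class Policy:
    name: str
    condition: Callable[[Request], bool]
    effect: str = "permit"  # "permit" or "deny"


# Constructed sample policies; real deployments would load these from a store.
POLICIES: List[Policy] = [
    Policy("clinician-reads-own-department",
           lambda r: r.subject.get("role") == "clinician"
           and r.subject.get("department") == r.resource.get("department")
           and r.action.get("name") == "read"),
    Policy("deny-outside-business-hours",
           lambda r: not 8 <= r.circumstance.get("hour", -1) < 18,
           effect="deny"),
]


def evaluate(request: Request, policies: List[Policy] = POLICIES) -> Tuple[str, List[str]]:
    """Deny-overrides combining: any matching deny wins, otherwise a matching
    permit grants access, and with no match the default is deny. The list of
    matched policy names is returned so the decision can be audited."""
    matched = [p for p in policies if p.condition(request)]
    names = [p.name for p in matched]
    if any(p.effect == "deny" for p in matched):
        return "deny", names
    if any(p.effect == "permit" for p in matched):
        return "permit", names
    return "deny", names


def decide(request: Request) -> str:
    return evaluate(request)[0]
```

The same subject, resource and action can yield different decisions depending only on the circumstance, which is exactly what a static group assignment cannot express.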