LAB 4.5-D Tier 1: In-Browser Obj 4.5 · intermediate · ~15min

ABAC Policy Evaluator

Evaluate attribute-based access control policies across healthcare, financial services, and cloud infrastructure. For each request, determine the access decision AND identify which attributes are the deciding factors.

What You’ll Practice

  • Reading ABAC (Attribute-Based Access Control: access decisions based on user, resource, and environment attributes) policies and evaluating them against a set of subject, resource, and environment attributes
  • Identifying which specific attributes cause an access decision — not just “allow or deny” but why
  • Understanding how environmental context (time, location, device, risk scores) changes access decisions
  • Seeing ABAC in action across industries: hospital data, bank transactions, and cloud IAM (Identity and Access Management: the framework for managing digital identities and permissions)
  • Recognizing emergency overrides and conditional escalation policies

How the Exam Tests This

Objective 4.5 lists ABAC (Attribute-Based Access Control) alongside RBAC (Role-Based Access Control: permissions assigned to roles, users assigned to roles), DAC (Discretionary Access Control: the resource owner controls access permissions), and MAC (Mandatory Access Control: system-enforced access based on security labels). CompTIA tests whether you understand that ABAC evaluates combinations of attributes — not just roles or labels. Expect questions like “Which access control model can restrict access based on time of day and geographic location?” or scenario-based questions where the correct answer requires evaluating multiple attributes simultaneously.

Scoring

Each request is scored on two dimensions: correct access decision (allow/deny) and correct identification of deciding attributes. Both matter — getting the decision right by luck doesn’t demonstrate understanding.

MISSION

ABAC evaluates access by combining subject + resource + environment + action attributes against a policy. The same person making the same request can get a different answer depending on context.

For each request, you'll make two decisions:

  1. Is the access allowed or denied?
  2. Which attributes are the deciding factors?
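
The two-part judgement above, as an added example that is not part of the lab: a small evaluator that returns both the decision and the deciding attributes. The nurse policy, the emergency override and the sample requests are constructed for illustration and are not the lab's scenarios.

```python
# Added example: constructed policy and requests, not the lab's own scenarios.
# Rule: a nurse may read a patient record in their own department,
# while on shift, from a managed device. All conditions must hold.
POLICY = [
    ("subject", "role", lambda v, req: v == "nurse"),
    ("subject", "department",  # None never matches, so a missing value fails closed
     lambda v, req: v is not None and v == req.get("resource", {}).get("department")),
    ("action", "operation", lambda v, req: v == "read"),
    ("environment", "on_shift", lambda v, req: v is True),
    ("environment", "device_managed", lambda v, req: v is True),
]
# Hypothetical emergency override: it waives these two conditions only.
WAIVABLE = {"subject.department", "environment.on_shift"}


def evaluate(req):
    """Return (decision, deciding_attributes) for one request."""
    failed = []
    for category, attr, test in POLICY:
        value = req.get(category, {}).get(attr)  # absent attribute -> None
        if not test(value, req):
            failed.append(f"{category}.{attr}")
    if not failed:
        # Every condition was required, so every attribute is deciding.
        return "allow", [f"{c}.{a}" for c, a, _ in POLICY]
    blocking = [f for f in failed if f not in WAIVABLE]
    emergency = req.get("environment", {}).get("emergency_declared") is True
    if emergency and not blocking:
        return "allow", ["environment.emergency_declared"] + failed
    # No emergency: any failure blocks. Emergency: only non-waivable ones do.
    return "deny", blocking if emergency else failed


def make_request(**env):
    """Same nurse, same record, same action; only the environment varies."""
    return {
        "subject": {"role": "nurse", "department": "cardiology"},
        "resource": {"type": "patient_record", "department": "cardiology"},
        "action": {"operation": "read"},
        "environment": env,
    }


if __name__ == "__main__":
    for env in ({"on_shift": True, "device_managed": True},
                {"on_shift": False, "device_managed": True},
                {"on_shift": False, "device_managed": True, "emergency_declared": True},
                {"on_shift": False, "device_managed": False, "emergency_declared": True}):
        print(env, "->", evaluate(make_request(**env)))
```

The four requests differ only in environment attributes, and the last one shows that the override does not rescue a request from an unmanaged device.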

SCENARIOS

Metro General Hospital
Healthcare · 3 requests
Pacific National Bank
Financial Services · 3 requests
CloudScale Infrastructure
Cloud / DevOps · 3 requests

ATTRIBUTE CATEGORIES

Subject — who is asking
Resource — what they want
Environment — context/conditions
Action — what operation
3 scenarios · 9 requests · ~15 minutes