Myrsini wants to control access to an application in her organization based on a combination of staff member's job titles, the permissions each group of titles need for the application, and the time of day and location. What type of control scheme should she select?

Attributes used for ABAC often fall into one of four categories: subject attributes such as department or title; action attributes such as the ability to view, edit, or delete; object attributes that describe the object that can be impacted; and contextual attributes such as location, time, or elements. Discretionary access control would place these decisions in the hands of trusted subjects, MAC would enforce it at the operating system level, and role BAC would use only roles instead of the full set of criteria Myrsini wants to apply.