Attribute-Based Access Control (ABAC) is an access control model in which the decision to grant or deny access is made based on attributes that describe the user, resource, action, and operational context. Unlike models based solely on roles, ABAC does not stop at assigning a user to a group or job function. Instead, it evaluates a set of access policy rules, for example whether the operator is a member of the compliance team, is working from a workstation on the internal network, has permission to review evidence, and whether the material belongs to a specific case or has a particular retention status.
Attribute-Based Access Control (ABAC): Definition
ABAC is formally described in NIST publications, most notably in NIST Special Publication 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations from 2014. NIST defines ABAC as an access control method in which authorization is determined by evaluating subject, object, operation, and environment attributes against policies. In practice, this means the system does not ask only “who are you?” but also “what are you trying to access?”, “what do you want to do?”, and “under what conditions?”
In the context of photo and video anonymization, ABAC has direct operational value. Source material before faces or license plates are blurred contains personal data. Access to that material should be more restrictive than access to a version that has already been anonymized. ABAC therefore makes it possible to separate permissions across different stages of file handling, including import, review of raw footage, launching detection, manual mask correction, export, and deletion of temporary files.
In a video and image anonymization system, an ABAC policy can take into account not only the user, but also the material class, legal basis for processing, jurisdiction, case stage, and environment location. This is particularly important in on-premises deployments, where the organization is responsible for implementing technical and organizational security measures in line with Articles 24, 25, and 32 of the GDPR.
The Role of ABAC in Photo and Video Anonymization
The ABAC model is especially useful where the same video file passes through multiple processing stages and should be visible to a different group of people at each stage. This applies in particular to CCTV footage, body-worn camera recordings, inspection documentation, training materials, and content prepared for publication.
In such a scenario, ABAC can enforce precise access restrictions:
- for raw footage - only for individuals with a legitimate business need, such as a case operator or a person serving as a Data Protection Officer, where justified by their scope of duties,
- for automatic detection features - for users authorized to run face detection and license plate detection,
- for manual editing - for operators responsible for correcting areas the system does not detect automatically, such as documents or content displayed on monitors,
- for export of the anonymized version - for users publishing the material or passing it on,
- for deletion of source files - for the retention administrator or the person approving case closure.
In practice, this reduces the risk of excessive access to personal data. It is consistent with the principles of data minimization, integrity, and confidentiality under Article 5(1)(c) and (f) of the GDPR.
ABAC Attributes and Policies in Anonymization Systems
The effectiveness of Attribute-Based Access Control depends on the quality of attributes and the precision of policies. Attributes must be current, measurable, and verifiable by the system. In environments that process images and video, several classes of attributes are typically used.
| Attribute class | Examples | Use in anonymization |
|---|---|---|
| Subject | job role, department, certification, authorization level, employment status | determines who can view source material and who can export the result |
| Object | file type, confidentiality classification, recording source, case ID, retention status | distinguishes, for example, evidence material from publication-ready material |
| Operation | read, annotate, launch detection, edit, export, delete | makes it possible to grant access only to specific actions |
| Environment | IP address, network segment, time of day, workstation, country of processing | limits operations to a secure on-premises environment |
An example policy could be as follows: access to raw CCTV footage is allowed only if the user has active employee status, belongs to the unit handling the case, uses a device managed by the organization, and is connected to the internal network. Export of the anonymized version may be allowed for a broader group, but without the right to download the source material.
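The example policy above, written as a small deny-by-default evaluator. This is an added illustration, not code from NIST SP 800-162 or from any product named on this page. The attribute names, the internal network range, the 24-hour freshness limit and the reason codes are assumptions.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed values for this example; not taken from the page or any product.
INTERNAL_NET = ip_network("10.20.0.0/16")
MAX_ATTR_AGE = timedelta(hours=24)

def raw_read(s, o, e):
    # The four conditions the example policy sets for raw CCTV footage.
    return (s.get("employment_status") == "active"
            and s.get("unit") is not None and s.get("unit") == o.get("case_unit")
            and e.get("device_managed") is True
            and ip_address(e.get("source_ip", "0.0.0.0")) in INTERNAL_NET)

def anon_export(s, o, e):
    # Broader group: any active employee holding an export-capable role.
    return (s.get("employment_status") == "active"
            and s.get("role") in {"case_operator", "publisher"})

# (operation, object classification) -> rule. Anything not listed is denied,
# so "export" of "raw" material has no path at all.
POLICY = {("read", "raw"): raw_read, ("export", "anonymized"): anon_export}

def decide(subject, obj, operation, env, now=None):
    """Return (allowed, reason); deny by default and on stale attributes."""
    now = now or datetime.now(timezone.utc)
    rule = POLICY.get((operation, obj.get("classification")))
    if rule is None:
        return False, "no_matching_policy"
    synced = subject.get("attrs_synced_at")
    if synced is None or now - synced > MAX_ATTR_AGE:
        return False, "stale_subject_attributes"
    ok = rule(subject, obj, env)
    return ok, "permit" if ok else "condition_failed"

# Constructed sample request data.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
OPERATOR = {"employment_status": "active", "unit": "U7", "role": "case_operator",
            "attrs_synced_at": NOW - timedelta(hours=2)}
PUBLISHER = dict(OPERATOR, unit="U9", role="publisher")
RAW = {"classification": "raw", "case_unit": "U7"}
ANON = {"classification": "anonymized", "case_unit": "U7"}
OFFICE = {"device_managed": True, "source_ip": "10.20.5.9"}

if __name__ == "__main__":
    for who, what, op in [(OPERATOR, RAW, "read"), (PUBLISHER, RAW, "read"),
                          (PUBLISHER, ANON, "export"), (PUBLISHER, RAW, "export")]:
        print(who["role"], op, what["classification"], decide(who, what, op, OFFICE, NOW))
```

A missing attribute fails the condition instead of being skipped, and the publisher from another unit can export the anonymized file but has no rule that reaches the raw one.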
The Technical Context of ABAC and Face Detection and License Plate Detection
In anonymization systems, the access decision and the detection process itself are two separate layers. ABAC is not used for facial recognition or license plate recognition. It is used to control who can launch and operate these features, and under what conditions. Face detection and license plate detection themselves are typically based on machine learning models, most often deep learning. The AI model is trained in advance on appropriate data and then used to locate objects in an image or across successive video frames that are to be blurred.
In practice, this means a clear separation of responsibilities:
- the AI layer is responsible for face detection and license plate detection,
- the ABAC policy layer is responsible for who can run detection, view the result, and approve export.
In Gallio PRO, it is important to define these boundaries correctly. The software automatically blurs faces and license plates, but it does not automatically detect logos, tattoos, name badges, documents, or content shown on monitor screens. These elements can be blurred manually in the editor. From an ABAC perspective, this means the policy can separate the permission for automatic anonymization from the permission for manual intervention in the material.
Key ABAC Parameters and Metrics
ABAC should be assessed not only in terms of security, but also performance and auditability. In systems that work with large video files, slow authorization can reduce process efficiency. For that reason, it is worth measuring the core operating parameters of access policies.
| Parameter | Meaning | Practical significance |
|---|---|---|
| Decision latency | time required to evaluate an access policy | affects how smoothly files open and operations are performed |
| Policy coverage | percentage of cases covered by a formal policy | shows whether there are access paths outside of control |
| False allow / false deny | incorrectly granting or denying access | measures operational risk and the impact on team workflows |
| Audit completeness | completeness of the audit trail | makes it possible to demonstrate who performed a given action |
| Attribute freshness | how current the attributes are | reduces the risk of leaving access in place after a role or project change |
It is important to distinguish ABAC metrics from detection model metrics. The effectiveness of face detection or license plate detection is measured using different indicators, such as precision, recall, or intersection over union. ABAC does not improve detection quality, but it does limit data exposure before and after anonymization.
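One way to derive the parameters in the table from an authorization audit trail, as an added example that is not part of the original page. The record layout, the reason codes and the `review` field (a verdict from a later permission review) are assumptions, and the records are constructed.

```python
import math

# Fields a record needs so that "who performed a given action" can be shown.
REQUIRED = ("req", "subject_id", "operation", "decision", "reason", "latency_ms")

# Constructed audit records: pseudonymous ids and decisions only, no frames,
# names or detection results. "review" is a later permission-review verdict.
AUDIT = [
    {"req": "r1", "subject_id": "s-01", "operation": "read", "decision": "permit",
     "reason": "permit", "latency_ms": 4, "review": "permit"},
    {"req": "r2", "operation": "read", "decision": "deny",
     "reason": "condition_failed", "latency_ms": 6, "review": "deny"},
    {"req": "r3", "subject_id": "s-02", "operation": "export", "decision": "permit",
     "reason": "permit", "latency_ms": 5, "review": "deny"},
    {"req": "r4", "subject_id": "s-03", "operation": "delete", "decision": "deny",
     "reason": "no_matching_policy", "latency_ms": 3, "review": None},
    {"req": "r5", "subject_id": "s-01", "operation": "read", "decision": "deny",
     "reason": "stale_subject_attributes", "latency_ms": 40, "review": "permit"},
]

def percentile(values, p):
    # Nearest-rank percentile; avoids interpolating between two latencies.
    ordered = sorted(values)
    return ordered[max(0, math.ceil(p / 100 * len(ordered)) - 1)]

def abac_metrics(records):
    reviewed = [r for r in records if r.get("review") is not None]
    complete = [r for r in records if all(r.get(k) is not None for k in REQUIRED)]
    covered = [r for r in records if r["reason"] != "no_matching_policy"]
    return {
        "p95_latency_ms": percentile([r["latency_ms"] for r in records], 95),
        "policy_coverage": len(covered) / len(records),
        "false_allow": sum(r["decision"] == "permit" and r["review"] == "deny"
                           for r in reviewed),
        "false_deny": sum(r["decision"] == "deny" and r["review"] == "permit"
                          for r in reviewed),
        "audit_completeness": len(complete) / len(records),
        "stale_attribute_denies": sum(r["reason"] == "stale_subject_attributes"
                                      for r in records),
    }

if __name__ == "__main__":
    for name, value in abac_metrics(AUDIT).items():
        print(f"{name}: {value}")
```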
ABAC, GDPR Compliance, Data Security, and On-Premises Deployments
ABAC supports GDPR requirements, but it does not automatically create compliance on its own. It is a technical control that helps enforce access rules for materials containing facial images or license plates. This is especially important where an organization processes material locally, without transferring it to cloud services.
In an on-premises environment, ABAC can restrict access to source data to a very small group of users. This is particularly beneficial for high-risk materials such as intervention recordings, evidence files, or footage captured in public spaces. At the same time, the organization should ensure ABAC is aligned with identity management, retention management, and workstation security policy.
It is also worth remembering that the audit trail should document administrative and process-related operations, but should not itself become a dataset of personal data beyond the intended purpose. In the context of Gallio PRO, it is important that the software does not store face detection or license plate detection results in logs; however, the scope of logging may still include other operational data depending on the system configuration.
Challenges and Limitations of ABAC
ABAC offers a high degree of flexibility, but it requires a mature attribute management model. The more policies and exceptions there are, the greater the risk of configuration errors. Another common issue is inconsistency between attribute sources, for example when HR, the IAM system, and the case repository hold different data about the same user.
The most common limitations are as follows:
- policy complexity increases with the number of organizational exceptions,
- incorrect or outdated attributes lead to incorrect access decisions,
- it is difficult to test every possible combination of conditions,
- ABAC does not replace permission reviews, network segmentation, or data encryption,
- ABAC does not solve AI detection quality issues and does not replace manual review of anonymization results.
Standards References and Sources
The concept of ABAC and its practical use should be based on primary source documents and regulations governing processing security. For systems used to anonymize photos and video recordings, the following publications are particularly important:
- NIST SP 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations, National Institute of Standards and Technology, 2014,
- Regulation (EU) 2016/679 of the European Parliament and of the Council - GDPR, in particular Articles 5, 24, 25, and 32,
- ISO/IEC 27001:2022 - requirements for an information security management system,
- ISO/IEC 27002:2022 - security controls, including access control and identity management.
If an organization uses Attribute-Based Access Control when processing materials containing facial images, it is good practice to document policy logic, attribute sources, permission review procedures, and the relationship between access to raw material and anonymized material. This makes it easier to demonstrate accountability and assess whether safeguards are appropriate.