ABAC

Attribute-Based Access Control. Access decisions are made by evaluating attributes of the subject, resource, action, and environment against policy. Flexible but harder to audit than RBAC. Often expressed in XACML or modern policy languages like Rego.