Under what circumstances is ABAC preferred over RBAC for enforcing least privilege?

Study for the User Account Management Test. Enhance your skills with flashcards and multiple choice questions, each with hints and explanations. Be prepared for success!

Multiple Choice

Under what circumstances is ABAC preferred over RBAC for enforcing least privilege?

Explanation:
ABAC is preferred when access decisions must reflect contextual attributes of the user, the resource, and the environment. For least-privilege enforcement, you want nuanced control that can adapt to who is requesting, where they are, what device they’re on, and other factors. ABAC uses policies that evaluate these attributes—such as department, location, device trust level, time of day, and more—to grant access only when all conditions are met. This lets you express precise, context-aware permissions, like allowing payroll data access only for someone in HR, logging in from a corporate device, and within business hours.

RBAC, by contrast, assigns permissions to static roles, which can be too coarse and rigid for dynamic contexts. It’s harder to maintain fine-grained least privilege when contexts change or when many attribute combinations are needed. The other statements don’t fit: ABAC doesn’t inherently require fewer attributes—it depends on the policy design—and RBAC isn’t always better in dynamic environments; ABAC handles context and nuance more effectively.
