Which type of access control makes authorization decisions based on attributes of the subject, resource, and environment?
- Role-Based Access Control (RBAC)
- Discretionary Access Control (DAC)
- Rule-Based Access Control
- Attribute-Based Access Control (ABAC) ✓
Correct answer: Attribute-Based Access Control (ABAC)
Option D is correct because Attribute-Based Access Control (ABAC) makes authorization decisions by evaluating policies against attributes of the subject (user), the resource being accessed, and environmental conditions (time, location, risk level), enabling highly flexible and fine-grained access decisions. Option A is wrong because Role-Based Access Control (RBAC) grants permissions based solely on assigned roles, not on dynamic subject, resource, or environmental attributes. Option B is wrong because Discretionary Access Control (DAC) allows resource owners to set access permissions at their discretion, based on identity or group membership, not on multi-dimensional attribute evaluation. Option C is wrong because Rule-Based Access Control applies a fixed set of administrator-defined rules (for example, firewall ACLs), which is less flexible than ABAC and does not dynamically evaluate subject or environment attributes.
Topic: abac, access control models, cissp, authorization