Updated July 19, 2023
A Guide to the Relationship Between Policy Based Access Control (PBAC) and Attribute Based Access Control (ABAC)
With next-generation technologies such as ABAC on the rise, it’s important to understand the different frameworks to ensure you are using the best method for your organization. In this article, we’ll be covering the relationship between Policy Based Access Control (PBAC) and Attribute Based Access Control (ABAC), along with how ABAC can be used to extend Role-Based Access Control (RBAC).
What is PBAC?
Policy-Based Access Control is a method of controlling user access to one or more systems, where access privileges are determined by combining the business responsibilities of the user with policies. Instead of auditing and modifying roles across the entire organization, PBAC lets you quickly adjust entitlements in response to changes in requirements, ensuring that assets are secured through set rules or policies. PBAC is an adaptable authorization solution because it can support a variety of access points by automating security controls in applications and on data. When implemented with Attribute-Based Access Control (ABAC), the approach combines roles and attributes to produce flexible, dynamic control parameters.
What is ABAC?
According to NIST SP 800-162, ABAC is a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes.
ABAC provides access to users based on who they are rather than what they do: for example, the business unit they work in and how they were hired. Attributes allow for an easier control structure because permissions can be based on the user’s type, location, department and so on, mirroring the physical aspects of the business. By looking at a user’s attributes—information that is already known and often stored in an HR system—ABAC permits you to express a rich, complex access control policy more simply. For example, if a user named Margret Smyth is promoted from Marketing to management, her access permissions are updated because her business attributes changed, not because someone remembered that she had admin permissions and took the time to update a configuration file somewhere.
How are PBAC and ABAC Related?
PBAC is an overarching term that includes any approach where policies are used to determine access. This can include both ABAC and role-based access control (RBAC).
How can ABAC extend RBAC?
ABAC allows an enterprise to extend existing roles using attributes and policies. By adding context, authorization decisions can be made based not only on a user’s role, but also by taking into account who or what that user is related to, what that user needs access to, where that user needs access from, when that user needs access, and how that user is accessing the requested information. ABAC does this with policies written in natural language over the individual attributes. For example, a policy may be written as follows: “Doctors can view medical records of any patient in their department and update any patient record that is directly assigned to them, during working hours, and from an approved device.” By creating a policy that is easy to understand, with context around a user and what they should have access to, access control becomes far more robust. This functionality expands the scope of RBAC significantly. We no longer need hundreds of overloaded roles, and administrators can add, remove, or reorganize departments and other attributes without having to rewrite the policy. At the end of the day, fewer roles mean simpler role management and easier identity management. Moreover, ABAC enables the execution of business initiatives not previously possible via RBAC alone.
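As an added example (not code from the article), the doctor policy above can be encoded as a single attribute rule that evaluates subject, object, action and environment attributes; the attribute names, the working-hours window and the sample users and records are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Subject:
    user_id: str
    role: str
    department: str

@dataclass
class Record:
    patient_id: str
    department: str
    assigned_doctor: str   # user_id of the doctor the patient is assigned to

@dataclass
class Environment:
    now: datetime
    device_approved: bool  # assumed: set by a device-posture check upstream

def in_working_hours(env: Environment) -> bool:
    """Assumed working hours: Monday to Friday, 08:00-17:59."""
    return env.now.weekday() < 5 and 8 <= env.now.hour < 18

def doctor_rule(subject: Subject, action: str, record: Record, env: Environment) -> bool:
    """Doctors can view records of any patient in their department and update any
    record directly assigned to them, during working hours and from an approved device."""
    if subject.role != "doctor":
        return False
    if not (in_working_hours(env) and env.device_approved):   # environment conditions
        return False
    if action == "view":
        return record.department == subject.department
    if action == "update":
        return record.assigned_doctor == subject.user_id
    return False

RULES = [doctor_rule]   # one rule per natural-language policy statement

def is_permitted(subject: Subject, action: str, record: Record, env: Environment) -> bool:
    """Deny by default; access is granted only if some rule explicitly permits it."""
    return any(rule(subject, action, record, env) for rule in RULES)

if __name__ == "__main__":
    smyth = Subject("dr_smyth", "doctor", "cardiology")
    chart = Record("p1", "cardiology", "dr_jones")
    office_hours = Environment(datetime(2023, 7, 19, 10, 0), device_approved=True)
    print(is_permitted(smyth, "view", chart, office_hours))    # True: same department
    print(is_permitted(smyth, "update", chart, office_hours))  # False: assigned to dr_jones
```

Reassigning a department or an assigned doctor changes the decision without touching the rule, which is the point the paragraph makes about not rewriting policy when attributes change.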
What makes PBAC with ABAC important?
- Flexibility: PBAC with ABAC is a flexible approach to access control that can be adapted to different environments and situations. Administrators can define policies that are specific to their organization’s needs, which makes it suitable for use in complex and dynamic environments.
- Compliance: PBAC with ABAC can help organizations comply with regulatory requirements and industry standards by providing a framework for managing access to sensitive data and systems. It enables administrators to define policies that ensure compliance with data protection regulations such as GDPR and HIPAA.
- Scalability: PBAC with ABAC can be used to manage access to resources across different systems and applications. This makes it suitable for use in large and complex organizations where multiple systems need to be secured.
Key Takeaways
Policy-Based Access Control (PBAC) includes any approach that uses policies to determine access to resources. It can be implemented with either Role-based Access Control (RBAC) or Attribute-based Access Control (ABAC).
PBAC with ABAC provides a flexible and fine-grained approach to access control, which is essential for larger and more complex organizations. ABAC enables administrators to define policies that are tailored to specific situations and requirements, which makes it easier to manage access to resources in dynamic environments. ABAC also provides more detailed and accurate access control decisions, which reduces the risk of unauthorized access to sensitive data and systems.