Policy Based Access Control (PBAC) and Attribute Based Access Control (ABAC)

With next-generation technologies such as dynamic authorization and fine-grained access control on the rise, it is important to understand the different frameworks so that organizations can choose the method that best fits their needs. In this article, we cover the relationship between Policy Based Access Control (PBAC) and Attribute Based Access Control (ABAC), along with how PBAC can be used to implement ABAC and extend Role-Based Access Control (RBAC).

Attribute-Based Access Control (ABAC) and Policy-Based Access Control (PBAC) are complementary security models that can work together to provide a highly flexible, scalable, and dynamic approach to managing access in modern IT environments.

Policy-Based Access Control (PBAC)

PBAC is a broader framework that uses policies to govern access control decisions. A PBAC system defines policies that specify the rules for granting or denying access to resources. These policies are typically centralized and enforce access rules consistently across an entire organization.

PBAC is flexible in that:

  • It allows administrators to define access policies that can span roles, users, resources, environments, and actions.
  • Policies can be defined for specific scenarios, such as role-based, attribute-based, or even context-based access control.


Attribute-Based Access Control (ABAC)

ABAC is an access control model that uses attributes (or characteristics) to define access policies. These attributes describe users (e.g., job title, department, security clearance), resources (e.g., data classification, resource type), actions (e.g., read, write), and environmental factors (e.g., time of day, location).

In ABAC:

  • Access decisions are based on if-then rules that evaluate the combination of these attributes.
  • A policy might look like: “Allow access to financial data only if the user’s department is ‘Finance’ and they are accessing from an organization-approved device.”
  • ABAC provides very fine-grained control and is highly adaptable to dynamic environments.
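The following is an added example, not CloudAz code, showing how the sample policy above can be expressed as if-then rules over user, resource, action, and environment attributes. Attribute names such as `department`, `classification`, and `device_approved`, the extra business-hours rule, and the deny-overrides combining logic are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable

Attrs = dict[str, object]  # attribute name -> attribute value


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str  # "permit" or "deny"
    # condition(user_attrs, resource_attrs, action, env_attrs) -> bool
    condition: Callable[[Attrs, Attrs, str, Attrs], bool]


def evaluate(rules: list[Rule], user: Attrs, resource: Attrs, action: str, env: Attrs) -> str:
    """Return "permit" or "deny" for one request.

    Deny-overrides combining (an assumption): any matching deny rule wins,
    otherwise a matching permit rule grants access, otherwise the default is deny.
    """
    matched = [r.effect for r in rules if r.condition(user, resource, action, env)]
    if "deny" in matched:
        return "deny"
    return "permit" if "permit" in matched else "deny"


# The page's example policy: financial data may be read only by the Finance
# department from an organization-approved device. The second rule adds a
# time-of-day environmental attribute (constructed for illustration).
FINANCE_POLICY = [
    Rule("finance-data-from-approved-device", "permit",
         lambda u, r, a, e: r.get("classification") == "financial"
         and u.get("department") == "Finance"
         and e.get("device_approved") is True
         and a == "read"),
    Rule("block-outside-business-hours", "deny",
         lambda u, r, a, e: not (8 <= e.get("hour", -1) < 18)),
]

# Constructed sample subjects and resource.
ALICE = {"department": "Finance", "job_title": "Analyst"}
BOB = {"department": "Engineering", "job_title": "Developer"}
LEDGER = {"classification": "financial", "type": "spreadsheet"}


def demo() -> dict[str, str]:
    """Evaluate a few constructed requests against FINANCE_POLICY."""
    return {
        "alice_approved_device": evaluate(FINANCE_POLICY, ALICE, LEDGER, "read", {"device_approved": True, "hour": 10}),
        "alice_unapproved_device": evaluate(FINANCE_POLICY, ALICE, LEDGER, "read", {"device_approved": False, "hour": 10}),
        "bob_approved_device": evaluate(FINANCE_POLICY, BOB, LEDGER, "read", {"device_approved": True, "hour": 10}),
        "alice_after_hours": evaluate(FINANCE_POLICY, ALICE, LEDGER, "read", {"device_approved": True, "hour": 22}),
    }
```

Only the first request is permitted; the others fail on the device, department, or time-of-day attribute, and a request with no matching rule (or a missing attribute) falls through to deny.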

How ABAC and PBAC Fit Together