Home | Community Forum | Blog

A Guide to the Relationship Between Policy Based Access Control (PBAC) and Attribute Based Access Control (ABAC)

With next-generation technologies such as attribute based access control (ABAC) on the rise, it’s important to understand the different frameworks to ensure you are using the best method for your organization. In this article, we’ll be covering the relationship between Policy Based Access Control (PBAC) and Attribute Based Access Control (ABAC), along with how ABAC can be used to extend Role-Based Access Control (RBAC)

What is PBAC?

Policy-Based Access Control is a method of controlling user access to one or more systems, where access privileges are determined by combining the business responsibilities of the user with policies. Instead of auditing and modifying roles across the entire organization, PBAC lets you quickly adjust entitlements in response to changes in requirements, ensuring that assets are secured through set rules or policies. PBAC is an adaptable authorization solution because it can support a variety of access points by automating security controls in applications and on data. When implemented with Attribute-Based Access Control (ABAC), the approach combines roles and attributes to produce flexible, dynamic control parameters.

What is ABAC?

According to NIST, ABAC is defined as “an access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.”

Attribute Based Access Control (ABAC) provides access to users based on who they are rather than what they do: for example, the business unit they work in and how they were hired. Attributes allow for an easier control structure because permissions can be based on the user’s type, location, department and so on, mirroring the physical aspects of the business. By looking at a user’s attributes—information that is already known and often stored in an HR system—ABAC permits you to express a rich, complex access control policy more simply. For example, if a user named Margret Smyth is promoted from the Marketing to management, her access permissions will be updated because her business attributes changed, not because someone remembered that she had admin permissions and took the time to update a configuration file somewhere.

How are PBAC and ABAC Related?

PBAC is an overarching term that includes any approach where policies are used to determine access. This can include both ABAC and role-based access control (RBAC).

How Can ABAC Extend RBAC?

ABAC allows an enterprise to extend existing roles using attributes and policies. By adding context, authorization decisions can be made based not only on a user’s role, but also by taking into account who or what that user is related to, what that user needs access to, where that user needs access from, when that user needs access, and how that user is accessing the requested information. ABAC does this by using policies built upon the individual attributes using natural language. For example, a policy may be written as follows: “Doctors can view medical records of any patient in their department and update any patient record that is directly assigned to them, during working hours, and from an approved device.” 

By creating a policy that is easy to understand, with context around a user and what s/he should have access to, access control becomes far more robust. This functionality expands the scope of RBAC significantly. We no longer need hundreds of overloaded roles, and administrators can add, remove, or reorganize departments and other attributes without having to rewrite the policy. At the end of the day, fewer roles mean simpler role management and easier identity management. Moreover, ABAC enables the execution of business initiatives not previously possible via RBAC alone.

What Makes PBAC with ABAC Important?

  • Flexibility: PBAC with ABAC is a flexible approach to access control that can be adapted to different environments and situations. Administrators can define policies that are specific to their organization’s needs, which makes it suitable for use in complex and dynamic environments. 
  • Compliance: PBAC with ABAC can help organizations comply with regulatory requirements and industry standards by providing a framework for managing access to sensitive data and systems. It enables administrators to define policies that ensure compliance with data protection regulations such as GDPR and HIPAA. 
  • Scalability: PBAC with ABAC can be used to manage access to resources across different systems and applications. This makes it suitable for use in large and complex organizations where multiple systems need to be secured. 

Key Takeaways

Policy-Based Access Control (PBAC) includes any approach that uses policies to determine access to resources. It can be implemented with either Role-based Access Control (RBAC) or Attribute-based Access Control (ABAC). 

PBAC with ABAC provides a flexible and fine-grained approach to access control, which is essential for larger and more complex organizations. ABAC enables administrators to define policies that are tailored to specific situations and requirements, which makes it easier to manage access to resources in dynamic environments. ABAC also provides more detailed and accurate access control decisions, which reduces the risk of unauthorized access to sensitive data and systems.

To learn more about PBAC and ABAC, check out our What is PBAC? article or our Definitive Guide to ABAC.

To comment on this post
Login to NextLabs Community

NextLabs seeks to provide helpful resources and easy to digest information on data-centric security related topics. To discuss and share insights on this resource with peers in the data security field, join the NextLabs community.