What is policy-based access control (PBAC)?

Published by Alex Olivier on March 22, 2024
What is policy-based access control (PBAC)?

Policy-Based Access Control (PBAC) is a method of managing user access to one or more systems. With PBAC, the organizational role of the user is combined with access policies to determine exactly what privileges the user should be granted. Unlike RBAC, Policy-Based Access Control is an ever-evolving type of access control necessitated by ever-evolving data usage needs.

With PBAC identifying information along with contextual factors such as roles, attributes and policies are used to determine whether or not a user should be provided access to certain resources. This enables a more dynamic policy enforcement and, among other things, provides a business with the ability to adjust on the fly and stay current with changing business or legal dynamics.

How it works

PBAC is a method of providing access to typically sensitive business assets based on a set of policies. Policy-Based Access Control typically weighs four kinds of attributes to determine if a user should be allowed to access the requested resource, and if so, what permissions they will have in regard to the resource. Those four types of attributes are:

  • Subject attributes: These may include the user’s job title and/or their department.
  • Object attributes: These are the attributes of the resource the user wishes to access.
  • Action attributes: These are the actions the user wishes to execute (reading, editing, sharing etc…).
  • Contextual attributes: These include date, time, location and other details related to the context in which the request is being made.

Access is granted in PBAC by weighing these attributes against system policies - which typically use “if, then” logic to assess an access request - and evaluating whether the request is legitimate. Access is only granted if all the conditions are satisfied.

Why is policy-based access control popular?

PBAC offers myriad advantages over other methods of access control such as RBAC and ABAC. These advantages include:

  • Real-time data protection: By providing fine-grain policy control over sensitive resources PBAC ensures those resources stay within their established boundaries.
  • Security compliance: With PBAC, companies have greater flexibility when it comes to enforcing compliance with SOC2, ISO27001 and other data handling standards and regulations.
  • Cost savings: PBAC enables you to establish centralized control over policies that ensures consistent enforcement across multiple applications. As a result, authorization policies can be reviewed and updated across the enterprise, reducing the costs normally associated with such activities. Policies can also be adjusted to reflect new requirements in real-time.

Book a free Policy Workshop to discuss your requirements and get your first policy written by the Cerbos team