PBAC

PBAC stands for Policy-Based Access Control. It is an access control paradigm that governs application and data resources by evaluating requests against a set of policies. Unlike models that rely primarily on the user’s identity or static roles, PBAC uses attributes of the subject, the resource, the action, and the environment to determine authorization. Policies specify conditions under which access is permitted, often including context such as time, location, or device state.

Core components typically include the policy administration point (PAP) for authoring and managing policies, the policy decision point (PDP) that evaluates requests against those policies, the policy enforcement point (PEP) that enforces the decision at the resource, and the policy information point (PIP) that gathers attribute data from sources such as identity directories or external services. Policy languages commonly used with PBAC include XACML and ALFA, among others.

PBAC is closely related to ABAC and is sometimes used interchangeably; in practice PBAC emphasizes policy-driven decisions using attributes, which enables fine-grained, context-aware access control. It can express RBAC concepts by treating roles as attributes but is not limited to role-based schemes.

Typical use cases include cloud and microservices access control, data protection and compliance, healthcare and finance, and any environment requiring dynamic authorization with auditable decisions. Challenges include policy complexity and conflicts, latency or performance overhead, and ensuring reliable attribute data and governance over policy lifecycles.
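As an added illustration (not part of this entry, and not any product's code), the following Python sketch models the four components described above: a PIP that returns subject attributes from a constructed directory, a PDP that evaluates subject, resource, action and environment attributes against policies using deny-overrides combining with default deny, and a PEP that enforces the result. The names DIRECTORY, pip_lookup, pdp_decide, pep_handle and the sample policies are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

# Hypothetical PIP backing store: subject attributes (constructed sample data).
DIRECTORY: Dict[str, Dict[str, Any]] = {
    "alice": {"role": "clinician", "department": "cardiology", "mfa": True},
    "bob": {"role": "billing", "department": "finance", "mfa": False},
}

@dataclass
class Request:
    subject: str
    action: str
    resource: Dict[str, Any]
    environment: Dict[str, Any] = field(default_factory=dict)

@dataclass
class Policy:
    name: str
    effect: str  # "permit" or "deny"
    applies: Callable[[Dict[str, Any], Request], bool]  # condition over (subject attrs, request)

def pip_lookup(subject: str) -> Dict[str, Any]:
    return DIRECTORY.get(subject, {})  # PIP: an unknown subject simply has no attributes

def pdp_decide(policies: List[Policy], req: Request) -> Tuple[str, List[str]]:
    """PDP with deny-overrides: any applicable deny wins, a permit is required to allow,
    and no applicable policy means deny. Returns the applied policy names for audit."""
    attrs = pip_lookup(req.subject)
    applicable = [p for p in policies if p.applies(attrs, req)]
    effects = {p.effect for p in applicable}
    decision = "deny" if "deny" in effects or "permit" not in effects else "permit"
    return decision, [p.name for p in applicable]

# Roles are ordinary attributes here, so an RBAC-style rule sits beside contextual ones.
POLICIES = [
    Policy("clinician-reads-own-dept-records", "permit",
           lambda a, r: a.get("role") == "clinician" and r.action == "read"
           and r.resource.get("type") == "patient_record"
           and a.get("department") == r.resource.get("department")),
    Policy("mfa-required-for-patient-records", "deny",
           lambda a, r: r.resource.get("type") == "patient_record" and not a.get("mfa", False)),
    Policy("no-export-outside-business-hours", "deny",
           lambda a, r: r.action == "export" and not r.environment.get("business_hours", False)),
]

def pep_handle(req: Request) -> str:
    """PEP: obtain the decision and enforce it at the resource (here: report the outcome)."""
    decision, applied = pdp_decide(POLICIES, req)
    return f"{decision} {req.action} {req.resource.get('id', '?')} via {applied or ['default-deny']}"
```

The returned policy names give the audit trail the entry mentions; a request matched by no policy is denied, which is the default-deny posture a PEP should assume when the PDP is unreachable as well.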