What is Policy-Based Access Control?

TL;DR: Policy-based access control (PBAC) and attribute-based access control (ABAC) are exactly the same thing. Both enable fine-grained access control, i.e. fine-grained authorization.

Lately, customers have been asking me about the difference between externalized authorization, attribute-based access control (ABAC), and policy-based access control (PBAC). These are in fact different names for roughly the same thing: a better approach to fine-grained authorization that is technology-neutral, i.e. one that can be reused for APIs, data, and more.

Both ALFA (the Abbreviated Language for Authorization) and XACML are the OASIS standards for implementing ABAC.

What is policy-based access control?

Also known as PBAC, policy-based access control is the exact same thing as attribute-based access control (ABAC). People who say PBAC tend to emphasize the policy language rather than the attributes, but in fact policies and attributes are equally important. ABAC is the more widely used term and the one NIST (the National Institute of Standards and Technology) uses, so it is the better choice.

What is attribute-based access control?

Also known as ABAC, attribute-based access control is the latest step in the evolution of authorization. The predominant model, role-based access control (RBAC), has been around since 1992 but suffers from several issues: role explosion, poor manageability, and lack of granularity. ABAC addresses these by providing (a) an architecture, (b) a policy language, and (c) a request/response scheme.
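To make (b) and (c) concrete, here is an added Python sketch of a policy decision point; it is not ALFA or XACML code and not from any product or standard. It models a constructed medical-records policy as rules over subject, action, resource and environment attributes, two of XACML's rule-combining algorithm names (deny-overrides, first-applicable), and a request/response function; all names and data are hypothetical.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List
# Request: attributes grouped by category (subject, action, resource, environment).
Request = Dict[str, Dict[str, Any]]
PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

@dataclass
class Rule:
    effect: str                            # PERMIT or DENY, produced when condition holds
    condition: Callable[[Request], bool]   # predicate over request attributes

@dataclass
class Policy:
    target: Callable[[Request], bool]      # does this policy apply to the request at all?
    rules: List[Rule]
    algorithm: str = "deny-overrides"      # rule-combining algorithm (XACML's names)

    def evaluate(self, req: Request) -> str:
        if not self.target(req):
            return NOT_APPLICABLE
        decisions = [r.effect for r in self.rules if r.condition(req)]  # false condition = no decision
        if self.algorithm == "deny-overrides":
            if DENY in decisions:
                return DENY
            return PERMIT if PERMIT in decisions else NOT_APPLICABLE
        if self.algorithm == "first-applicable":
            return decisions[0] if decisions else NOT_APPLICABLE
        raise ValueError(f"unknown combining algorithm: {self.algorithm}")

# Constructed policy (hypothetical data): a doctor may view a record of a patient in
# their care during working hours, unless the record is sealed. With roles alone this
# needs one role per doctor/patient pair (role explosion); here it is one attribute rule.
RECORDS_POLICY = Policy(
    target=lambda r: r["resource"].get("type") == "medical-record",
    rules=[
        Rule(DENY, lambda r: r["resource"].get("sealed") is True),
        Rule(PERMIT, lambda r: r["action"].get("id") == "view"
             and r["subject"].get("role") == "doctor"
             and r["subject"].get("id") in r["resource"].get("care_team", [])
             and 8 <= r["environment"].get("hour", -1) < 18),
    ],
)

def decide(subject: Dict[str, Any], action: Dict[str, Any], resource: Dict[str, Any],
           environment: Dict[str, Any], policy: Policy = RECORDS_POLICY) -> str:
    """Request/response scheme: bundle attributes by category, return one decision."""
    return policy.evaluate({"subject": subject, "action": action,
                            "resource": resource, "environment": environment})
```

The same sealed-record request returns Deny under deny-overrides but Permit under first-applicable if the permit rule is listed first, which is why the combining algorithm is part of the policy, not an afterthought.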