What is Policy-Based Access Control?

TL;DR; PBAC and ABAC are exactly the same thing.

Lately, I’ve been hearing customers ask about the difference between externalized authorization, attribute-based access control (ABAC), and policy-based access control (PBAC). These are in fact all different ways of describing roughly the same thing: a better approach to tackling fine-grained authorization challenges in a way that is technology-neutral, i.e. that can be reused for APIs, data, and more.

What is policy-based access control?

Also known as PBAC, policy-based access control is the exact same thing as attribute-based access control (ABAC). When one mentions PBAC, they tend to focus on the policy language rather than the attributes but in fact both policies and attributes are equally important. As a best practice, ABAC is the term that is most commonly used and is the one that NIST (the National Institute of Standards and Technology) uses.

What is attribute-based access control?

Also known as ABAC, attribute-based access control is the latest in the evolution of authorization. The predominant model, RBAC, has been around since 1992 but suffers from several issues such as role explosion, manageability, and lack of granularity. ABAC addresses these aspects by providing (a) an architecture, (b) a policy language, and (c) a request / response scheme.