Policy-Based Access Control (PBAC) is an authorization approach in which access rights are decided by policies written over both roles and attributes. It builds on Attribute-Based Access Control (ABAC) to meet the fast-changing, remote access needs of companies as they move increasingly to cloud-based applications.
Why are RBAC and ABAC not enough?
Role-Based Access Control (RBAC) is a coarse-grained approach: access is static and granted solely on the basis of the roles assigned to a user (typically mapped to job titles). A user's effective permissions are the union of the permissions attached to each assigned role, and management adds and edits roles as needed. This approach doesn't scale, because as a company grows it becomes impossible to track the growing number of changing user roles, leading to 'role explosion'.
Attribute-Based Access Control (ABAC) is a more fine-grained approach. ABAC grants access rights through a combination of attributes of the user, the resource and the environment. This is a much more fine-grained approach to authorization, but it has one major drawback: the rules are typically written in a formal policy language, classically the eXtensible Access Control Markup Language (XACML), rather than in plain language, which creates a heavy dependency on IT teams. If a manager needs to change a position now, they are out of luck.
How a Strong PBAC Solution solves the problems of ABAC and RBAC
Policy-Based Access Control takes the best of ABAC and RBAC but makes it accessible to everyone. Like ABAC, PBAC supports both roles and attributes, so a policy can restrict access by who (role), what (resource or asset) and when (time of day).
Best-of-breed PBAC providers go even further, allowing policies to be written in plain language without relying on XACML.
A PBAC approach would ideally use a Graphical User Interface (GUI), allowing complex policies to be written, edited and even implemented without the need for extensive IT knowledge, giving management the option of managing the decision-making process.
This is all the more important as more people work from home and require more flexible access to company resources. IT teams just don’t have the visibility they used to.
Policy Based Access Control Use Cases
Here are two scenarios where using a PBAC approach can dramatically impact a company’s business.
- Banking: Bank management can easily create a policy stating (ideally in plain language) that "Branch Managers can access the Client Basic Profile, Bank Accounts and Card Data of clients that belong to the same Line of Business (LoB) and same branch as themselves". The strength of GUI-based PBAC is that the policy never has to name specific LoBs or branches: it compares the client's attributes with the manager's own, so a single policy covers every branch and is simplified through the visual representation.
- Healthcare: Hospitals and healthcare companies handle very sensitive patient information and need to protect doctor-patient confidentiality at all times. Access to patient medical files must follow strict rules on a need-to-know basis. A PBAC policy would specify that "a doctor can view all medical records of a patient within their specialty." PlainID's Policy-Based Access Control solution can then layer further policies on top, for example restricting which other users are authorized, from which locations and during which times.
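To make the who/what/when combination concrete, here is a small policy decision point that evaluates the two use-case policies above as data rather than as code paths. This is an added illustration written for this page; it is not PlainID's product, API or code, and the attribute names (lob, branch, specialty, location), role names and sample records are constructed assumptions. It shows the two properties a practitioner cares about: the policy compares the subject's attributes with the resource's instead of enumerating branches or specialties, and every request not covered by a permitting policy (wrong role, wrong action, missing attribute, off-hours, wrong location) is denied by default.

```python
"""Tiny policy decision point (PDP) for policy-based access control.

Added example; it is not PlainID's product or code. A policy is data: the
role it applies to, the resource types and actions it covers, and conditions
over the subject, resource and environment attributes of a request. All
policies are evaluated; any permitting policy grants access, and anything not
covered by a permitting policy is denied (deny by default).
The attribute names and sample records below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Any, Callable, Dict, List, Optional, Set, Tuple

Attrs = Dict[str, Any]
Condition = Callable[[Attrs, Attrs, Attrs], bool]


@dataclass
class Policy:
    name: str
    role: str                  # the "who"
    resources: Set[str]        # the "what"
    actions: Set[str]
    conditions: List[Condition] = field(default_factory=list)  # the "when" and "which"

    def permits(self, subject: Attrs, resource: Attrs, env: Attrs, action: str) -> bool:
        if self.role not in subject.get("roles", ()):
            return False
        if resource.get("type") not in self.resources or action not in self.actions:
            return False
        # every condition must hold; a missing attribute fails closed
        return all(cond(subject, resource, env) for cond in self.conditions)


def same(attr: str) -> Condition:
    """Subject attribute must equal the resource attribute of the same name.
    The None check stops two *missing* attributes from matching each other."""
    return lambda s, r, e: s.get(attr) is not None and s.get(attr) == r.get(attr)


def during(start: time, end: time) -> Condition:
    """Environment time-of-day must fall inside [start, end]."""
    return lambda s, r, e: "time" in e and start <= e["time"] <= end


def located_in(*places: str) -> Condition:
    """Environment location must be one of the listed places."""
    return lambda s, r, e: e.get("location") in places


# Policies expressed as data, mirroring the plain-language statements above.
POLICIES = [
    # "Branch Managers can access the Client Basic Profile, Bank Accounts and
    #  Card Data of clients in the same LoB and same branch as themselves."
    Policy("branch-manager-client-data", "branch_manager",
           {"client_basic_profile", "bank_account", "card_data"}, {"read"},
           [same("lob"), same("branch")]),
    # "A doctor can view all medical records of a patient within their specialty",
    # layered with a location and a time-of-day condition (assumed values).
    Policy("doctor-records-in-specialty", "doctor",
           {"medical_record"}, {"read"},
           [same("specialty"), located_in("hospital", "clinic"),
            during(time(7, 0), time(20, 0))]),
]


def decide(subject: Attrs, resource: Attrs, env: Attrs, action: str,
           policies: List[Policy] = POLICIES) -> Tuple[str, Optional[str]]:
    """Return ("PERMIT", policy name) for the first permitting policy, else ("DENY", None)."""
    for policy in policies:
        if policy.permits(subject, resource, env, action):
            return "PERMIT", policy.name
    return "DENY", None


# Constructed sample subjects, resources and environments.
MANAGER = {"roles": ["branch_manager"], "lob": "retail", "branch": "B17"}
DOCTOR = {"roles": ["doctor"], "specialty": "cardiology"}
CARD_SAME_BRANCH = {"type": "card_data", "lob": "retail", "branch": "B17"}
CARD_OTHER_BRANCH = {"type": "card_data", "lob": "retail", "branch": "B22"}
CARDIO_RECORD = {"type": "medical_record", "specialty": "cardiology"}
ONCO_RECORD = {"type": "medical_record", "specialty": "oncology"}
DAYTIME_HOSPITAL = {"time": time(10, 30), "location": "hospital"}
NIGHT_HOME = {"time": time(23, 15), "location": "home"}


def demo() -> Dict[str, str]:
    """Evaluate a set of requests; only the same-branch and in-specialty
    daytime requests permit, everything else falls through to the default deny."""
    cases = {
        "manager_same_branch": (MANAGER, CARD_SAME_BRANCH, DAYTIME_HOSPITAL, "read"),
        "manager_other_branch": (MANAGER, CARD_OTHER_BRANCH, DAYTIME_HOSPITAL, "read"),
        "manager_write": (MANAGER, CARD_SAME_BRANCH, DAYTIME_HOSPITAL, "write"),
        "doctor_in_specialty": (DOCTOR, CARDIO_RECORD, DAYTIME_HOSPITAL, "read"),
        "doctor_other_specialty": (DOCTOR, ONCO_RECORD, DAYTIME_HOSPITAL, "read"),
        "doctor_night_from_home": (DOCTOR, CARDIO_RECORD, NIGHT_HOME, "read"),
        "doctor_reads_card_data": (DOCTOR, CARD_SAME_BRANCH, DAYTIME_HOSPITAL, "read"),
    }
    return {name: decide(*args)[0] for name, args in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24} {outcome}")
```

The `same(attr)` helper is where the "same LoB and same branch as themselves" clause lives: the policy is relative to the requester, so adding a new branch or specialty needs a new attribute value on the records, not a new policy. The explicit `is not None` guard matters in practice: without it a manager record with no branch attribute would "match" a client record with no branch attribute, and the default-deny would silently turn into a permit.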
Want to find out more about how PBAC can work for your business?
Click here to request a demo from a member of the PlainID Team today