Learning about Policy Based Access Control

July 29, 2020

Policy Based Access Control (PBAC) uses digital policies comprised of logical rules to maintain and evaluate user access dynamically.


As organizations embrace digital transformation and adopt Cloud-based services, access control models grow in importance to protect the firm’s intellectual property. Role Based Access Control has been a key component of most organizations’ access management strategy; however, organizations struggle to implement roles in a manageable way. One of the primary reasons for this is that roles follow the Pareto Principle, where a small number of roles drive 80 percent of a user’s access; the remaining access is managed by either workflows or the help desk. The challenge is that organizations want to automate everything, so they wind up with “role explosion,” where the number of roles is greater than the number of workers. While Role Based Access Control has a place in the organization to handle standard access patterns, Policy Based Access Control offers a framework to handle more of the access control workload.

Policy Based Access Control (PBAC) uses digital policies comprised of logical rules to maintain and evaluate user access dynamically. PBAC is essentially a framework to evaluate a user’s access based on what is known about that user at any given point in time, and it focuses on the authorization component of Access Management. This model follows the zero-trust approach, the “trust no one” security principle that defines and enforces strict access controls within an organization. (Read more about the NIST Zero Trust Architecture here.)


Idenhaus and PlainID presented the “Learning about Policy Based Access Control” webinar, which evaluated business challenges with common access control methods and discussed how PBAC benefits organizations that are looking to evolve their access control models to the next level. Other access control models don’t have device and session context at the moment of authorization, so PBAC gives organizations much more control and is more aligned with a Zero Trust security model.

Here are a few key questions and answers from the lively discussion and Q&A session at the end of the webinar.

Can PBAC be scaled to support large, complex organizations?

Yes, the dynamic features of a PBAC service allow for a single policy to be leveraged across multiple use cases and resources.

What makes Policy Based Access Control more dynamic than other methods (RBAC/ABAC, ACLs, groups)?

Most access control models use statically assigned rules that are based on the user’s attribute values at the time the role was assigned; they ignore session context or are unable to dynamically identify and enforce access patterns in a unified policy. PBAC combines real-time session information in the evaluation of access control decisions. The PBAC model allows you to centralize user attributes, mapped entitlements, session attributes, and data attributes and evaluate them in one policy. The policies can be very complex, but they operate very efficiently when centralized at the enterprise level.

PBAC supports continuous authorization rather than request-response authorization. Can you talk about how that benefits the business?

In this case, the user has been successfully authenticated, and the authorization layer can look at the attributes and what may have changed about the user or the data and make a decision about whether to prevent or continue to grant access. Any variable that changes drives the dynamic access subject to the evaluation of policy, which is the control. There are a lot of dynamic attributes that should be associated with run-time access, which supports continuous authentication. In data-sensitive environments, such as healthcare, access to patient data can be much more tightly controlled.
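To make the three answers above concrete (one policy reused across resource types, user/session/data attributes evaluated together, and re-evaluation when session context changes), here is a small policy decision point written for this post. It is an added illustration, not PlainID’s or Idenhaus’s code, and the attribute names it uses (department, assigned_patients, clearance, mfa, device_managed, network) are assumptions chosen for the example. The static role check beside it shows the contrast the second answer draws: a role grants the same permission regardless of session context, and every new resource type needs another role.

```python
"""Toy PBAC decision point contrasted with a static role check.

Added illustration for this post; not PlainID's or Idenhaus's code. The attribute
names (department, assigned_patients, clearance, mfa, device_managed, network)
are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]


@dataclass
class Request:
    """Everything the decision point knows at evaluation time."""
    user: Attrs       # identity attributes (directory / IdP)
    session: Attrs    # runtime context: MFA, device posture, network
    resource: Attrs   # data attributes of the object being accessed
    action: str


Condition = Tuple[str, Callable[[Request], bool]]


@dataclass
class Policy:
    name: str
    in_scope: Callable[[Request], bool]   # which actions/resources the policy governs
    conditions: List[Condition] = field(default_factory=list)


def evaluate(policy: Policy, req: Request) -> Tuple[str, List[str]]:
    """Return (decision, names of conditions that failed). Any failure is a DENY."""
    if not policy.in_scope(req):
        return "NOT_APPLICABLE", []
    failed = [name for name, check in policy.conditions if not check(req)]
    return ("PERMIT" if not failed else "DENY"), failed


# Static RBAC for comparison: the permission depends only on the role held,
# so session context never enters the decision and each resource type needs
# its own role-to-permission entry.
ROLE_PERMISSIONS = {"clinician": {("read", "patient_record")}}


def rbac_decision(user: Attrs, action: str, resource_type: str) -> str:
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.get("roles", [])))
    return "PERMIT" if (action, resource_type) in granted else "DENY"


# One PBAC policy governs every patient-data resource type; no per-type role needed.
PATIENT_DATA = {"patient_record", "lab_result", "imaging_study"}

patient_data_policy = Policy(
    name="clinical-read-patient-data",
    in_scope=lambda r: r.action == "read" and r.resource["type"] in PATIENT_DATA,
    conditions=[
        # user attributes
        ("user is clinical staff", lambda r: r.user["department"] == "clinical"),
        ("user is assigned to this patient",
         lambda r: r.resource["patient_id"] in r.user["assigned_patients"]),
        # data attribute checked against a user attribute
        ("sensitivity within clearance",
         lambda r: r.resource["sensitivity"] <= r.user["clearance"]),
        # session attributes
        ("session passed MFA", lambda r: r.session.get("mfa") is True),
        ("managed device on trusted network",
         lambda r: r.session.get("device_managed") is True
         and r.session.get("network") in {"corp", "vpn"}),
    ],
)


def continuous_authz(policy: Policy, req: Request, session_updates: List[Attrs]) -> List[str]:
    """Re-evaluate the same request each time the session context changes.

    Returns the sequence of decisions; an enforcement point would end the
    session at the first DENY instead of waiting for the next request.
    """
    decisions = [evaluate(policy, req)[0]]
    for update in session_updates:
        req.session = {**req.session, **update}
        decisions.append(evaluate(policy, req)[0])
    return decisions


if __name__ == "__main__":
    # Constructed sample data, not real users or records.
    dr = {"department": "clinical", "roles": ["clinician"],
          "assigned_patients": {"p-1"}, "clearance": 2}
    sess = {"mfa": True, "device_managed": True, "network": "corp"}
    labs = {"type": "lab_result", "patient_id": "p-1", "sensitivity": 2}
    req = Request(user=dr, session=dict(sess), resource=labs, action="read")
    print("PBAC:", evaluate(patient_data_policy, req))
    print("RBAC:", rbac_decision(dr, "read", "lab_result"))
    print("Continuous:", continuous_authz(patient_data_policy, req,
                                          [{"network": "public"}, {"network": "vpn"}]))
```

Running the block shows the point of the third answer: the same request that is permitted on the corporate network is denied the moment the session reports an untrusted network, and permitted again once it is back on VPN, without any change to the user’s role. The RBAC check denies the lab result outright because only a “patient_record” permission was ever mapped to the role, which is exactly where role explosion starts.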

For a deeper dive into Policy Based Access Control, watch the 45-minute webinar On-Demand now.


This post was written by Prajna Priyadarshini, Cybersecurity Analyst at Idenhaus Consulting. 

