
Policy-based Access Control (PBAC)

What makes PBAC more dynamic than static methods of authorization?

Unlike static forms of authorization, such as Role-based Access Control (RBAC), PBAC enables you to rapidly change entitlements based on new regulations or new corporate policies without auditing and changing roles throughout the organization. This ensures assets cannot be compromised and regulations are met.
Using policies to govern authorization also empowers business owners, who can ensure that data, resources and other core assets are used securely. The Axiomatics Policy Server is the centralized hub for storing and enforcing access control policies.

What is the difference between PBAC and ABAC?

PBAC and ABAC are essentially interchangeable in that both enforce policies using attributes. The key difference is which end of the access control model stack you look at: the policies tell the authorization engine what to do, and the attributes tell it how to do it.

Standardized vs non-standardized

Policy/Attribute Based Access Control from Axiomatics comes as standard with support for a standardized approach to expressing policies. Our ABAC solutions are developed in the standards-based language XACML, which has been approved by the Organization for the Advancement of Structured Information Standards (OASIS).
Policy Based Access Control solutions that do not follow the standardized ABAC model – i.e., non-standardized solutions – can expose you to vendor lock-in for authorization management.

Can PBAC be used to support large and complex organizations?

Standards-based PBAC is designed specifically to support organizations that have complex authorization requirements. Typically, larger organizations have areas of their business where roles will not suffice as a secure method for protecting sensitive data. Administering roles becomes a major drain on resources, while proving compliance becomes virtually impossible.
Using policy based authorization simplifies and strengthens organization-wide access control for developers, auditors, business owners, and IT security teams.

Key considerations for PBAC

Policy Based Access Control is not a quick fix. It takes time and resources to get it right, but once deployed it will provide savings and deliver the data security you need.

Start small and expand

Unless you are starting from scratch, you will already have an advanced authorization solution in place. Ripping it all out and starting again is a major undertaking, and unrealistic for most. Identify those areas most in need of secure data sharing and deploy a solution here first. Then you can expand your dynamic authorization solution.

Don’t take shortcuts

PBAC is not a silver bullet. You can’t write a policy without identifying the attributes that will be used to enforce authorization. Map your authorization requirements thoroughly according to regulations and data sharing requirements.

Externalize PBAC

Keep policies in an externalized server, such as the Axiomatics Policy Server, rather than directly in an application. This will enable policies to be applied organization-wide, in databases and data lakes, APIs, microservices, basically wherever they are required.

Utilize automated reporting

Regulations change, business policies change, and so do authorization needs. When authorization policies are edited you want reports to be automatically generated, otherwise you will lose control of who has access to what. An automated reporting tool can also provide data on who is accessing or has access to which data and under what conditions, should a policy rewrite be required.
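The points above (a policy change taking effect without touching roles, policies and attributes as the two ends of the model, attributes identified before a policy is written, policies held in an external decision point, and a report generated whenever a policy is edited) can be seen together in one small runnable illustration. The following is an added example, not Axiomatics code and not XACML syntax: it mirrors the XACML structure of rules with a Permit/Deny effect, a condition over subject, resource, action and environment attributes, and a deny-overrides combining algorithm, in plain Python so it runs without a policy server. The attribute names, the sample subjects and resources, and the "data residency" rule are all constructed for the example.

```python
"""Minimal externalized policy decision point (PDP) with a policy-change report.

Added example. Not Axiomatics code and not XACML; it only mirrors the XACML
idea of attribute-based rules combined under deny-overrides.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Attributes = Dict[str, object]   # flattened attribute bag, e.g. {"subject.department": "finance"}


@dataclass
class Rule:
    rule_id: str
    effect: str                              # "Permit" or "Deny"
    condition: Callable[[Attributes], bool]  # evaluated over the attribute bag


@dataclass
class Policy:
    policy_id: str
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, attrs: Attributes) -> str:
        """Deny-overrides: any matching Deny wins; else Permit if any rule permits."""
        decision = "NotApplicable"
        for rule in self.rules:
            if rule.condition(attrs):
                if rule.effect == "Deny":
                    return "Deny"
                decision = "Permit"
        return decision


def build_policy(require_residency: bool) -> Policy:
    """The policy as stored in the external PDP. The flag models a new regulation
    (constructed): data must be accessed from the region in which it is stored."""
    rules = [
        Rule("finance-read", "Permit",
             lambda a: a.get("subject.department") == "finance"
             and a.get("resource.type") == "ledger"
             and a.get("action") == "read"),
    ]
    if require_residency:
        # Added by editing the policy only; no role or application code changes.
        rules.append(Rule("data-residency", "Deny",
                          lambda a: a.get("subject.location") != a.get("resource.region")))
    return Policy("ledger-policy", rules)


# Constructed sample attribute sources (what an identity store / resource catalogue would supply).
SUBJECTS: Dict[str, Attributes] = {
    "alice": {"subject.department": "finance", "subject.location": "EU"},
    "bob":   {"subject.department": "finance", "subject.location": "US"},
    "carol": {"subject.department": "sales",   "subject.location": "EU"},
}
RESOURCES: Dict[str, Attributes] = {
    "ledger-eu": {"resource.type": "ledger", "resource.region": "EU"},
}


def decide(policy: Policy, subject_id: str, resource_id: str, action: str) -> str:
    """Assemble the attribute bag the way a policy enforcement point would and ask the PDP."""
    attrs: Attributes = {**SUBJECTS[subject_id], **RESOURCES[resource_id], "action": action}
    return policy.evaluate(attrs)


def enforce(policy: Policy, subject_id: str, resource_id: str, action: str) -> bool:
    """PEP behaviour: only an explicit Permit grants access; Deny and NotApplicable both refuse."""
    return decide(policy, subject_id, resource_id, action) == "Permit"


def entitlement_report(policy: Policy, action: str = "read") -> Dict[Tuple[str, str], str]:
    """Who can do `action` on what under this policy: the 'who has access to what' report."""
    return {(s, r): decide(policy, s, r, action) for s in SUBJECTS for r in RESOURCES}


def changed_entitlements(before: Policy, after: Policy, action: str = "read") -> List[Tuple[str, str]]:
    """Report generated on a policy edit: the (subject, resource) pairs whose decision changed."""
    old, new = entitlement_report(before, action), entitlement_report(after, action)
    return sorted(pair for pair in old if old[pair] != new[pair])


if __name__ == "__main__":
    current, revised = build_policy(False), build_policy(True)
    for pair in changed_entitlements(current, revised):
        print(pair, entitlement_report(current)[pair], "->", entitlement_report(revised)[pair])
```

Two things worth noticing when running it: the residency regulation is applied by adding one rule to the externally stored policy, and the report immediately shows that only bob's access to the EU ledger changed, so the review after the edit is a diff of decisions rather than an audit of roles. The PEP treats NotApplicable as a refusal, which is the safe default when a request falls outside every rule.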

How to choose the right access control solution

No matter where your critical assets are stored or how complex or distributed your architecture is, we can help you safeguard and securely share them. Our team has experts in defining requirements and tailoring the Attribute-based Access Control solution from our dynamic authorization suite to meet your authorization needs.