PBAC (Policy-Based Access Control) FAQ
What is PBAC and how does it differ from RBAC?
Policy-Based Access Control (PBAC) is a dynamic and flexible approach to authorization that goes beyond the traditional Role-Based Access Control (RBAC). While RBAC relies on static roles and permissions, PBAC uses policies to define access rules based on a combination of attributes and conditions, such as user properties, resource properties, environmental factors, and even real-time data.
Comparison of PBAC and RBAC
| Feature | PBAC - Policy-Based Access Control | RBAC - Role-Based Access Control |
|---|---|---|
Flexibility | High - policies adapt to changing contexts | Limited - relies on static roles |
Granularity | Fine-grained control based on various attributes | Coarse-grained, based on roles |
Complexity | More complex to implement and manage | Easier to implement and manage |
Auditability | Can be challenging due to dynamic policies | Easier to audit due to static roles |
Example:
- RBAC: A user with the "Manager" role has access to all employee data.
- PBAC: A user can only access employee data if they are the employee's manager and the data is related to performance reviews.
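The example above, worked through in code. This is an added illustration, not code from the original FAQ: the same question ("may this user read this employee record?") is answered once by an RBAC role check and once by a PBAC policy made of named conditions over user, resource and request attributes. All users, records, condition names and the policy itself are constructed for the example; the "explain" output lists which conditions failed, which is one way to keep dynamic policies auditable.

```python
"""Added example, not from the original FAQ: RBAC role check versus a PBAC
policy over attributes. Users, records and policy names are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

@dataclass(frozen=True)
class User:
    id: str
    roles: FrozenSet[str]

@dataclass(frozen=True)
class EmployeeRecord:
    employee_id: str
    manager_id: str   # who manages the employee this record is about
    category: str     # e.g. "performance_review" or "payroll"

Condition = Callable[[User, EmployeeRecord, Dict], bool]

def rbac_allows(user: User, record: EmployeeRecord) -> bool:
    """RBAC: a static role grants access to every employee record."""
    return "Manager" in user.roles

# PBAC: each condition is a named predicate over subject, resource and
# request context. A policy is a list of conditions that must all hold.
def is_direct_manager(user: User, record: EmployeeRecord, ctx: Dict) -> bool:
    return record.manager_id == user.id

def is_performance_review(user: User, record: EmployeeRecord, ctx: Dict) -> bool:
    return record.category == "performance_review"

def within_business_hours(user: User, record: EmployeeRecord, ctx: Dict) -> bool:
    # Environmental attribute taken from the request context; a missing
    # hour evaluates as -1 and therefore fails (deny by default).
    return 8 <= ctx.get("hour", -1) < 18

REVIEW_POLICY: List[Condition] = [is_direct_manager, is_performance_review,
                                 within_business_hours]

def pbac_evaluate(user: User, record: EmployeeRecord, ctx: Dict,
                  policy: List[Condition] = REVIEW_POLICY) -> Dict:
    """Deny by default; return the decision plus the names of the failed
    conditions so the outcome can be explained in an audit trail."""
    failed = [c.__name__ for c in policy if not c(user, record, ctx)]
    return {"allow": not failed, "failed": failed}

def decide(user: User, record: EmployeeRecord, ctx: Dict) -> Dict[str, bool]:
    """Side-by-side answer from both models for the same request."""
    return {"rbac": rbac_allows(user, record),
            "pbac": pbac_evaluate(user, record, ctx)["allow"]}

# Constructed sample data: alice and carol both hold the Manager role,
# but only alice is bob's manager.
ALICE = User("alice", frozenset({"Manager"}))
CAROL = User("carol", frozenset({"Manager"}))
BOB_REVIEW = EmployeeRecord("bob", manager_id="alice", category="performance_review")
BOB_PAYROLL = EmployeeRecord("bob", manager_id="alice", category="payroll")
DAYTIME = {"hour": 10}

if __name__ == "__main__":
    for who, rec in [(ALICE, BOB_REVIEW), (CAROL, BOB_REVIEW), (ALICE, BOB_PAYROLL)]:
        print(who.id, rec.category, decide(who, rec, DAYTIME),
              pbac_evaluate(who, rec, DAYTIME)["failed"])
```

Note that RBAC answers "yes" in all three cases because the role is the only input, while the PBAC policy denies carol (not bob's manager) and denies alice on payroll data (wrong category), and would also deny alice outside business hours.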
What are the benefits of using a PBAC approach?
PBAC provides several advantages over traditional access control methods:
- Increased Flexibility: Policies can be easily modified to adapt to evolving business needs and security requirements.
- Fine-grained Control: Enables granular access control based on a wide range of attributes and conditions, resulting in precise authorization decisions.
- Contextual Awareness: Policies can account for real-time information, such as device location, time of day, or risk scores, for more informed authorization decisions.
- Improved Security Posture: Enforcing stricter, dynamic access rules reduces the risk of unauthorized access and data breaches.
- Better Compliance: Offers a clear and auditable trail of authorization decisions, aiding regulatory compliance.
What is an "Approval Right" in the context of PBAC?
An Approval Right in PBAC is a specific right that defines who has the authority to approve access requests or assignments. Unlike traditional models that rely on external groups or roles, PBAC allows the definition of Approval Rights within the application itself.
How it Works:
- An Approval Right is created as a standard right within the PBAC system.
- Users or groups are granted this Approval Right, forming a virtual approval group.
- When an access request requires approval, the system checks for the designated Approval Right holders and routes the request to them.
This approach simplifies approval management by integrating it within the application's permission model.
How does "Split by Value for Approval" work in PBAC?
The Split by Value for Approval feature enables granular control over approval processes when access requests involve multiple values for a specific field type or scope.
Example: A user requests access to "Edit Videos" for two categories: "Compliance" and "Marketing."
How It Works:
- The system splits the request into separate business request items: one for "Compliance" and one for "Marketing."
- Each item may have its own approval workflow, routing to different approvers based on the category.
- Independent approval decisions can be made, allowing for one category to be approved while the other is rejected.
This feature is useful when different values require distinct approval authorities or levels of scrutiny.
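The two answers above (Approval Rights and Split by Value for Approval), as one added example that is not part of the original FAQ. An Approval Right is modelled as an ordinary right; a request for "Edit Videos" across several categories is split into one item per value, each item is routed to the holders of the matching Approval Right, and decisions are recorded independently. The right-naming convention `Approve:<right>:<value>`, the grant table and the users are constructed assumptions; a value with no Approval Right holder is marked unroutable rather than silently approved.

```python
"""Added example, not from the original FAQ: Approval Rights as ordinary
rights, and a multi-value request split into independently approved items.
Right names, users and categories are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class AccessRequest:
    requester: str
    right: str            # e.g. "Edit Videos"
    values: List[str]     # e.g. ["Compliance", "Marketing"] for the Category field

@dataclass
class RequestItem:
    requester: str
    right: str
    value: str
    approvers: Set[str] = field(default_factory=set)
    status: str = "pending"   # pending | approved | rejected | unroutable

def approval_right_name(right: str, value: str) -> str:
    # Assumed convention: one Approval Right per (right, value) pair.
    return f"Approve:{right}:{value}"

def split_by_value(req: AccessRequest) -> List[RequestItem]:
    """One business request item per value, so decisions are independent."""
    return [RequestItem(req.requester, req.right, v) for v in req.values]

def route(items: List[RequestItem], grants: Dict[str, Set[str]]) -> List[RequestItem]:
    """The virtual approval group for an item is everyone holding the
    Approval Right for that value. A requester never approves their own item."""
    for item in items:
        holders = set(grants.get(approval_right_name(item.right, item.value), set()))
        holders.discard(item.requester)
        item.approvers = holders
        if not holders:
            item.status = "unroutable"
    return items

def record_decision(item: RequestItem, approver: str, approve: bool) -> RequestItem:
    """Only a routed approver may decide, and only once."""
    if item.status != "pending":
        raise ValueError(f"item is {item.status}, not pending")
    if approver not in item.approvers:
        raise PermissionError(
            f"{approver} does not hold {approval_right_name(item.right, item.value)}")
    item.status = "approved" if approve else "rejected"
    return item

def granted_values(items: List[RequestItem]) -> List[str]:
    """Values the requester actually receives after all decisions."""
    return [i.value for i in items if i.status == "approved"]

# Constructed grants: who holds which Approval Right.
GRANTS: Dict[str, Set[str]] = {
    "Approve:Edit Videos:Compliance": {"alice", "dave"},
    "Approve:Edit Videos:Marketing": {"bob"},
}

def run_demo() -> List[RequestItem]:
    # dave holds the Compliance Approval Right but cannot approve his own request.
    req = AccessRequest("dave", "Edit Videos", ["Compliance", "Marketing", "Legal"])
    items = route(split_by_value(req), GRANTS)
    record_decision(items[0], "alice", True)     # Compliance approved
    record_decision(items[1], "bob", False)      # Marketing rejected
    return items                                 # Legal stays unroutable

if __name__ == "__main__":
    for it in run_demo():
        print(it.value, sorted(it.approvers), it.status)
```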
What are "Person Relative" or "Assignee Relative" field types?
Person Relative or Assignee Relative field types are attributes of the resource being accessed for which the access decision depends on a matching attribute of the assignee. These field types are evaluated in real time against the assignee's profile at the moment of access, rather than being statically assigned.
Example:
- Resource: Videos
- Assignee Relative Field Type: "Allowed Video Ratings" (e.g., G, PG, R)
- A user can view a video only if their profile allows them to view that video rating, dynamically evaluated at the time of access.
How can assignees manage their "Person Relative" field type values?
Assignees can manage their Person Relative field type values through self-service features within the application. The process typically involves:
- Creating a Dummy Right: A special right is created for managing Person Relative attributes, with no direct effect on access.
- Linking Field Types: The Person Relative field types are linked to this dummy right.
- Request and Approval: Users request changes to their Person Relative attributes, which go through an approval workflow.
- Fulfillment: Upon approval, the fulfillment process updates the assignee's profile with the new attribute values.
This process ensures proper authorization and control over the management of Person Relative attributes.
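The two answers above (the "Allowed Video Ratings" example and the self-service process for changing such values), as one added example that is not part of the original FAQ. The access check reads the assignee's profile at evaluation time, and the profile can only change through a request tied to a dummy right, an approval by someone else, and a fulfillment step; the dummy right itself is never consulted by the access check. Rating values, the right name `Manage Own Video Ratings`, the field name and the users are constructed assumptions.

```python
"""Added example, not from the original FAQ: an Assignee Relative field type
evaluated from the live profile, plus the dummy-right self-service flow
(request, approval, fulfillment) that updates that profile. Names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

RATINGS = {"G", "PG", "R"}
DUMMY_RIGHT = "Manage Own Video Ratings"     # carries no access of its own
LINKED_FIELD = "allowed_video_ratings"       # Person Relative field type

@dataclass
class Profile:
    assignee: str
    fields: Dict[str, Set[str]] = field(default_factory=dict)
    rights: Set[str] = field(default_factory=set)

@dataclass
class Video:
    title: str
    rating: str

@dataclass
class FieldChangeRequest:
    assignee: str
    field_type: str
    new_values: Set[str]
    status: str = "pending"      # pending | approved | fulfilled

def can_view(profile: Profile, video: Video) -> bool:
    """Evaluated at access time from the live profile. The dummy right is
    deliberately not consulted, so holding it grants nothing by itself."""
    if video.rating not in RATINGS:
        return False             # unknown rating: deny rather than guess
    return video.rating in profile.fields.get(LINKED_FIELD, set())

def request_change(profile: Profile, field_type: str, new_values: Set[str]) -> FieldChangeRequest:
    """Self-service request; allowed only through the linked dummy right."""
    if DUMMY_RIGHT not in profile.rights:
        raise PermissionError("assignee does not hold the self-service right")
    if field_type != LINKED_FIELD:
        raise ValueError(f"{field_type} is not linked to {DUMMY_RIGHT}")
    if not set(new_values) <= RATINGS:
        raise ValueError("unknown rating value requested")
    return FieldChangeRequest(profile.assignee, field_type, set(new_values))

def approve(req: FieldChangeRequest, approver: str, approvers: Set[str]) -> FieldChangeRequest:
    """Approval by a designated approver other than the assignee."""
    if approver not in approvers or approver == req.assignee:
        raise PermissionError("not an eligible approver")
    if req.status != "pending":
        raise ValueError(f"request is already {req.status}")
    req.status = "approved"
    return req

def fulfill(req: FieldChangeRequest, profiles: Dict[str, Profile]) -> Profile:
    """Only an approved request may write to the assignee's profile."""
    if req.status != "approved":
        raise ValueError(f"cannot fulfill a {req.status} request")
    prof = profiles[req.assignee]
    prof.fields[req.field_type] = set(req.new_values)
    req.status = "fulfilled"
    return prof

def run_demo() -> Tuple[bool, bool, str]:
    """Constructed walk-through: erin may view G and PG, asks for R, gets it."""
    profiles = {"erin": Profile("erin", {LINKED_FIELD: {"G", "PG"}}, {DUMMY_RIGHT})}
    r_movie = Video("Late Night Feature", "R")
    before = can_view(profiles["erin"], r_movie)
    req = request_change(profiles["erin"], LINKED_FIELD, {"G", "PG", "R"})
    approve(req, "alice", {"alice"})
    fulfill(req, profiles)
    after = can_view(profiles["erin"], r_movie)
    return before, after, req.status

if __name__ == "__main__":
    print(run_demo())   # (False, True, 'fulfilled')
```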
What is "Projection" in PBAC and why is it important?
Projection in PBAC extends PBAC policies to systems that do not natively support PBAC concepts, like external applications or cloud platforms (e.g., Azure). It allows centralized PBAC management, even for systems that rely on traditional roles or groups.
How Projection Works:
- Fulfillment Groups: External groups are designated as Fulfillment Groups and mapped to specific PBAC rights or roles.
- PBAC Assignments: When a user is assigned a PBAC right or role linked to a Fulfillment Group, the system verifies the user's group membership.
- Dynamic Group Membership: The projection engine automatically adds or removes users from the Fulfillment Group as needed, aligning external system access with PBAC policies.
This ensures consistent and centralized access control management across disparate systems.
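The projection steps above, as an added example that is not code from the original FAQ or from any particular product: a Fulfillment Group mapping is used to derive which users should be in each external group from their PBAC assignments, the result is diffed against the external system's current membership to produce add/remove operations, and a membership check answers whether a given assignment is currently fulfilled. The group names (prefixed `AZ-` to suggest an Azure-style directory), rights, users and the `apply_ops` stand-in for the external API are constructed assumptions; groups not designated as Fulfillment Groups are never touched.

```python
"""Added example, not from the original FAQ: deriving desired Fulfillment Group
membership from PBAC assignments and reconciling an external system to it.
Group names, rights and users are constructed."""
from typing import Dict, Set

# Fulfillment Groups: external group -> the PBAC rights/roles it fulfills.
FULFILLMENT_GROUPS: Dict[str, Set[str]] = {
    "AZ-VideoEditors": {"Edit Videos"},
    "AZ-Auditors": {"View Audit Log", "Export Reports"},
}

def desired_membership(assignments: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """user -> assigned rights  ==>  fulfillment group -> users who belong in it."""
    desired: Dict[str, Set[str]] = {g: set() for g in FULFILLMENT_GROUPS}
    for user, rights in assignments.items():
        for group, fulfilled in FULFILLMENT_GROUPS.items():
            if rights & fulfilled:
                desired[group].add(user)
    return desired

def reconcile(assignments: Dict[str, Set[str]],
              external_groups: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Return {group: {"add": users, "remove": users}} for Fulfillment Groups
    only; external groups that are not Fulfillment Groups are left alone."""
    ops: Dict[str, Dict[str, Set[str]]] = {}
    for group, want in desired_membership(assignments).items():
        have = set(external_groups.get(group, set()))
        ops[group] = {"add": want - have, "remove": have - want}
    return ops

def apply_ops(external_groups: Dict[str, Set[str]],
              ops: Dict[str, Dict[str, Set[str]]]) -> Dict[str, Set[str]]:
    """Stand-in for the external system's group API; returns the new state."""
    result = {g: set(m) for g, m in external_groups.items()}
    for group, change in ops.items():
        members = result.setdefault(group, set())
        members -= change["remove"]
        members |= change["add"]
    return result

def verify_membership(user: str, right: str, external_groups: Dict[str, Set[str]]) -> bool:
    """Check made when a PBAC right linked to a Fulfillment Group is assigned:
    is the user already in some group that fulfills that right?"""
    return any(user in external_groups.get(g, set())
               for g, rights in FULFILLMENT_GROUPS.items() if right in rights)

# Constructed state: PBAC assignments and the external directory as found.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"Edit Videos"},
    "bob": {"View Audit Log"},
    "carol": {"Edit Videos", "Export Reports"},
}
EXTERNAL_GROUPS: Dict[str, Set[str]] = {
    "AZ-VideoEditors": {"alice", "frank"},   # frank has no PBAC assignment
    "AZ-Auditors": set(),
    "AZ-Unmanaged": {"eve"},                 # not a Fulfillment Group
}

if __name__ == "__main__":
    ops = reconcile(ASSIGNMENTS, EXTERNAL_GROUPS)
    for group, change in ops.items():
        print(group, "add", sorted(change["add"]), "remove", sorted(change["remove"]))
    print(apply_ops(EXTERNAL_GROUPS, ops))
```

Running the reconcile a second time against the applied state yields empty operations, which is the property a projection engine should hold: once the external groups match the PBAC assignments there is nothing left to change.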
What is the benefit of a unified PBAC data model?
A unified PBAC data model is crucial for effective access management across diverse systems. By standardizing permissions, roles, and attributes into a common structure, it:
- Provides a Single Source of Truth: Centralizes management and analysis of access rights from all sources.
- Simplifies Risk Assessment: Facilitates the identification and mitigation of potential vulnerabilities.
- Enables Cross-System Reporting: Generates comprehensive reports detailing access across all connected systems.
- Streamlines Access Certification: Simplifies the process of access review and recertification, ensuring ongoing security and compliance.
- Promotes Consistency: Applies uniform access control policies and practices across all platforms and applications.
This unified approach is essential for comprehensive and effective access governance in complex IT environments.