PBAC Vs RBAC: Why Role Based Access Control Is Not Enough

Gal Helemski
February 28, 2023

Authorization, the process of determining who can access what, has been evolving steadily since the 1980s. Today, flexible, dynamic Policy Based Access Control (PBAC)  secures an ever increasing volume of data against ever evolving cyber-threats.

The Evolution of Authorization

Role Based Access Control (RBAC):

RBAC was introduced in 1992, to address inadequacies in computer security. RBAC creates roles for every organizational functionality, giving each role permission to access certain resources, and linking users to roles.

RBAC provided flexibility that ACL lacked. Changes to a role’s permissions automatically update permissions of each user with that role. If a user changes their role, their permissions change with them.

But RBAC still has many drawbacks, among them:

  • Coarse Grained and Static Access Decisions: RBAC limits authorization based only on a user’s role, ignoring attributes  and conditions that are bound to change, such as time, location, or device. It has fixed access rights, with no provision for temporary changes (e.g. an employee in one department temporarily assigned to another).

  • Role Explosion: As companies expand, many similar but slightly different roles are defined, often by the thousands or tens of thousands. It may be difficult to determine the granular permissions associated with specific roles. Also, it may be hard to track roles of users who experience changes in responsibilities or leave the business altogether. Unneeded permissions may not be revoked, creating a security risk and downstream  compliance and audit issues.

It is not quick and easy to update RBAC policies in response to unauthorized access and data breaches These problems create serious security issues, making compliance with GDPR and other security regulations difficult.

Policy Based Access Control (PBAC):


PBAC has the flexibility to be Fine-Grained or Coarse-Grained: PBAC supports environmental and contextual controls, so policies can be set to grant access to resources at certain times and from certain locations and even evaluate relationships between identities and resources. Groups of users can be added, removed, or amended with ease and obsolete permissions revoked with a click.

PBAC makes it easy to create and test policies: PlainID Policy Manager has easy to use GUI, for quick writing, reviewing, testing and implementing of even the most complex access policies. Unlike PBAC, for example, XACML, a standardized Attribute Based Access Control language, requires specific coding skills and can’t be used or understood by people who aren’t experienced developers.

PBAC gives transparency and visibility: Visualizing and mapping the relationship between the identities and the resources is the first step in setting a strong access management policy. PBAC gives administrators a clear view of who is authorized to do what, across all organizational assets. It also provides full and transparent visibility for compliance with GDPR and other relevant regulations. As a result of its many strengths, PBAC closes security gaps left by RBAC, enhances your cybersecurity and delivers a proactive response to Data and Privacy regulation compliance.

In summary:

Companies that haven’t solved for access control are not only putting themselves at risk -- they are also suboptimizing every dollar of their cybersecurity spend.” - Richard Bird, Forbes Technology Council

RBAC has dominated access control since the 1990’s, but it doesn’t suit the needs of today’s fast paced, diverse, cloud-based environments.

By contrast, PlainID’s Authorization Platform offers contextual, fine-grained access control, and full visibility, together with an easy to use UI for authoring and managing complex access policies, without code. PBAC offers a proactive approach to compliance and gives the best access control for cybersecurity needs. All this, without interrupting the workflow of legitimate users.

Want to know more? Download the Whitepaper: PBAC vs RBAC: The Truth





Most Popular Posts