What is role and policy based access control?

For digital services, whether web service, shop or app, choosing the right access control strategy is critical to securing the technical resources and thus access to data and functions of an application.

Reading time: 3 minutes



Role-based access control (RBAC) and policy-based access control (PBAC) are two popular approaches. But what exactly are they, what advantages do they offer, and which use cases suit each of them? That is what we briefly introduce here.

RBAC: Role-based access control

With RBAC, roles are assigned to users. When a user accesses an application, those roles are passed to it, typically as claims in the user's token. The application then decides, on the basis of the roles, which functions and data it makes available to the user.

A role thus abstracts an authorisation profile within the application. This simplifies the administration of permissions: an administrator assigns or revokes predefined roles such as "manager" or "developer" instead of individual permissions. The mapping from role to permission, however, lives in the application's code or configuration, so changing what a role may do means changing the application.

Advantages & use cases:

  • Simplifies access management
  • Ideal for organisations with clearly defined roles
  • Works well in hierarchical structures
  • Evaluation of the role takes place in the application (no external policy server needed)


PBAC: Policy based access control

PBAC is a more dynamic and flexible approach in which access decisions are made on the basis of policies that consider several properties of the digital identity and of the request: the assigned roles, but also, for example, the location or the time of the request. In this sense PBAC combines attribute-based access control (ABAC) with RBAC.

A crucial difference is that the policy is not evaluated in the application but in a policy server. The evaluation yields a decision on whether the user may access the requested resource in the application or not. That decision is returned to the application, which is responsible for enforcing it.

Moving the so-called Policy Decision Point (PDP) from the application to the policy server reduces long-term change costs in the applications, because changes to permissions are made centrally on the server side rather than in each application. This matters especially in a microservice landscape, where the same rule would otherwise have to be changed in many services. The Policy Enforcement Point (PEP) remains in the application: it has to request the decision and act on it.
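To make the two models concrete, here is an added example (not code from the article and not Keycloak's API) that decides the same request twice: once the RBAC way, with the role-to-permission mapping inside the application, and once the PBAC way, with a small policy server (PDP) that evaluates role, country and time of the request and an application (PEP) that only enforces the answer. The roles, resources, policies and the decision strategy are constructed for illustration; the grouping of policies into a permission with a UNANIMOUS/AFFIRMATIVE strategy is loosely modelled on how Keycloak Authorization Services work, but the names here are assumptions.

```python
"""RBAC (decision in the app) vs PBAC (decision in a PDP, enforcement in the app).
Added example: all roles, resources, policies and timestamps are constructed."""
from dataclasses import dataclass
from datetime import datetime, time, timezone
from typing import Callable

# ---------- RBAC: the role -> permission mapping lives in the application ----------

# Assumed role profiles; in a real deployment the roles arrive as token claims.
ROLE_PERMISSIONS = {
    "manager": {"report:read", "report:approve"},
    "developer": {"report:read", "deploy:write"},
}


def rbac_allowed(roles, permission: str) -> bool:
    """Application-side decision: union of the user's role profiles.
    Roles the application does not know grant nothing (default deny)."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    return permission in granted


# ---------- PBAC: policies are evaluated in a policy server, not in the app ----------

@dataclass(frozen=True)
class Request:
    subject: str
    roles: frozenset
    resource: str
    action: str
    country: str     # attribute: where the request comes from
    at: datetime     # attribute: when it was made (UTC)


@dataclass
class Permission:
    """Ties a resource/action to the policies that must agree (assumed model)."""
    resource: str
    action: str
    policies: list[Callable[[Request], bool]]
    strategy: str = "UNANIMOUS"   # or "AFFIRMATIVE": one agreeing policy suffices


def business_hours(req: Request) -> bool:
    """Mon-Fri, 08:00-18:00 UTC."""
    return req.at.weekday() < 5 and time(8, 0) <= req.at.time() < time(18, 0)


class PolicyDecisionPoint:
    """The PDP: the only place that knows the rules. Anything unmatched is DENY."""

    def __init__(self, permissions):
        self.permissions = permissions

    def decide(self, req: Request) -> str:
        for perm in self.permissions:
            if (perm.resource, perm.action) != (req.resource, req.action):
                continue
            votes = [policy(req) for policy in perm.policies]
            agreed = all(votes) if perm.strategy == "UNANIMOUS" else any(votes)
            if agreed:
                return "PERMIT"
        return "DENY"


class ReportService:
    """The application as PEP: no rules of its own, fails closed on anything
    but an explicit PERMIT from the PDP."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp

    def approve_report(self, req: Request) -> str:
        if self.pdp.decide(req) != "PERMIT":
            raise PermissionError(f"{req.subject} may not {req.action} {req.resource}")
        return f"report approved by {req.subject}"


def build_pdp() -> PolicyDecisionPoint:
    """Assumed policy set: managers may approve reports, but only from an
    in-region request and during business hours. Changing a rule here does
    not touch ReportService."""
    return PolicyDecisionPoint([
        Permission("report", "approve", [
            lambda r: "manager" in r.roles,
            lambda r: r.country in {"DE", "AT", "CH"},
            business_hours,
        ]),
    ])


def make_request(subject, roles, country, at) -> Request:
    return Request(subject, frozenset(roles), "report", "approve", country, at)


TUESDAY_10 = datetime(2024, 6, 11, 10, 0, tzinfo=timezone.utc)   # weekday
SUNDAY_10 = datetime(2024, 6, 9, 10, 0, tzinfo=timezone.utc)     # weekend


def demo() -> dict:
    """PDP decisions for four constructed requests, keyed by a label."""
    pdp = build_pdp()
    cases = {
        "manager, DE, Tuesday 10:00": make_request("alice", ["manager"], "DE", TUESDAY_10),
        "manager, DE, Sunday 10:00": make_request("alice", ["manager"], "DE", SUNDAY_10),
        "manager, US, Tuesday 10:00": make_request("alice", ["manager"], "US", TUESDAY_10),
        "developer, DE, Tuesday 10:00": make_request("bob", ["developer"], "DE", TUESDAY_10),
    }
    return {label: pdp.decide(req) for label, req in cases.items()}


if __name__ == "__main__":
    print("RBAC, manager -> report:approve:", rbac_allowed(["manager"], "report:approve"))
    for label, decision in demo().items():
        print(f"PBAC, {label}: {decision}")
    print(ReportService(build_pdp()).approve_report(
        make_request("alice", ["manager"], "DE", TUESDAY_10)))
```

Note the asymmetry: under RBAC the manager's request is allowed whatever its origin or time, because the application only sees the role; under PBAC the same role is necessary but not sufficient, and tightening the time window or the region list is an edit to `build_pdp` alone. The PEP treats every answer other than an explicit PERMIT as a denial, which is the behaviour to keep if the policy server is unreachable.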

Centralisation can also improve security: authorisation logic is no longer scattered across the applications but evaluated in one place, so fewer systems contain logic whose bugs or compromise can lead to wrong access decisions, and the rules are easier to review and audit. The flip side is that the policy server becomes a high-value target and a runtime dependency for every application that relies on it: it must be hardened and highly available, and each PEP should fail closed, i.e. deny access, when it cannot obtain a decision.

The open source software Keycloak, for example, supports policy-based access control through its Authorization Services.

Advantages & use cases:

  • Provides fine-grained control
  • Easily adapts to changing business requirements
  • Reduces implementation and maintenance costs in applications
  • Authorisation logic is evaluated, reviewed and audited in one place


RBAC vs. PBAC: Which approach is right?

Both approaches have their merits, but the choice between RBAC and PBAC depends on the specific needs of the organisation or product. RBAC is often better suited to organisations or products with clearly defined roles and a hierarchical structure. PBAC offers greater flexibility and is better suited to organisations and products with complex access requirements or those that need to adapt to changing business conditions. Since policies can reference roles, the two are not mutually exclusive: an RBAC setup can be extended with policies as the requirements grow.
