IT Glossary
Policy-Based Access Control (PBAC) governs access through central policies that blend roles and attributes. Learn how PBAC works and compares to RBAC.
July 3, 2026
Policy-Based Access Control (PBAC) is an access control approach where access decisions are governed by centrally defined policies that combine roles, attributes, and business rules. Often seen as an evolution that unifies RBAC and ABAC, PBAC expresses access logic as human-readable policies, which improves consistency, auditability, and adaptability across complex, multi-application environments.
The three models differ in what they are based on and where they shine. RBAC is based on roles and is simple and predictable. ABAC is based on attributes and context and is granular and dynamic. PBAC is based on central policies that blend both, and is consistent, auditable, and adaptable.
A multinational defines one policy: "Finance staff may approve invoices up to their grade limit, only from corporate devices, only in their region." That single policy blends role (finance), attribute (grade, region, device), and business rule (limit). PBAC keeps the logic in one auditable place rather than spread across each app, which is valuable when regulators ask how access decisions are made.
Not exactly. ABAC focuses on attributes, while PBAC centralizes access logic in policies that can use roles and attributes together, making it broader and more governance-oriented.
PBAC suits complex environments where access depends on multiple factors and where a single, auditable source of access logic is important for compliance.
It usually unifies them rather than replacing them. RBAC and ABAC become inputs to centrally managed policies.