IT Glossary

Policy-Based Access Control (PBAC)

Policy-Based Access Control (PBAC) governs access through central policies that blend roles and attributes. Learn how PBAC works and compares to RBAC.

July 3, 2026

What is Policy-Based Access Control (PBAC)?

Policy-Based Access Control (PBAC) is an access control approach where access decisions are governed by centrally defined policies that combine roles, attributes, and business rules. Often seen as an evolution that unifies RBAC and ABAC, PBAC expresses access logic as human-readable policies, which improves consistency, auditability, and adaptability across complex, multi-application environments.

How PBAC works

  • Access rules are written as central policies, not scattered settings.
  • Policies can reference both roles (RBAC) and attributes (ABAC).
  • A policy engine evaluates each request against the active policies.
  • Policies are versioned and auditable, which supports compliance.
  • Changing a policy updates access consistently everywhere it applies.

RBAC vs ABAC vs PBAC

The three models differ in what they are based on and where they shine. RBAC is based on roles and is simple and predictable. ABAC is based on attributes and context and is granular and dynamic. PBAC is based on central policies that blend both, and is consistent, auditable, and adaptable.

Examples and use cases

A multinational defines one policy: "Finance staff may approve invoices up to their grade limit, only from corporate devices, only in their region." That single policy blends role (finance), attribute (grade, region, device), and business rule (limit). PBAC keeps the logic in one auditable place rather than spread across each app, which is valuable when regulators ask how access decisions are made.

Related concepts

FAQ

Is PBAC the same as ABAC?

Not exactly. ABAC focuses on attributes, while PBAC centralizes access logic in policies that can use roles and attributes together, making it broader and more governance-oriented.

Why choose PBAC over RBAC?

PBAC suits complex environments where access depends on multiple factors and where a single, auditable source of access logic is important for compliance.

Does PBAC replace RBAC and ABAC?

It usually unifies them rather than replacing them. RBAC and ABAC become inputs to centrally managed policies.

Request a demo