Policy-Based Access Control (PBAC) is an advanced access control model that enables organizations to create and enforce security policies that dictate who can access specific resources and under what circumstances.
PBAC focuses on the dynamic evaluation of policies and attributes to determine access permissions. Unlike simpler models such as Role-Based Access Control (RBAC), PBAC enables fine-grained, context-aware decisions based on multiple factors.
PBAC allows organizations to manage access to resources by defining policies that consider:
Unlike traditional governance approaches that document policies in prose, PBAC implements governance as executable code. Policies are machine-readable, automatically enforced, and produce auditable decision records. This transforms governance from a compliance exercise into an operational capability.
PBAC enables organizations to create fine-grained access control policies considering various attributes. This level of control minimizes the risk of unauthorized access and reduces the attack surface.
PBAC simplifies access control management by centralizing policy enforcement and administration. Organizations can manage access permissions from a single location, reducing complexity.
PBAC is highly scalable and can accommodate organizational growth without requiring significant changes to the underlying infrastructure.
By centralizing access control policy management and providing detailed audit trails, PBAC enables organizations to demonstrate compliance with various industry standards and regulations (GDPR, HIPAA, SOX).
The Policy Decision Point is responsible for evaluating access control policies and making access decisions. It processes requests and evaluates them against defined policies.
In the Manetu PolicyEngine, the PDP is the core engine that:
The Policy Enforcement Point intercepts access requests, gathers relevant attributes, and forwards requests to the PDP for evaluation. Based on the PDP's decision, the PEP either grants or denies access.
Examples of PEPs:
The Policy Administration Point manages access control policies, including their creation, modification, and deletion. It allows administrators to define and update policies in a centralized location.
In the Manetu PolicyEngine, policies are defined using PolicyDomain YAML files and the mpe CLI for building and validation. The deployment model differs by offering:
Community Edition: Policies are deployed directly using the mpe CLI or Go API.
Premium Offering: A centralized PAP service orchestrates policy configuration across distributed PDPs, including stand-alone PolicyEngine services and operator-managed sidecars in Kubernetes environments.
| Model | Description | Limitations |
|---|---|---|
| DAC | Discretionary - owner controls access | No central control |
| MAC | Mandatory - system enforces levels | Rigid, hard to change |
| RBAC | Role-Based - roles grant permissions | Role explosion, no context |
| ABAC | Attribute-Based - attributes determine access | Complex attribute management |
| PBAC | Policy-Based - policies make decisions | Requires policy expertise |
:::tip PBAC combines the best aspects of RBAC and ABAC while adding the flexibility of programmable policies. :::
The Manetu PolicyEngine implements PBAC using:
Can you improve this documentation?Edit on GitHub
cljdoc builds & hosts documentation for Clojure/Script libraries
| Ctrl+k | Jump to recent docs |
| ← | Move to previous article |
| → | Move to next article |
| Ctrl+/ | Jump to the search field |