LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the three main access control models (ABAC, RBAC, PBAC)?

RBAC grants access by a user's role, ABAC by attributes of user/resource/environment, and PBAC by rich written policies — increasing in flexibility and complexity in that order.

RBAC (roles, simple), ABAC (attributes, flexible), PBAC (policies, XACML) — increasing flexibility and complexity.

* RBAC vs ABAC vs PBAC — by what they decide on (roles / attributes / policies) and their growing flexibility and complexity. *

Model Basis Complexity Example
RBAC Roles Simple Admin, Editor, Viewer
ABAC Attributes Flexible "Dept X can access X docs during work hours"
PBAC Policies Complex XACML rule engine

RBAC (Role-Based): Users → Roles → Permissions

  • Most common, easy to understand
  • "Admins can do everything, viewers can only read"

ABAC (Attribute-Based): Decisions based on user/resource/environment attributes

  • Very fine-grained control
  • "User in HR dept + document classified HR + during business hours = allow"

PBAC (Policy-Based): Rules/policies determine access

  • Most flexible, most complex
  • Often uses XACML for policy definition

Tip: Most real systems combine these - e.g., RBAC for basic structure + ABAC for fine-grained rules.

Go deeper:

From Quiz: SPRG / Authorization | Updated: Jul 14, 2026