Quiz Entry - updated: 2026.07.14
What are the three main access control models (ABAC, RBAC, PBAC)?
RBAC grants access by a user's role, ABAC by attributes of user/resource/environment, and PBAC by rich written policies — increasing in flexibility and complexity in that order.
* RBAC vs ABAC vs PBAC — by what they decide on (roles / attributes / policies) and their growing flexibility and complexity. *
| Model | Basis | Complexity | Example |
|---|---|---|---|
| RBAC | Roles | Simple | Admin, Editor, Viewer |
| ABAC | Attributes | Flexible | "Dept X can access X docs during work hours" |
| PBAC | Policies | Complex | XACML rule engine |
RBAC (Role-Based): Users → Roles → Permissions
- Most common, easy to understand
- "Admins can do everything, viewers can only read"
ABAC (Attribute-Based): Decisions based on user/resource/environment attributes
- Very fine-grained control
- "User in HR dept + document classified HR + during business hours = allow"
PBAC (Policy-Based): Rules/policies determine access
- Most flexible, most complex
- Often uses XACML for policy definition
Tip: Most real systems combine these - e.g., RBAC for basic structure + ABAC for fine-grained rules.
Go deeper:
Role-based access control (Wikipedia) — role hierarchies, separation of duties, RBAC-vs-ABAC/ACL comparisons.
Attribute-based access control (Wikipedia) — how user/resource/environment attributes and policies drive fine-grained decisions.