Skip to content
Glossary Term

Policy-Based Access Control

What is Policy-based Access Control? 

The National Institute of Standards and Technology defines Policy-based Access Control (PBAC) as “a strategy for managing user access to one or more systems, where the business roles of users are combined with policies to determine what access privileges users of each role should have”. This allows administrators to define policies that dictate who is allowed to access which resources, and under what conditions. In policy-based access control, access to resources is granted or denied based on the policies that have been set by the administrator. This type of access control is often used in organizations where there is a need to control access to sensitive information or resources.

Policy-based Access Control Model 

A policy-based access control model is a method of controlling access to data. The model uses a set of predefined policies to determine who is allowed to access data and under what conditions. Policies are typically defined by data stewards and are based on the principle of least privilege, which means that users are granted the minimum level of access necessary to perform their job functions. This decision is made by assessing the user’s identity, the databases they are requesting access to, and the reason they are requesting access. Policies can be defined by a variety of criteria, such as user roles, time of day, location, and level of sensitivity. PBAC is largely considered one of the most flexible and efficient ways to control access to data because administrators are able to easily define & change access rules, allowing them to adapt to the changing needs of organizations. 


Policy-based access control and role-based access control are two different methods for controlling access to resources in a computer system. In general, policy-based access control is considered to be more flexible and powerful than role-based access control. This is because policy-based access control allows administrators to create fine-grained policies that specify exactly which users are allowed to access which resources, and under what conditions. With role-based access control, on the other hand, access is determined based on the roles that users have within the system, which can be less flexible and may not adequately reflect the specific needs of the organization. Additionally, policy-based access control allows for the creation of complex, nested policies that can be used to model complex organizational structures and access control requirements, whereas role-based access control is typically limited to simple, hierarchical models.

Policy-Based Access Control Use Cases 

In all cases, PBAC can be used to ensure that sensitive information is protected and that only authorized personnel have access to it, according to company policy. The key is that access and permissions change as the policies do. 

Banking: In the financial industry, PBAC can be used to control access to financial records and transactions. For example, PBAC can be used to limit access to account information to only authorized personnel and prevent PII from being exposed to unauthorized employees. This means that organizations can actually use financial data to predict sales cycles, enhance sales reporting, and create targeting campaign planning. 

Healthcare: In healthcare, PBAC controls access to medical records and patient information that is covered under HIPAA and classified as PII. This allows medical professionals to deliver the highest level of care, without exposing sensitive information or breaking regulatory requirements. 

Telecom: In telecom, PBAC is used to ensure that access to customer information and network resources are in line with policies. Safely accessing and collaborating on datasets greatly increases their chances to gain insight and create business opportunities, by using predictive analysis to keep and maintain customer relationships. 

Insurance: PBAC helps ensure that insurance companies stay current on regulations while still accessing data to enable the safe sharing, transfer, and collaboration on data. In the insurance industry, this means using data to offer appropriate plans, premiums, and options, while ensuring that only the authorized personnel have access. 

Velotix Logo

Gain Data Visibility & Control

Discover and secure your data so only
the right people have access.