Purpose-Based Access Control (PBAC) is a relatively new approach to access control. Unlike, for example, Role-Based Access Control (RBAC), where roles are set up for specific purposes and users are assigned to those roles, Purpose-Based Access Control takes a more dynamic approach: both users and applications are assigned directly to purposes, and a purpose is created at the moment an access request is made. A purpose may be generating reports, performing audits, creating new applications, and so on.
How Does Purpose-Based Access Control Differ from Other Access Control Mechanisms?
Previously, organizations would typically choose one of three types of access control method:
Attribute-Based Access Control (ABAC)
ABAC grants or revokes access according to the specific attributes of a given user. For example, if the user is an employee and their department is HR, they will be granted access to the HR/Payroll system, and only during the hours relevant to the company's time zone. ABAC is also sometimes referred to as policy-based access control, which is not very helpful, since that name shares the PBAC abbreviation.
Role-Based Access Control (RBAC)
RBAC is where roles such as administrator, specialist user, or end-user are created, and users are assigned to these roles. RBAC is perhaps the most common method of controlling access because of its simplicity; however, many security specialists now argue that purpose-based access control is a more viable method.
Policy-Based Access Control (also known as PBAC)
This type of access control is thought of as a combination of ABAC and RBAC. Policies are set up to determine which roles, with which attributes, can access which systems and data.
Of these three methods, attribute-based access control (ABAC) is probably the closest to purpose-based access control. Purpose-based access control also shares similarities with RBAC; however, as mentioned above, RBAC is no longer considered granular enough to adequately protect our data and comply with the relevant data privacy laws.
Not only that, but RBAC requires far too much manual input, which not only slows the granting and revoking of permissions but also requires constant maintenance and is prone to error. It's also worth noting that purpose-based access control can be combined with some or all of the above methods if necessary.
Why is Purpose-Based Access Control Necessary?
Purpose-based access control is becoming increasingly popular due to its simplicity and flexibility. PBAC can also help organizations comply with data privacy regulations such as GDPR and HIPAA. For example, the GDPR's Purpose Limitation Principle states that “Personal data should only be collected and processed for a legitimate specific purpose”.
As such, allowing users and applications to issue access requests for a specific purpose ensures that they only have access to the systems and data they need at any given time. PBAC also helps with auditing, as each access request and approval can be logged and reviewed by the security team.
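As an added illustration (not code from the original article), the following Python sketch models the request-for-a-purpose flow described above: constructed sample policies bind each purpose to the principals that may invoke it, the resources it covers and the data categories it may process, and every decision is written to an audit log for later review. The purpose names, principals, resources and categories are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Constructed sample policies. Each purpose names who may invoke it, which
# resources it may touch and which data categories it may process; anything
# not listed is denied (the purpose-limitation idea from the text above).
PURPOSE_POLICIES: Dict[str, Dict[str, Set[str]]] = {
    "payroll-processing": {
        "principals": {"user:hr"},                      # "kind:department"
        "resources": {"hr/payroll"},
        "categories": {"salary", "bank_details"},
    },
    "quarterly-report": {
        "principals": {"user:finance", "application:reporting"},
        "resources": {"hr/payroll", "finance/ledger"},
        "categories": {"salary"},                       # no bank data for reports
    },
}

@dataclass
class AccessRequest:
    principal: str        # e.g. "user:finance" or "application:reporting"
    purpose: str          # the purpose declared with the request
    resource: str
    categories: Set[str]  # data categories the caller wants to process

AUDIT_LOG: List[dict] = []  # every decision, allowed or not, is recorded

def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Evaluate a purpose-bound request and return (allowed, reason)."""
    policy = PURPOSE_POLICIES.get(req.purpose)
    if policy is None:
        return False, "unknown purpose"
    if req.principal not in policy["principals"]:
        return False, "principal not eligible for purpose"
    if req.resource not in policy["resources"]:
        return False, "resource outside purpose"
    excess = req.categories - policy["categories"]
    if excess:
        return False, "categories not covered by purpose: %s" % sorted(excess)
    return True, "ok"

def request_access(req: AccessRequest) -> bool:
    """Decide the request and append the outcome to the audit log."""
    allowed, reason = decide(req)
    AUDIT_LOG.append({"at": datetime.now(timezone.utc).isoformat(),
                      "principal": req.principal, "purpose": req.purpose,
                      "resource": req.resource, "allowed": allowed, "reason": reason})
    return allowed
```

Note that the same principal asking for the same resource gets a different answer depending on the declared purpose, which is the distinction from a role that grants the resource outright.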