...

PBAC and NGAC are similar and, for this paper and for examining our model, we will use the more common term PBAC. In Figure 29 below, we have a PBAC policy that grants the Read, Edit, Print, and Delete permissions to members of the Doctor role, but with some ABAC-style constraints. Our constraints, or policy conditions, are that the company cannot be in ‘Emergency Mode,’ the user must be accessing from the ‘internal’ network, and the session must use strong MFA authentication (LoA/MFA ‘≥ 2’). The main difference between this PBAC policy and ABAC is that the policy is assigned to the Doctor role. This assignment would typically be represented in a relational or graph database, giving auditors a clear picture of who granted the assignment and at least a partial answer concerning which permissions the members of the Doctor role have themselves been granted. The assignment is visible, tangible, and can be recertified periodically. Furthermore, it could also be added to a self-service workflow process where end-users could request it.
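The following is an added example, not code from the paper or its model: a minimal evaluator for the Figure 29 policy, with the role assignment carried as an auditable record. All names, the dictionary keys for the request context, and the sample values in the assignment record are assumptions.

```python
"""Added example (not from the paper): a minimal PBAC policy evaluator.

The policy mirrors Figure 29: Read/Edit/Print/Delete granted to members of the
Doctor role, subject to ABAC-style conditions. The assigned_by/assigned_on
fields are the auditable assignment record the text describes (hypothetical).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    role: str                # role the policy is assigned to
    permissions: frozenset   # permissions granted when the conditions hold
    assigned_by: str         # audit trail: who granted the assignment
    assigned_on: str         # ... and when (constructed ISO date)

    def conditions_hold(self, ctx: dict) -> bool:
        # Conditions from the text: not in Emergency Mode, internal network,
        # LoA/MFA >= 2. Missing context values fail closed.
        return (not ctx.get("emergency_mode", True)
                and ctx.get("network") == "internal"
                and ctx.get("loa", 0) >= 2)


DOCTOR_POLICY = Policy(
    name="DoctorClinicalAccess",
    role="Doctor",
    permissions=frozenset({"Read", "Edit", "Print", "Delete"}),
    assigned_by="iam-admin@example.invalid",  # constructed sample value
    assigned_on="2024-01-15",                 # constructed sample value
)


def decide(policies, user_roles, permission, ctx) -> bool:
    """Deny by default; permit only if a policy assigned to one of the user's
    roles grants the permission and every condition of that policy holds."""
    return any(
        p.role in user_roles and permission in p.permissions and p.conditions_hold(ctx)
        for p in policies
    )


def audit_view(policies, role):
    """What an auditor or recertification workflow sees for a role: the
    assignments themselves (who granted what, and when), not just the outcome."""
    return [(p.name, sorted(p.permissions), p.assigned_by, p.assigned_on)
            for p in policies if p.role == role]
```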

What is PBAC?

...

Figure 1: Information Technology – Next Generation Access Control – Functional Architecture (NGAC-FA)

...