...

In Figure 1 below, we have a PBAC policy that grants the Read, Edit, Print, and Delete permissions to the Doctors’ role members, but with some ABAC-style constraints. These constraints, or policy conditions, are that the company cannot be in “Emergency Mode,” the user must be accessing information from the “internal” network, and the user must be using strong MFA authentication. The main difference between this PBAC policy and ABAC is that the policy is assigned to the Doctor role. This assignment would typically be represented in a relational or graph database, giving auditors a clear picture of who granted the assignment and at least a partial answer concerning what permissions members of the Doctor role have been granted. The assignment is visible, tangible, and can be recertified periodically. Furthermore, it could also be added to a self-service workflow process where end users could request it.
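The policy described above can be sketched as data plus an evaluator. This is an added example, not code from the original page: the attribute keys, user names, grantor address, dates, and the choice to deny once a recertification date has passed are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: names, attribute keys and dates are assumptions.
@dataclass(frozen=True)
class Policy:
    name: str
    permissions: frozenset
    conditions: dict  # attribute name -> required value

@dataclass(frozen=True)
class Assignment:  # the auditable policy-to-role link that distinguishes PBAC
    policy: Policy
    role: str
    granted_by: str
    recertify_by: date

DOCTOR_POLICY = Policy(
    name="doctor-records",
    permissions=frozenset({"Read", "Edit", "Print", "Delete"}),
    conditions={"emergency_mode": False, "network": "internal", "mfa": "strong"},
)
ASSIGNMENTS = [Assignment(DOCTOR_POLICY, "Doctors", "ciso@example.org", date(2030, 1, 1))]
ROLE_MEMBERS = {"Doctors": {"alice"}, "Nurses": {"bob"}}

def is_permitted(user, permission, context, today):
    """Allow only if a current assignment reaches the user's role and every condition holds."""
    for a in ASSIGNMENTS:
        if user not in ROLE_MEMBERS.get(a.role, set()):
            continue
        if today > a.recertify_by:
            continue  # assumption: an assignment that was not recertified stops granting access
        if permission not in a.policy.permissions:
            continue
        # Missing attributes fail closed: context.get returns None, which never matches.
        if all(context.get(k) == v for k, v in a.policy.conditions.items()):
            return True
    return False

def audit_role(role):
    """Answer the auditor's questions: what does the role get, and who granted it?"""
    return [(a.policy.name, sorted(a.policy.permissions), a.granted_by)
            for a in ASSIGNMENTS if a.role == role]
```

In a pure ABAC rule set there would be no `Assignment` record to query, so `audit_role` has no equivalent; the conditions would still be evaluated the same way.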

What is PBAC?

...

Figure 1: Information Technology – Next Generation Access Control – Functional Architecture (NGAC-FA)

...