Policy-Based Access Control (PBAC) Isn’t as Great as You Think
Policy-Based Access Control (PBAC) offers flexibility and power in defining access policies through custom logic rather than predefined roles or attributes. However, it introduces complexity, performance issues, and challenges in readability, auditing, and incident response. Using domain-specific languages for policies can also limit understanding across teams. PBAC should be a fallback for complex policies rather than a starting point, as simpler models like RBAC or ABAC are often more suitable.
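
The auditing point can be made concrete with a small sketch. This is an added example, not code from the original article; the users, roles, permissions and the `Context` fields are all hypothetical. It asks the same audit question ("who can delete reports?") of a static RBAC table and of a policy written as custom logic.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical users, roles and permissions).
ROLE_PERMS = {"analyst": {"report:read"}, "admin": {"report:read", "report:delete"}}
USER_ROLES = {"alice": {"admin"}, "bob": {"analyst"}, "carol": set()}

def rbac_allows(user, perm):
    """RBAC decision: a lookup in two static tables."""
    return any(perm in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))

def rbac_who_can(perm):
    """Audit query: answered from the tables alone, no request context needed."""
    return sorted(u for u in USER_ROLES if rbac_allows(u, perm))

@dataclass(frozen=True)
class Context:
    hour: int            # local hour of the request, 0-23
    on_call: frozenset   # users on call when the request is made
    owner: str           # owner of the target report

def pbac_allows(user, perm, ctx):
    """PBAC decision: custom logic whose result depends on runtime context."""
    if perm == "report:read":
        return user == ctx.owner or rbac_allows(user, perm)
    if perm == "report:delete":
        # Admins during business hours, or whoever is on call at any hour.
        in_hours = 9 <= ctx.hour < 17
        return (rbac_allows(user, perm) and in_hours) or user in ctx.on_call
    return False

def pbac_who_can(perm, ctx):
    """Audit query: only answerable for one concrete context at a time."""
    return sorted(u for u in USER_ROLES if pbac_allows(u, perm, ctx))

if __name__ == "__main__":
    day = Context(hour=10, on_call=frozenset(), owner="carol")
    night = Context(hour=2, on_call=frozenset({"bob"}), owner="carol")
    print("RBAC        :", rbac_who_can("report:delete"))
    print("PBAC (day)  :", pbac_who_can("report:delete", day))
    print("PBAC (night):", pbac_who_can("report:delete", night))
```

The RBAC answer is fixed by the tables, while the PBAC answer changes with the context supplied, so an auditor or incident responder has to reconstruct the context of each request before the policy's decision can be checked.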