Amongst the key challenges within IAM (Identity & Access Management) is access control and enforcement, the “access” part in the term. Enforcing the least privilege principle and restricting access following the need-to-know concept is challenging. Static entitlements are the common approach. These define per application who has access to what. They are stored at the application level for instance as ACLs (Access Control Lists). IAM tools can manage and change these entitlements. However, keeping track of changes and spotting locally made changes is challenging. Also, managing the entitlements is complex, with the entitlement structures within applications being complex and manifold, and the need for managing access for many users across many applications. RBAC (Role-Based Access Control) has emerged as a solution, but also comes with challenges and complexity. PBAM (Policy-Based Access Management), also known as PBAC (Policy-Based Access Control) provides a leaner approach to entitlement management by shifting away from static entitlements.

The PBAM market is diverse, with the vendors covered here are a wide range of different solutions for different PBAM use cases and with different capabilities. This makes it challenging for customers to identify the right solution. Organizations are well-advised in developing a PBAM strategy across use cases first, and then implementing PBAM in a multi-speed approach for the various use cases, also dependent on the maturity of solutions in the market and the innovation demonstrated by vendors.