There is an ongoing discussion about terms such as RBAC (Role Based Access Control) and ABAC (Attribute Based Access Control). However, is it really about either-or? Or isn’t it that most role concepts take other attributes such as the Organizational Unit into account, while the role is a major attribute for most ABAC concepts? Shouldn’t the discussion be more about the question on how to make the shift from Static Access Management, based on pre-determined ACLs (Access Control Lists) etc., towards Dynamic Access Management and especially Dynamic Authorization Management, where applications ask at runtime for authorization decisions? But how to make that shift, how to convince application architects and developers? The panelists will talk about both RBAC and ABAC and how to make Dynamic Authorization Management a success, based on their experience.