Policy-Based Access Control in Zero Trust Architecture (ZTA)

International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395-0056
Volume: 12 Issue: 10 | Oct 2025 www.irjet.net p-ISSN: 2395-0072

Lecturer, Computer Science faculty, Benawa University, Kandahar, Afghanistan

ABSTRACT - Zero Trust Architecture (ZTA) is an important change in cybersecurity, built on the principle "never trust, always verify." At the basis of ZTA is Policy-Based Access Control (PBAC), which makes dynamic, context-aware access decisions based on established security policies. This paper examines the concept of PBAC within the Zero Trust framework, contrasts it with traditional access control models, outlines its components and operational flow, and assesses its implementation problems and benefits. Real-world use cases and techniques are also presented, providing a thorough understanding of PBAC in modern network security. As organizations increasingly move to cloud and hybrid settings, PBAC offers a scalable and adaptive approach to access control that ensures security without sacrificing accessibility.

Key Words: Zero Trust Architecture (ZTA), Cybersecurity, Policy-Based Access Control (PBAC), Dynamic access, Framework, Security policies.

1. INTRODUCTION

In the modern digital era, the pervasive use of technology and the internet has greatly enhanced connectivity, communication, and data exchange across organizations. However, as interconnectivity increases, so does the complexity and sophistication of cyber threats. Traditional perimeter-based and host-based security models, which rely on the assumption that entities inside the network are inherently trustworthy, have proven inadequate against today's dynamic and evolving threat landscape.

To address these limitations, Zero Trust Architecture (ZTA) has emerged as a comprehensive security model built on the principle of "never trust, always verify." Under this approach, no entity, whether inside or outside the network, is granted automatic trust. Instead, each access request is authenticated, authorized, and validated according to contextual and behavioral factors, and that verification is repeated for every request rather than performed once at login.

A critical enabler of this architecture is Policy-Based Access Control (PBAC), which replaces static, role-based access mechanisms with adaptive, policy-driven decision-making. PBAC evaluates each access request against a combination of attributes, contextual information, and organizational policies, ensuring that access is granted only when the defined security conditions are met.

The purpose of this study is to examine PBAC's role and function within the Zero Trust framework, detailing its architecture, advantages, challenges, and potential areas for improvement. By integrating PBAC into enterprise networks, organizations can redefine their access management strategies, achieving a more proactive, resilient, and adaptive security posture suitable for cloud-based and hybrid environments.

2. BACKGROUND AND RELATED WORK

Access control lies at the heart of information security, defining who can access which resources and under what conditions. As organizations grow and their digital systems expand, choosing the right access control model has become increasingly important. Over the years, several approaches have been developed, each addressing different security needs and operational environments. The most recognized models are Mandatory Access Control (MAC), Discretionary Access Control (DAC), Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and the more recent Policy-Based Access Control (PBAC).

• Mandatory Access Control (MAC): Mandatory Access Control is one of the oldest and most rigid forms of access management. In MAC, a central authority strictly defines how users or devices may interact with resources based on predefined security classifications or clearance levels. This model is commonly used in environments where information sensitivity is extremely high, such as the military, intelligence, or nuclear sectors. Because users cannot change permissions on their own, MAC provides strong control and data protection, but at the cost of flexibility.

• Discretionary Access Control (DAC): In the Discretionary Access Control model, the owner or administrator of a resource decides who can access it and what actions they are allowed to perform. This approach offers flexibility and user autonomy, making it suitable for smaller or less sensitive systems. However, DAC's decentralized nature can create security inconsistencies, because every resource owner can modify permissions. This lack of central oversight often leads to policy misconfigurations and unauthorized data sharing.

• Role-Based Access Control (RBAC): Role-Based Access Control assigns permissions to users based on their job roles or responsibilities within an organization. For example, a manager may have broader access rights than a general employee. RBAC simplifies management and improves efficiency, especially in large organizations. However, because it relies on predefined roles, it does not easily adapt to changing context such as device type, user location, or time of access. This rigidity makes RBAC less effective in dynamic and cloud-based environments.

• Attribute-Based Access Control (ABAC): Attribute-Based Access Control takes a more flexible approach by making decisions based on multiple attributes, such as user identity, department, device type, location, and time. ABAC enables fine-grained and context-aware access control, which improves security and adaptability. However, as the number of attributes and conditions increases, the system becomes more complex to configure and maintain, often requiring advanced tools and automation to stay efficient.

• Policy-Based Access Control (PBAC): Policy-Based Access Control represents the next step in the evolution of access management. Instead of relying on static roles or attributes alone, PBAC uses policies as the core decision-making component. These policies define the rules and conditions under which users or devices are granted access. In practice PBAC builds on ABAC: attributes remain the inputs, and an explicit, centrally managed policy language is what turns them into decisions. PBAC separates policy logic from application logic, allowing centralized and dynamic enforcement across the network. Its real-time, adaptive, and scalable nature makes it well suited to Zero Trust Architecture (ZTA), where continuous verification and minimal implicit trust are essential.

Model   Who Controls Access      Key Highlights
MAC     Central authority        Enforces strict, layered security; used in high-security sectors such as the military.
DAC     Resource owner/admin     Access decided by the resource owner; simple but lacks centralized control.
RBAC    System administrators    Based on user roles; easy to manage but lacks context sensitivity.
ABAC    Policy engine            Uses attributes (user, time, device, etc.); flexible but complex.
PBAC    Admin + policy engine    Dynamic, policy-driven control; scalable and central; fits Zero Trust environments.

3. CORE COMPONENTS OF PBAC IN ZTA

• Policy Enforcement Point (PEP): The PEP intercepts access requests, passes them to the Policy Decision Point (PDP) for evaluation, and enforces the decision that comes back: it lets the request through or blocks it, but never decides on its own.

• Policy Decision Point (PDP): The PDP evaluates each access request against the set of policies, makes a decision, and reports it back to the PEP. It is the central component that performs logical reasoning over the available information and access rules. Where several policies apply to one request, the PDP also applies a combining rule (for example, deny-overrides) so that the outcome is deterministic.

• Policy Administration Point (PAP): The PAP creates, stores, and manages policies. It provides tools for administrators to define rules and permissions. A strong PAP includes version control, policy testing, and auditing mechanisms to assure policy integrity and traceability.
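As an added illustration of the PEP, PDP and PAP flow described above (example code written for this page, not code from the paper or from any product), the following Python models the three components with a small set of policies-as-code. The request attributes, the policy names and the deny-overrides combining rule are assumptions chosen for the example; the department, device and network values are constructed sample data.

```python
"""PEP -> PDP -> PAP round trip for policy-based access control.

Added example for this page; not the paper's code. Every policy is an
ordinary Python predicate, so it can live in version control and be
unit-tested (policies-as-code). The context attributes are constructed
sample data; a real deployment would source them from the IdP, the device
management system and the network layer.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Tuple

Context = Dict[str, object]   # subject, resource, action and environment attributes


@dataclass(frozen=True)
class Policy:
    name: str
    effect: str                          # "permit" or "deny"
    applies: Callable[[Context], bool]   # True when the policy matches the request


@dataclass
class PolicyAdministrationPoint:
    """Stores the policy set and keeps an audit trail of every change."""
    policies: List[Policy] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def add(self, policy: Policy) -> None:
        if policy.effect not in ("permit", "deny"):
            raise ValueError(f"bad effect {policy.effect!r} in {policy.name}")
        self.policies.append(policy)
        self.audit.append(f"added {policy.name} ({policy.effect})")


class PolicyDecisionPoint:
    """Evaluates one request against every policy held by the PAP.

    Combining rule: deny-overrides. One matching deny beats any number of
    permits, and a request that matches nothing is denied (default-deny is
    what "never trust, always verify" requires).
    """
    def __init__(self, pap: PolicyAdministrationPoint) -> None:
        self.pap = pap

    def decide(self, ctx: Context) -> Tuple[str, List[str]]:
        matched = [p for p in self.pap.policies if p.applies(ctx)]
        denies = [p.name for p in matched if p.effect == "deny"]
        if denies:
            return "deny", denies
        permits = [p.name for p in matched if p.effect == "permit"]
        if permits:
            return "permit", permits
        return "deny", ["default-deny"]


class PolicyEnforcementPoint:
    """Sits in front of the resource; forwards the request, enforces the answer."""
    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp

    def handle(self, ctx: Context) -> Tuple[bool, List[str]]:
        decision, reasons = self.pdp.decide(ctx)
        # A production PEP would also write (ctx, decision, reasons) to the audit log.
        return decision == "permit", reasons


def _hour(ctx: Context) -> int:
    return datetime.fromisoformat(str(ctx["time"])).hour


def build_pap() -> PolicyAdministrationPoint:
    """Constructed policy set: one permit plus two context-based denies."""
    pap = PolicyAdministrationPoint()
    pap.add(Policy(
        "permit-read-own-department-records", "permit",
        lambda c: c["action"] == "read"
        and c["subject_dept"] == c["resource_dept"]
        and c["mfa"] is True))
    pap.add(Policy(
        "deny-noncompliant-device", "deny",
        lambda c: c["device_compliant"] is not True))
    pap.add(Policy(
        "deny-off-hours-from-untrusted-network", "deny",
        lambda c: c["network"] != "corporate" and not 8 <= _hour(c) < 18))
    return pap


def decide(ctx: Context) -> Tuple[bool, List[str]]:
    """One request through PEP -> PDP -> PAP; returns (allowed, policy names)."""
    return PolicyEnforcementPoint(PolicyDecisionPoint(build_pap())).handle(ctx)


if __name__ == "__main__":
    base = {"action": "read", "subject_dept": "finance", "resource_dept": "finance",
            "mfa": True, "device_compliant": True, "network": "corporate",
            "time": "2025-10-06T10:15:00"}
    print(decide(base))
    print(decide({**base, "device_compliant": False}))
    print(decide({**base, "network": "home", "time": "2025-10-06T02:00:00"}))
    print(decide({**base, "resource_dept": "hr"}))
```

The reasons list returned with every decision is the audit hook: each allow or block is traceable to a named policy, which is what makes the compliance argument in section 4 hold up. Note that the permit also requires MFA; without it the request falls through to the default deny rather than to any explicit rule.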

4. BENEFITS OF PBAC IN A ZERO TRUST MODEL

In complex network structures with many users connected to the corporate network, managing each user's access and policies is difficult, because each reaches the network differently. PBAC makes this easier; the following are some of its benefits:

• Fine-Grained Control: PBAC allows organizations to make narrowly scoped, need-based access decisions. Instead of granting broad permissions, it ensures that users can reach only the exact data or systems they need.

• Smarter, Context-Aware Decisions: Access is no longer just about usernames and passwords. PBAC considers real-time factors such as where the user is, what device they are using, and whether their behavior looks suspicious, in order to make a safer access decision for each request.

• Simplifies Compliance and Audits: Meeting strict regulations such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI DSS) becomes easier with PBAC. Organizations can write policies that map directly to these frameworks, and because every decision is logged against a named policy, audits become less stressful and more transparent, and no user can plausibly deny an access that the log records.

• Built to Scale with Your Infrastructure: Whether your environment is on-premises, cloud, or a mix of both, PBAC adapts easily. It offers a unified way to manage access control across complex, evolving IT systems.

• Policies as Code = Faster and Smarter Security: PBAC lets security teams define and manage policies as code. This makes them easier to automate, test, track in version control, and collaborate on, which reduces manual errors and speeds up security responses.

5. CHALLENGES AND LIMITATIONS OF PBAC IN PRACTICE

Like every access control model before it, Policy-Based Access Control (PBAC) comes with its own limitations. The following are some common challenges encountered during its implementation in practice.

• Policies Can Get Complicated: As more rules and user attributes are added, things can quickly get messy. Without a well-structured approach, policies may become too complex to manage or troubleshoot easily.

• Slower Performance in Real Time: Because every request is evaluated against the policy set, there is a risk of added latency, especially in large or distributed environments where the number of policies keeps growing and the PDP may sit far from the PEP. Decision caching and running the policy engine next to the application are the usual mitigations.

• Not Always Plug-and-Play: Many older (legacy) systems were not built with PBAC in mind. Integrating modern policy engines with these systems can be difficult, requiring extra effort or custom solutions.

• Policy Conflicts Can Be Tricky: Different policies can overlap or contradict each other. If this is not handled carefully, the result is unintended behavior such as blocking legitimate users or granting too much access.

• People Need Time to Adjust: Shifting to PBAC is not only about technology and policies; it is also about people. IT and security teams may need new skills and a fresh mindset to design, test, and maintain these dynamic policies effectively.
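To make the conflict problem above concrete, here is an added example (written for this page, not from the paper) that statically checks a rule set before it is deployed: it reports permit/deny pairs that can both match one request, flags permit rules that a broader deny makes unreachable, and shows how the choice of combining algorithm changes the outcome for the same request. The rule names, attribute names and the healthcare-style sample rules are constructed for the example.

```python
"""Static conflict detection for a PBAC rule set.

Added example for this page; not the paper's code. A rule constrains a few
request attributes to sets of allowed values (None = unconstrained) and has
an effect. RULES below is constructed sample data.
"""
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

Rule = Dict[str, object]   # {"name": str, "effect": "permit"|"deny", "when": {attr: set}}


def rule(name: str, effect: str, **when: Optional[Set[str]]) -> Rule:
    return {"name": name, "effect": effect, "when": when}


RULES: List[Rule] = [
    rule("clinician-read-ehr", "permit", role={"doctor", "nurse"}, action={"read"}, resource={"ehr"}),
    rule("deny-unmanaged-device", "deny", device_state={"unmanaged", "jailbroken"}),
    rule("contractor-read-ehr-on-corp-net", "permit", role={"contractor"}, action={"read"},
         resource={"ehr"}, network={"corporate"}),
    rule("deny-contractor-ehr", "deny", role={"contractor"}, resource={"ehr"}),
    rule("deny-doctor-write-billing", "deny", role={"doctor"}, action={"write"}, resource={"billing"}),
]


def overlaps(a: Rule, b: Rule) -> bool:
    """True if some request could satisfy both rules' conditions."""
    for attr in set(a["when"]) | set(b["when"]):
        va, vb = a["when"].get(attr), b["when"].get(attr)
        if va is None or vb is None:
            continue                  # unconstrained on one side: no restriction here
        if not va & vb:
            return False              # disjoint value sets: the two can never co-match
    return True


def subsumes(broad: Rule, narrow: Rule) -> bool:
    """True if every request matching `narrow` also matches `broad`."""
    for attr, vb in broad["when"].items():
        vn = narrow["when"].get(attr)
        if vn is None or not vn <= vb:
            return False
    return True


def find_conflicts(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Permit/deny pairs that can both fire on one request. Each needs an
    explicit combining decision rather than an accidental one."""
    return [(a["name"], b["name"]) for a, b in combinations(rules, 2)
            if a["effect"] != b["effect"] and overlaps(a, b)]


def dead_rules(rules: List[Rule]) -> List[str]:
    """Permit rules fully covered by a deny: under deny-overrides they can
    never grant anything, which usually means the deny was mis-scoped."""
    denies = [r for r in rules if r["effect"] == "deny"]
    return [p["name"] for p in rules if p["effect"] == "permit"
            and any(subsumes(d, p) for d in denies)]


def matches(r: Rule, req: Dict[str, str]) -> bool:
    return all(v is None or req.get(k) in v for k, v in r["when"].items())


def decide(rules: List[Rule], req: Dict[str, str], algorithm: str = "deny-overrides") -> str:
    """Combine the effects of all matching rules; no match is a default deny."""
    effects = [r["effect"] for r in rules if matches(r, req)]
    if not effects:
        return "deny"
    if algorithm == "deny-overrides":
        return "deny" if "deny" in effects else "permit"
    if algorithm == "permit-overrides":
        return "permit" if "permit" in effects else "deny"
    if algorithm == "first-applicable":
        return effects[0]
    raise ValueError(f"unknown combining algorithm {algorithm!r}")


if __name__ == "__main__":
    print("conflicting pairs:", find_conflicts(RULES))
    print("dead permits:", dead_rules(RULES))
    req = {"role": "contractor", "action": "read", "resource": "ehr",
           "network": "corporate", "device_state": "managed"}
    for alg in ("deny-overrides", "permit-overrides", "first-applicable"):
        print(alg, "->", decide(RULES, req, alg))
```

The same contractor request is denied under deny-overrides and permitted under the other two algorithms, which is why the combining algorithm must be chosen once, documented, and treated as part of the policy set. `find_conflicts` also flags intentional layering, such as a blanket device-health deny over a clinician permit; the `dead_rules` output is the stronger signal that something is wrong, here a contractor deny that swallows the narrower contractor permit.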

6. REAL-WORLD APPLICATIONS AND CASE STUDIES

• In the Enterprise: Protecting Sensitive Financial Data: A large global bank must protect its clients' personal and financial information. Instead of relying only on job roles, it now also factors in where an employee is logging in from, the health of their device, and even the time of day. Its policies are enforced by an engine based on OPA (Open Policy Agent) that works alongside its existing identity management system. The result is stronger internal controls, fewer insider risks (a common source of attacks that PBAC now helps prevent), and smoother audits.

• In the Cloud: Smarter, Condition-Based Access: Cloud platforms such as AWS, Azure, and Google Cloud have built policy-based controls into their cores. For instance, AWS IAM lets you write policies whose Condition block depends on things like the caller's source IP address (aws:SourceIp), the time of the request (aws:CurrentTime), or whether multi-factor authentication was used (aws:MultiFactorAuthPresent). Similarly, Microsoft's Azure Policy and Azure RBAC work together to ensure that the right people have access to the right resources.

• In Healthcare: Safeguarding Patient Information: Hospitals and clinics use PBAC to make sure that only the right medical staff can view or update electronic health records (EHRs). These policies take into account the staff member's role (such as nurse or doctor), whether the patient has given consent, and the context of treatment. This not only protects patient privacy and satisfies HIPAA requirements, but also keeps hospital operations and systems running smoothly without unnecessary access roadblocks.
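The AWS IAM conditions mentioned in the cloud case above can be seen working in the following added example (written for this page; it is not AWS code and not a complete IAM evaluator). It embeds two constructed policy documents, one with no conditions and one that requires MFA, a corporate source range and a validity window, and reproduces just enough of IAM's evaluation order (explicit Deny, then Allow, otherwise implicit deny; an absent condition key fails its condition) to show how the same request fares under each. The bucket name, IP range and dates are made up; the condition keys and operators are real IAM ones.

```python
"""Minimal evaluator for IAM-style Condition blocks.

Added example for this page, not AWS code. Handles only the operators used
below (Bool, IpAddress, DateGreaterThan, DateLessThan) and ignores
principals, NotAction, policy variables and the rest of real IAM. The
policy documents and request contexts are constructed sample data.
"""
import fnmatch
import ipaddress
import json
from datetime import datetime
from typing import Dict

# Weak: anyone with this policy can read the bucket from anywhere, with or
# without MFA, forever.
WEAK_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-reports/*"}]}
""")

# Hardened: same grant, but only with MFA, only from the office range, only
# inside a review window, and deletes are explicitly denied.
HARDENED_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-reports/*",
    "Condition": {
      "Bool":            {"aws:MultiFactorAuthPresent": "true"},
      "IpAddress":       {"aws:SourceIp": ["203.0.113.0/24"]},
      "DateGreaterThan": {"aws:CurrentTime": "2025-10-01T00:00:00Z"},
      "DateLessThan":    {"aws:CurrentTime": "2025-12-31T23:59:59Z"}}},
   {"Effect": "Deny", "Action": "s3:DeleteObject",
    "Resource": "arn:aws:s3:::example-reports/*"}]}
""")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _time(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _condition_met(op: str, key: str, expected, ctx: Dict[str, str]) -> bool:
    # A key missing from the request fails the test. This is the trap with
    # aws:MultiFactorAuthPresent: requests signed with long-term access keys
    # carry no such key at all, so an Allow gated on it never applies to them.
    if key not in ctx:
        return False
    actual, values = ctx[key], _as_list(expected)
    if op == "Bool":
        return str(actual).lower() == str(values[0]).lower()
    if op == "IpAddress":
        return any(ipaddress.ip_address(actual) in ipaddress.ip_network(v) for v in values)
    if op == "DateGreaterThan":
        return _time(actual) > _time(values[0])
    if op == "DateLessThan":
        return _time(actual) < _time(values[0])
    raise NotImplementedError(op)


def _statement_matches(stmt: dict, action: str, resource: str, ctx: Dict[str, str]) -> bool:
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_met(op, key, exp, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, exp in pairs.items())


def evaluate(policy: dict, action: str, resource: str, ctx: Dict[str, str]) -> str:
    """IAM order: an explicit Deny wins, then an Allow, otherwise implicit deny."""
    matched = [s for s in policy["Statement"] if _statement_matches(s, action, resource, ctx)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "Deny"
    if any(s["Effect"] == "Allow" for s in matched):
        return "Allow"
    return "ImplicitDeny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-reports/q3.pdf"
    office_mfa = {"aws:SourceIp": "203.0.113.7", "aws:MultiFactorAuthPresent": "true",
                  "aws:CurrentTime": "2025-10-06T09:00:00Z"}
    long_term_key = {"aws:SourceIp": "198.51.100.9", "aws:CurrentTime": "2025-10-06T09:00:00Z"}
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, evaluate(pol, "s3:GetObject", obj, office_mfa),
              evaluate(pol, "s3:GetObject", obj, long_term_key),
              evaluate(pol, "s3:DeleteObject", obj, office_mfa))
```

The absent-key rule cuts the other way for a Deny: a statement that denies when aws:MultiFactorAuthPresent is false does not fire for long-term-key requests, which carry no such key, and AWS documents the BoolIfExists operator for that case. The evaluator above does not implement the IfExists operators, so do not read it as a substitute for the IAM policy simulator.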

7. FUTURE DIRECTIONS

As organizations continue to implement Zero Trust Architecture (ZTA), Policy-Based Access Control (PBAC) is expected to become smarter and more adaptable. One major development over current implementations is the addition of artificial intelligence (AI) and machine learning features to policy creation. These technologies can analyze user activity and access logs to suggest, or even generate, access control policies, reducing the burden on network security administrators and keeping policies consistent with real-world need. This intelligent automation can also help prevent human error and keep policies current as systems change. Generated policies still need to pass through the PAP's testing and review steps before they are enforced, since a wrong suggestion is applied at the same scale as a right one.

Another promising area is resolving conflicts between overlapping policies and restrictions, which can be a challenge in large environments. Future PBAC systems are expected to include built-in conflict resolution frameworks, either rule-based or AI-powered, that automatically identify and resolve overlapping or contradictory rules without manual intervention.

Finally, the demand for centralized and simplified management will drive the development of unified policy platforms capable of operating across hybrid, cloud, and on-premises environments. These platforms will help IT teams manage policies consistently and at scale. Automated Zero Trust readiness tools will also benefit organizations by assessing current infrastructure, identifying gaps, and recommending effective PBAC integration strategies. These advancements will not only improve security but also simplify operations and hasten Zero Trust adoption across industries.

8. CONCLUSION

Policy-Based Access Control (PBAC) plays a central role in implementing an effective Zero Trust Architecture (ZTA). By enabling precise, context-aware access decisions, PBAC allows organizations to respond dynamically to changing threats, user behaviors, and system conditions. It provides fine-grained control, supports compliance with regulatory standards, and scales across complex hybrid and cloud environments.

While implementing PBAC can introduce challenges, such as managing policy complexity and integrating with existing systems, its benefits in terms of security, operational efficiency, and adaptability outweigh these obstacles. The use of automation, policies-as-code, and advanced policy management platforms further enhances PBAC's effectiveness, enabling organizations to enforce consistent, real-time access control across diverse networks.

In summary, PBAC is not just a technical feature but a strategic enabler of modern cybersecurity. Its adoption within Zero Trust frameworks allows organizations to protect critical resources proactively, minimize risk, and maintain operational agility in an increasingly interconnected and threat-prone digital landscape.
