purpose-based-access

Purpose-Based Access Control (PBAC) Architecture

Overview

Purpose-Based Access Control (PBAC) extends traditional access control models (RBAC, ABAC) by adding purpose as a mandatory dimension in every access decision. Under PBAC, data access is granted only when the requester can demonstrate a valid, pre-authorized purpose that aligns with the basis under which the data was collected. This directly implements GDPR Article 5(1)(b) purpose limitation, CCPA purpose restrictions, and similar requirements across global privacy regulations.

PBAC vs Traditional Access Control

| Dimension | RBAC | ABAC | PBAC |
|---|---|---|---|
| Access decision based on | Role membership | Attributes (user, resource, environment) | Purpose + attributes |
| Answers the question | "Who can access?" | "Under what conditions?" | "Why is this access needed?" |
| Purpose enforcement | None (implicit) | Possible as attribute | Core requirement |
| Audit trail | Who accessed what | Who, what, when, where | Who, what, when, where, WHY |
| Privacy alignment | Low | Medium | High |
| Consent integration | None | Possible | Native |
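
The decision logic described above, as an added example that is not part of the original skill: a deny-by-default check that requires a declared purpose, verifies it is pre-authorized for the requester's role, and verifies it matches a purpose the data was collected for, then writes an audit record that includes the WHY. The policy tables, role names, purpose names and the `decide` function are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample policy (all names are hypothetical):
# purposes each data category was collected for ...
COLLECTED_FOR = {
    "email_address": {"order_fulfilment", "account_security"},
    "purchase_history": {"order_fulfilment"},
}
# ... and purposes each role is pre-authorized to declare.
ROLE_PURPOSES = {
    "support_agent": {"order_fulfilment", "account_security"},
    "marketing_analyst": {"marketing_analytics"},
}

AUDIT_LOG = []  # in-memory stand-in for an append-only audit store


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    data_category: str
    declared_purpose: str  # mandatory dimension of every decision


def decide(req: AccessRequest) -> bool:
    """Grant only when the purpose is declared, pre-authorized for the role,
    and aligned with a purpose the data was collected for."""
    if not req.declared_purpose:
        allowed, reason = False, "no purpose declared"
    elif req.declared_purpose not in ROLE_PURPOSES.get(req.role, set()):
        allowed, reason = False, "purpose not pre-authorized for role"
    elif req.declared_purpose not in COLLECTED_FOR.get(req.data_category, set()):
        allowed, reason = False, "purpose does not match collection purpose"
    else:
        allowed, reason = True, "purpose authorized and aligned"
    # Denials are logged too; the record carries the WHY next to who/what/when.
    AUDIT_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "who": req.user, "role": req.role, "what": req.data_category,
        "why": req.declared_purpose, "allowed": allowed, "reason": reason,
    })
    return allowed
```

A role that may declare a purpose still gets a denial when the data was not collected for that purpose, which is the case role-only checks miss.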

Purpose Ontology
