Abstract

This paper examines the evolution and advancements in access control systems, with a focus on policy-driven and role-based authorization models. As modern computing environments—such as cloud, IoT, and distributed systems—become increasingly complex, traditional access control mechanisms, including Discretionary Access Control (DAC), are proving inadequate. Role-Based Access Control (RBAC) has long been the cornerstone of secure access management, but as systems evolve, the limitations of RBAC become evident. To address these challenges, Policy-Based Access Control (PBAC) has emerged, offering greater flexibility by incorporating contextual and attribute-based decision-making. This paper explores the principles, evolution, and integration of RBAC and PBAC, comparing their strengths and weaknesses, and also discusses hybrid models that combine both. It also analyzes key challenges such as scalability, policy conflicts, and compliance constraints, and introduces advanced models, including next-generation RBAC and policy-driven authorization engines like XACML and Open Policy Agent (OPA). The paper concludes by discussing practical implications for organizations and suggesting future research directions in areas such as AI-driven policy generation, dynamic trust scoring, and cross-domain federated authorization. The insights provided offer a roadmap for enhancing security, scalability, and compliance in modern access control systems.