0 votes

I am studying various types of access control models. So far I have come across MAC, ABAC, and RBAC, of which RBAC and ABAC are the popular ones. But none of them fits as a complete solution for all real-life scenarios.

That is why a hybrid model of RBAC and ABAC has often been proposed. I am still not able to understand this hybrid model and how it overcomes the drawbacks of RBAC and ABAC.


2 Answers

2 votes

ABAC in itself is alone, since it can be used to implement RBAC policies. When people refer to a hybrid RBAC/ABAC model, they mean that roles and permissions are still managed in an identity management system (e.g. an LDAP) but that you now rely on policies (e.g. XACML) to drive the actual authorization.

Apps can still use the roles directly, but would likely rely on a PEP for authorization decisions.

1 vote

Not an easy question to answer. Drawbacks are in the eye of the beholder. But there are some commonly held beliefs as to the limitations of RBAC, for example the 'role explosion' problem. This article, written by me, describes the problem and how it was solved in the Apache Fortress RBAC solution. Disclaimer: I'm a contributor to the Apache Fortress project.

https://iamfortress.net/2018/07/07/towards-an-attribute-based-role-based-access-control-system/
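The following is an added example, not code from either answer or from Apache Fortress or any XACML product. It sketches the hybrid described in the first answer (roles kept in a directory, a policy decision point evaluating attribute rules, a PEP enforcing the result) and shows how one attribute-conditioned rule replaces the per-department roles that cause the role explosion mentioned in the second answer. The directory contents, rule names, and the simple deny-overrides combining logic are all constructed for illustration.

```python
# Toy hybrid RBAC/ABAC policy decision point (constructed example).
# Roles are read from an identity store (here an in-memory dict standing in
# for an LDAP directory); policy rules are predicates over attributes, and
# the role set is just one more attribute, which is how ABAC expresses RBAC.
from dataclasses import dataclass
from typing import Callable

# Constructed stand-in for the directory: subject -> attributes incl. roles.
DIRECTORY = {
    "alice": {"roles": {"physician"}, "department": "cardiology"},
    "bob":   {"roles": {"physician"}, "department": "oncology"},
    "carol": {"roles": {"billing"},   "department": "finance"},
}

@dataclass
class Rule:
    """One policy rule: a named predicate over (subject, action, resource, env)."""
    name: str
    effect: str  # "Permit" or "Deny"
    condition: Callable[[dict, str, dict, dict], bool]

POLICY = [
    # Pure RBAC expressed as ABAC: role membership is an attribute test.
    Rule("billing-reads-invoices", "Permit",
         lambda s, a, r, e: "billing" in s["roles"]
         and r["type"] == "invoice" and a == "read"),
    # Hybrid rule: one role plus a resource/subject attribute match, instead of
    # minting a separate "physician-<department>" role for every department.
    Rule("physician-reads-own-dept-records", "Permit",
         lambda s, a, r, e: "physician" in s["roles"] and r["type"] == "record"
         and a == "read" and r.get("department") == s["department"]),
    # Environment attribute: deny outside business hours regardless of role.
    Rule("no-after-hours", "Deny", lambda s, a, r, e: not 8 <= e["hour"] < 18),
]

def decide(subject: str, action: str, resource: dict, env: dict) -> str:
    """PDP: deny-overrides combining; NotApplicable when no rule matches."""
    attrs = DIRECTORY.get(subject)
    if attrs is None:          # unknown subject: no attributes, so deny
        return "Deny"
    effects = {r.effect for r in POLICY if r.condition(attrs, action, resource, env)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"

def pep_allow(subject: str, action: str, resource: dict, env: dict) -> bool:
    """PEP: only an explicit Permit grants access (default deny)."""
    return decide(subject, action, resource, env) == "Permit"
```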