TL;DR: Utility operators dealing with SCADA, contractors, auditors, and third-party vendors face growing friction when authorization is spread across roles, embedded app rules, and databases, according to Cerbos. The core issue is that static RBAC makes policy updates, onboarding, audit evidence, and contextual access harder to manage at enterprise scale.
NHIMG editorial — based on content published by Cerbos: policy-based authorization for utility environments
By the numbers:
- Utility Warehouse, a FTSE 250 multiservice energy provider, replaced a cumbersome in-house authorization system spanning 4,500 services with Cerbos.
Questions worth separating out
Q: How should utility companies centralize authorization without breaking operations?
A: Utility companies should centralize authorization in a policy layer that can be updated independently of application releases.
Q: Why do RBAC models become brittle in operational technology environments?
A: RBAC becomes brittle when access depends on context such as location, time, asset state, or temporary escalation.
Q: How do teams know if policy-based authorization is actually improving governance?
A: Teams should look for shorter change windows, fewer manual exceptions, clearer audit trails, and less dependency on developers for routine access updates.
Practitioner guidance
- Map authorization logic out of application code: inventory where role checks, embedded rules, and database permissions are currently enforced.
- Model contextual access conditions explicitly: identify which decisions depend on time, location, asset state, user type, or temporary operational escalation.
- Test policy changes before production rollout: use sample data and staged evaluation to verify that new authorization rules behave correctly for engineers, contractors, vendors, and auditors before they reach live systems.
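The contextual conditions named in the Q&A above (location, time, asset state, temporary escalation) and the staged-evaluation step in the guidance, as an added example that is not part of the NHIMG post and is not Cerbos's engine or policy format: a small default-deny policy evaluator in Python whose rules live in a table outside the application code, a role-only check beside it to show where static RBAC goes wrong, and a pre-rollout test table. The resource kind, role names, condition functions, site names, timestamps and sample principals are all constructed for the illustration.

```python
# Added example (not Cerbos's engine or policy format): a minimal default-deny
# policy evaluator with contextual conditions, plus a staged evaluation table.
# Roles, resource kinds, sites, timestamps and the policy rules are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Principal:
    id: str
    roles: frozenset
    attrs: dict = field(default_factory=dict)  # e.g. site, escalation_expires


@dataclass
class Resource:
    kind: str
    attrs: dict  # e.g. site, state


# Conditions are predicates over (principal, resource, context); the context
# carries request-time facts such as the current time.
def same_site(p, r, ctx):
    return p.attrs.get("site") == r.attrs.get("site")

def business_hours(p, r, ctx):
    return 8 <= ctx["now"].hour < 18

def asset_not_locked_out(p, r, ctx):
    return r.attrs.get("state") != "locked_out"

def escalation_active(p, r, ctx):
    exp = p.attrs.get("escalation_expires")  # time-boxed operational escalation
    return exp is not None and ctx["now"] < exp


# Policy lives outside application code: one rule table per resource kind.
POLICY = {
    "scada_controller": [
        {"actions": {"read"}, "roles": {"engineer", "auditor"}, "conditions": []},
        {"actions": {"write"}, "roles": {"engineer"},
         "conditions": [same_site, asset_not_locked_out]},
        {"actions": {"write"}, "roles": {"contractor"},
         "conditions": [same_site, business_hours, asset_not_locked_out]},
        {"actions": {"write"}, "roles": {"vendor"},
         "conditions": [escalation_active, asset_not_locked_out]},
    ],
}


def static_rbac_decide(principal, action, resource):
    """Role-only check: the brittle model, blind to site, time and asset state."""
    return any(action in rule["actions"] and principal.roles & rule["roles"]
               for rule in POLICY.get(resource.kind, []))


def decide(principal, action, resource, ctx):
    """Default deny. Allow when some matching rule has all conditions satisfied.
    Returns (allowed, reason) so the reason can be written to the audit trail."""
    failures = []
    for rule in POLICY.get(resource.kind, []):
        if action not in rule["actions"] or not (principal.roles & rule["roles"]):
            continue
        failed = [c.__name__ for c in rule["conditions"] if not c(principal, resource, ctx)]
        if not failed:
            return True, f"allowed: roles={sorted(rule['roles'])}"
        failures.append(f"roles={sorted(rule['roles'])} failed {failed}")
    return False, "denied (default): " + ("; ".join(failures) or "no matching rule")


def run_staged_evaluation(cases, ctx):
    """Pre-rollout check: evaluate (principal, action, resource, expected) rows
    and return every row whose decision differs from the expectation."""
    mismatches = []
    for principal, action, resource, expected in cases:
        allowed, reason = decide(principal, action, resource, ctx)
        if allowed != expected:
            mismatches.append((principal.id, action, expected, allowed, reason))
    return mismatches


# Constructed sample data for the staged evaluation (a Monday, 10:30 UTC).
NOW = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
CTX = {"now": NOW}
PUMP = Resource("scada_controller", {"site": "north", "state": "normal"})
LOCKED = Resource("scada_controller", {"site": "north", "state": "locked_out"})
ENGINEER = Principal("eng-1", frozenset({"engineer"}), {"site": "north"})
CONTRACTOR_NORTH = Principal("con-1", frozenset({"contractor"}), {"site": "north"})
CONTRACTOR_SOUTH = Principal("con-2", frozenset({"contractor"}), {"site": "south"})
VENDOR = Principal("ven-1", frozenset({"vendor"}),
                   {"escalation_expires": NOW + timedelta(hours=2)})
VENDOR_EXPIRED = Principal("ven-2", frozenset({"vendor"}),
                           {"escalation_expires": NOW - timedelta(hours=1)})
AUDITOR = Principal("aud-1", frozenset({"auditor"}))

SAMPLE_CASES = [
    (ENGINEER, "write", PUMP, True),
    (ENGINEER, "write", LOCKED, False),
    (CONTRACTOR_NORTH, "write", PUMP, True),
    (CONTRACTOR_SOUTH, "write", PUMP, False),  # role-only RBAC would allow this
    (VENDOR, "write", PUMP, True),
    (VENDOR_EXPIRED, "write", PUMP, False),
    (AUDITOR, "read", PUMP, True),
    (AUDITOR, "write", PUMP, False),
]

if __name__ == "__main__":
    print("mismatches:", run_staged_evaluation(SAMPLE_CASES, CTX))
    print(decide(CONTRACTOR_SOUTH, "write", PUMP, CTX))
```

The point of `run_staged_evaluation` is that the expected-outcome table is the artifact a change reviewer signs off on: a policy edit that silently widens contractor or vendor access shows up as a mismatch before it reaches a live controller, and the `reason` string returned by `decide` is what a log line for audit evidence should carry.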
What's in the full article
Cerbos' full engineering guide covers the operational detail this post intentionally leaves for the source:
- Step-by-step examples of how the RBAC and ABAC policies are written for SCADA and gas flow sensor access
- Change-management workflow details for rolling policy updates without downtime in production
- Policy migration guidance for onboarding a new application into a centralized authorization framework
- Audit and compliance examples showing how authorization logs are prepared for ISO27001 certification
Read Cerbos' engineering guide on policy-based authorization for utility environments:
RBAC vs policy-based authorization in utilities: what changes?