That’s a really helpful way to frame it — especially the distinction between RBAC and ARP.
I agree that RBAC works well when job roles and attributes are clearly defined from the HR source. It definitely makes access more structured and easier to govern.
At the same time, I’ve seen cases where roles don’t fully capture all access needs, especially for exceptions or application-specific requirements, which is where ARP becomes important.
In your experience, how do you usually handle situations where RBAC starts becoming difficult to maintain due to frequent role changes or exceptions? Do you lean more towards refining roles or increasing reliance on ARP in those cases?
Thanks for sharing your perspective!