To summarize, Role-based access will control authorization based on who you are (e.g., user, administrator, human resources manager).
Rule-based access will control authorization based on conditions other than who you are (e.g., time of day, location, type of device).
Here is a brief description of both types of access control:
Role-based Access Control (RBAC):
RBAC largely eliminates discretion when providing access to objects. Instead, administrators or automated systems place subjects into roles. Subjects receive only the rights and permissions assigned to those roles. RBAC uses a centrally administered set of controls to determine how subjects and objects interact. When an employee changes jobs, all previous access is removed, and the rights and permissions of the new role are assigned. RBAC enforces static constraints based on a user’s role. It is the best system for an organization that has high turnover.
Rules-based Access Control (RAC):
RAC takes into account the data affected, the identity attempting to perform a task, and other triggers governed by business rules. RAC uses specific rules that indicate what can and cannot happen between a subject and an object. A manager, for example, has the ability to approve his/her employees’ hours worked. However, when s/he attempts to approve his/her own hours, a rule built into the application compares the employee record and the user, sees they are the same, and temporarily removes approval privilege. It is not necessarily identity based.
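The two models described above combined in one authorization check, as an added example that is not part of the original post: the role table gives each subject a static set of permissions (RBAC), and a separate list of rules can only further restrict a decision based on conditions other than identity (the self-approval rule from the manager example, plus time-of-day and device-type rules). The role names, permission strings, business-hours window and all user records are constructed for illustration; the rule function names are hypothetical.

```python
"""Added example, not the original post's code: a minimal authorization
engine that layers rule-based checks (conditions) on top of role-based
checks (who you are). All roles, permissions and sample users are
constructed for illustration."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# --- Role-based part: subjects get rights only through the roles they hold ---
ROLE_PERMISSIONS = {
    "employee":   {"timesheet:submit"},
    "manager":    {"timesheet:submit", "timesheet:approve"},
    "hr_manager": {"timesheet:submit", "timesheet:approve", "payroll:run"},
}


@dataclass
class Subject:
    user_id: str
    roles: Set[str]


@dataclass
class Request:
    subject: Subject
    action: str
    resource_owner: str          # employee whose record the action affects
    hour: int = 10               # hour of day (0-23) the request is made
    device: str = "managed_laptop"


def role_allows(subject: Subject, action: str) -> bool:
    """Static RBAC check: the union of all permissions of the subject's roles."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in subject.roles))
    return action in granted


# --- Rule-based part: each rule returns a denial reason or None --------------
def rule_no_self_approval(req: Request) -> Optional[str]:
    """Separation of duties: a manager may not approve their own hours,
    even though the manager role carries timesheet:approve."""
    if req.action == "timesheet:approve" and req.subject.user_id == req.resource_owner:
        return "self-approval denied"
    return None


def rule_business_hours(req: Request) -> Optional[str]:
    """Time-of-day condition: approvals only between 08:00 and 18:00 (hypothetical)."""
    if req.action == "timesheet:approve" and not 8 <= req.hour <= 18:
        return "outside business hours"
    return None


def rule_managed_device(req: Request) -> Optional[str]:
    """Device-type condition: payroll may only be run from a managed device."""
    if req.action == "payroll:run" and req.device != "managed_laptop":
        return "unmanaged device"
    return None


RULES = (rule_no_self_approval, rule_business_hours, rule_managed_device)


def authorize(req: Request) -> Tuple[bool, str]:
    """RBAC sets the baseline; rules can only take access away, never add it."""
    if not role_allows(req.subject, req.action):
        return False, "role lacks " + req.action
    for rule in RULES:
        reason = rule(req)
        if reason:
            return False, reason
    return True, "allowed"


if __name__ == "__main__":
    alice = Subject("alice", {"manager"})
    print(authorize(Request(alice, "timesheet:approve", "bob")))    # (True, 'allowed')
    print(authorize(Request(alice, "timesheet:approve", "alice")))  # (False, 'self-approval denied')
```

Note the ordering: the role check runs first and is the only thing that can grant access, so a rule never needs to know about identity at all; this is what "not necessarily identity based" means in practice, and it keeps the rules reviewable independently of the role table.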