I am studying various types of access control models. So far I have come across MAC, ABAC, and RBAC, where RBAC and ABAC are the popular ones. But none of them fits as a complete solution for all real-life scenarios.
That is why many times a hybrid model of RBAC and ABAC has been proposed. I am still not able to understand this hybrid model and how this model overcomes the drawbacks of RBAC and ABAC.
ABAC in itself is alone since it can be used to implement RBAC policies. When people refer to a hybrid RBAC/ABAC model, they mean that roles and permissions are still managed in an identity management system, e.g. an LDAP, but that you now rely on policies (e.g. XACML) to drive the actual authorization.
Apps can still use the roles directly but would likely rely on a PEP for authorization decisions.
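A minimal sketch of the hybrid model described in the answer above, added here as an illustration and not part of the original answer. The directory, policies, record and function names are all hypothetical; a real deployment would read roles from the identity store and express the rules in a policy language such as XACML.

```python
# Constructed stand-in for the identity store (e.g. LDAP): it assigns roles.
DIRECTORY = {
    "alice": {"roles": {"doctor"}, "department": "cardiology"},
    "bob": {"roles": {"doctor"}, "department": "oncology"},
    "carol": {"roles": {"clerk"}, "department": "cardiology"},
}
# Hypothetical policies: the role is one attribute among several.
POLICIES = [
    {"role": "doctor", "action": "read", "type": "record",
     "condition": lambda s, r, e: s["department"] == r["department"]},
    {"role": "doctor", "action": "write", "type": "record",
     "condition": lambda s, r, e: s["department"] == r["department"]
                                   and 8 <= e["hour"] < 18},
]
# Constructed sample resource.
RECORD = {"id": "rec-1", "type": "record", "department": "cardiology",
          "body": "constructed sample data"}


def rbac_only(user, action, resource):
    """Pure RBAC view: holding the role is enough to get the permission."""
    roles = DIRECTORY.get(user, {}).get("roles", set())
    return any(p["role"] in roles and p["action"] == action
               and p["type"] == resource["type"] for p in POLICIES)


def pdp_decide(user, action, resource, env):
    """Policy decision point: role plus attribute condition, deny by default."""
    subject = DIRECTORY.get(user)
    if subject is None:
        return "Deny"
    for p in POLICIES:
        if (p["role"] in subject["roles"] and p["action"] == action
                and p["type"] == resource["type"]
                and p["condition"](subject, resource, env)):
            return "Permit"
    return "Deny"


def pep_read_record(user, resource, env):
    """Policy enforcement point in the app: ask the PDP before returning data."""
    if pdp_decide(user, "read", resource, env) != "Permit":
        raise PermissionError(f"{user} may not read {resource['id']}")
    return resource["body"]
```

Both doctors pass the role-only check, but the PDP permits only the one whose department matches the record, which is the restriction that roles alone cannot express.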