Policy-based access control (PBAC) is a method for controlling user access to complex systems in which users' business roles are combined with certain well-defined policies to decide what access capabilities each role should have. These policies are called PBAC membership policies. Policy-based access control considers roles as well as attributes when determining access privileges.

Policies define the business meaning, and every consumer application receives the decision, regardless of its technical implementation. For example, in the banking domain, a PBAC policy may be defined as "Basic profiles and bank accounts of clients who are in the same line of business and branch are accessible to branch managers."

PBAC membership policies are statements that combine attributes to describe what is permitted and what is not permitted. Policies can be local or global, and they can be formulated in such a way that they override other policies. Digital policies, which are made up of logical rules, are used to dynamically manage and assess user access. For example:

a) If the document is in the same department as the user, the user can see it.
b) If you are the document's owner and the document is in draft mode, you can edit it.
c) After 9 p.m. and before 9 a.m., deny access.
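
The three rules above can be written as attribute checks and combined into one decision. The following is an added example, not EmpowerID code or its policy format; the attribute names, the deny-overrides combining logic, the default deny, and the treatment of the exact 9:00 boundaries are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Request:
    action: str            # "view" or "edit"
    user_id: str
    user_department: str
    doc_owner: str
    doc_department: str
    doc_status: str        # "draft" or "published"
    at: time               # local time of the request

# Each rule returns "permit", "deny", or None when it does not apply.
def same_department_view(r):
    # Rule (a)
    if r.action == "view" and r.user_department == r.doc_department:
        return "permit"

def owner_edits_draft(r):
    # Rule (b)
    if r.action == "edit" and r.user_id == r.doc_owner and r.doc_status == "draft":
        return "permit"

def outside_hours(r):
    # Rule (c): the window wraps midnight, so the English "and" is a logical OR.
    # Assumption: the boundaries 21:00 and 09:00 themselves are allowed.
    if r.at > time(21, 0) or r.at < time(9, 0):
        return "deny"

RULES = [same_department_view, owner_edits_draft, outside_hours]

def decide(r, rules=RULES):
    """Assumed combining logic: any deny overrides permits; no match means deny."""
    results = {rule.__name__: rule(r) for rule in rules}
    fired = {name: v for name, v in results.items() if v}
    if "deny" in fired.values():
        return "deny", fired
    if "permit" in fired.values():
        return "permit", fired
    return "deny", fired   # default deny: no rule granted access

# Constructed sample requests (not from the page)
def req(action, at, user="alice", owner="alice", status="draft", dept="finance"):
    return Request(action, user, "finance", owner, dept, status, at)

if __name__ == "__main__":
    for r in (req("view", time(10, 0)), req("view", time(22, 30)),
              req("edit", time(14, 0), owner="bob")):
        print(r.action, r.at, decide(r))
```

Returning the rules that fired alongside the decision gives an audit trail showing which policy overrode which.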

In EmpowerID, PBAC membership policies are policies we create to specify the conditions under which an EmpowerID actor, such as a person or a business role and location, can be added to, or potentially added to, management roles, groups, business roles and locations, or query-based collections. PBAC membership policies are composed of attribute-based membership policies, which contain rules defining the field types, field type values, and rights that users need for the system to add them to the target of the policy.

...