In EmpowerID, PBAC membership policies are policies we create to specify the conditions under which an EmpowerID actor, such as a person or a business role and location, can be added to, or potentially added to, management roles, groups, business roles and locations, or query-based collections. PBAC membership policies are made up of attribute-based membership policies, which contain rules defining the field types, field type values, and rights users need for the system to add them to the target of the policy.
When the PBAC engine builds PBAC Membership policies, it checks to see whether any EmpowerID actors have the policy's characteristics and adds them to the policy's target if they do.
In this article, we discuss the components of PBAC membership policies and how to create and use them.
Step 1 - Create PBAC Membership policies
PBAC Membership policies can be created in two ways: on the View One pages of the roles, groups, and collections that are the target of the policy, or globally on the Role Modeling Inbox page of EmpowerID. The example below demonstrates how to create a policy on the Role Modeling Inbox page.
...
Now that the policy is created, the next step is to define the conditions needed for users to be added to the policy target. You do this by adding rules to it.
Step 2 - Add Attribute Conditions to the policy
Locate the policy you just created in the Attribute-Based Membership Policies grid and click the Name link for it.
This directs you to the Policy Details (View One) page for the policy.
The page contains a General pane and four accordions for viewing information about the policy and configuring it as needed.
Expand the Attribute Conditions (Field Types) accordion and click the Add button on the grid header.
Enter the following information in the Dynamic Membership Rule form that appears:
Name – Name of the rule
Right – If the rule defines an application right that needs to be met, search for and select the appropriate right
Field Type (Attribute) – If the rule specifies an application field type that needs to be met, search for and select the appropriate attribute
Field Values Constraints on Right Assignment – If the field type can have multiple values, select the values needed
In the example below, the rule specifies that users need the Data Access right to the Customer field type for Intu.
Save the rule.
Repeat, adding as many rules as needed.
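The following is an added conceptual model of how rules like these select members, useful for previewing who a policy would add before relying on it; it is not EmpowerID code and calls no EmpowerID API. The names `Rule`, `Grant` and `preview_members`, the sample actors, and the choice that an actor must satisfy every rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One attribute condition; None or an empty set means 'not constrained'."""
    name: str
    right: Optional[str] = None
    field_type: Optional[str] = None
    field_values: frozenset = frozenset()  # empty = any value of the field type

@dataclass(frozen=True)
class Grant:
    """A right an actor holds on one value of a field type (hypothetical model)."""
    right: str
    field_type: str
    field_value: str

def rule_matches(rule, grants):
    """True if at least one grant satisfies every constrained part of the rule."""
    for g in grants:
        if rule.right is not None and g.right != rule.right:
            continue
        if rule.field_type is not None and g.field_type != rule.field_type:
            continue
        if rule.field_values and g.field_value not in rule.field_values:
            continue
        return True
    return False

def preview_members(rules, actors):
    """Actors that satisfy every rule (assumed AND semantics), sorted by name."""
    if not rules:
        return []  # in this model a policy without rules adds nobody
    return sorted(name for name, grants in actors.items()
                  if all(rule_matches(r, grants) for r in rules))

# Constructed sample data: actor name -> grants held
ACTORS = {
    "alice": [Grant("Data Access", "Customer", "Intu")],
    "bob":   [Grant("Data Access", "Customer", "Contoso")],
    "carol": [Grant("Read", "Customer", "Intu")],
    "dave":  [Grant("Data Access", "Customer", "Intu"),
              Grant("Data Access", "Region", "EMEA")],
}
# The rule from the step above: Data Access right to the Customer field type for Intu
RULES = [Rule("Customer data access", "Data Access", "Customer", frozenset({"Intu"}))]

if __name__ == "__main__":
    print(preview_members(RULES, ACTORS))
```

Leaving the field values empty in a rule widens the match to every value of that field type, so comparing the preview with and without the value constraint shows how much a missing constraint broadens membership.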
...