
EmpowerID’s PBAC Membership policies are a special type of policy that connects the world of attribute-based real-time dynamic access to the traditional model of granting permissions within applications and systems. For example, PBAC membership policies allow the flexible attribute and role-based assignment model to determine who should be a member of which groups or roles in EmpowerID.

In this article, we discuss the components of PBAC membership policies and how to create and use them.

Step 1 - Create PBAC Membership policies

PBAC Membership policies can be created in two different ways: on the View One pages of the roles, groups, and collections that are the target of the policy, or globally on the Role Modeling Inbox page of EmpowerID. The example below demonstrates how to create a policy on the Role Modeling Inbox page.

...

On the navbar, expand Role Management and select Role Modeling Inbox.

Select the Attribute-Based Membership Policies tab and then click the Add button on the grid header.

...

Enter the information appropriate for your situation and then click Save to create the policy.

Now that the policy is created, the next step is to define the conditions needed for users to be added to the policy target. You do this by adding rules to it.

Step 2 - Add Attribute Conditions to the policy

Locate the policy you just created in the Attribute-Based Membership Policies grid and click the Name link for it.

...

Expand the Attribute Conditions (Field Types) accordion and click the Add button on the grid header.

...

Enter the following information in the Dynamic Membership Rule form that appears:

...

Name – Name of the rule

...

Right – If the rule defines an application right that needs to be met, search for and select the appropriate right

...

Field Type (Attribute) – If the rule specifies an application field type that needs to be met, search for and select the appropriate attribute

...

...

Save the rule.

...

Repeat, adding as many rules as needed.

Info

When you add multiple rules to a policy, you create an AND condition: to qualify for the target, users need to meet all conditions. If you want an OR condition, where users only need to meet one of multiple conditions, you need to create a separate policy for each condition.

After you create the policy, the system should compile it and, depending on the settings applied, show matching records in either the Attribute-Based Membership Inbox accordion (when Enabled is set to True and Auto-Approve is set to True) or the Preview Proposed Changes accordion.
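
The AND/OR behaviour described in the Info note above, as a small Python model added here for illustration; it is not EmpowerID code and does not call any EmpowerID API. The attribute names, user records, policy names, the equality match and the handling of a policy with no rules are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    attribute: str   # hypothetical attribute name, e.g. "department"
    value: str       # assumption: a rule is met when the values are equal

@dataclass(frozen=True)
class Policy:
    name: str
    target: str      # group or role the policy populates
    rules: tuple     # every rule in one policy must be met (AND)

def matches(policy, user):
    """True only if the user meets every rule of the policy."""
    # Assumption of this model: a policy without rules matches nobody,
    # so an unfinished policy cannot pull every user into the target.
    return bool(policy.rules) and all(
        user.get(r.attribute) == r.value for r in policy.rules)

def proposed_members(policies, users):
    """Union over policies sharing a target: one policy per OR branch."""
    result = {}
    for policy in policies:
        members = result.setdefault(policy.target, set())
        members.update(uid for uid, attrs in users.items()
                       if matches(policy, attrs))
    return result

# Constructed sample data, not taken from any real directory.
USERS = {
    "alice": {"department": "Finance", "employee_type": "Employee"},
    "bob":   {"department": "Finance", "employee_type": "Contractor"},
    "carol": {"department": "Audit",   "employee_type": "Employee"},
    "dave":  {"department": "Sales"},  # attribute missing: rule is not met
}
POLICIES = [
    Policy("Finance employees", "Ledger Readers", (
        Rule("dept", "department", "Finance"),
        Rule("type", "employee_type", "Employee"))),       # AND of two rules
    Policy("Audit staff", "Ledger Readers", (
        Rule("dept", "department", "Audit"),)),            # second OR branch
]

if __name__ == "__main__":
    for target, members in proposed_members(POLICIES, USERS).items():
        print(target, sorted(members))
```

Running a dry evaluation like this against an export of user attributes before setting Auto-Approve to True shows who a policy would add, which is the same question the Preview Proposed Changes accordion answers inside the product.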

...
