PBAC Membership policies are policies you create to specify the conditions under which an EmpowerID actor, such as a person or a Business Role and Location combination, can be added, or potentially added, to Management Roles, groups, Business Role and Location combinations, and Query-Based Collections. PBAC Membership policies are comprised of Attribute-Based membership policies, which contain rules defining the field types, field type values, and rights that users need in order for the system to add them to the target of the policy. This article describes the components of PBAC Membership policies and how to create and use them.

Step 1 – Create the policy

PBAC Membership policies can be created in two ways:

  1. Using the view one page of the roles, groups, and collections

  2. Using the role modeling inbox page (global policy)

Method 1 - Create using the view one page of the roles, groups, and collections

PBAC Membership policies can be created on the view one page of the roles, groups, and collections that are the target of the policy. In the below example, we demonstrate how to create a policy using the view-one page of a group that is the target of the policy.

  1. On the navbar, expand Identity Administration and select Groups.

  2. Search for a group name.


  3. Click on the group logon name hyperlink to open the group’s view-one page.


  4. Select the Advanced tab and scroll down to select Attribute-Based Membership Policies.


  5. Click the + icon in the Attribute-Based Membership Policies section to create a new membership policy for this group. On the page that opens, enter the name of the policy, select a policy type, check the Is Enabled check box, set the interval to 15 minutes, and click Save.


  6. This will create the PBAC membership policy and queue it for compilation.


Method 2 - Create using the role modeling inbox page (global policy)

PBAC Membership policies can also be created globally on the Role Modeling Inbox page of EmpowerID. The sections below walk through both locations in detail:

  1. Creating a policy on a role or group’s View page

  2. Creating a policy on the Role Modeling Inbox page

Create a policy using the View page

  1. Use the global search to search for the role or group for which you want to create a PBAC Membership Policy. To do so, select the appropriate resource type and then search for the specific resource. For example, if you want to create a policy for a group named “spmemgroup,” select Group as the resource type and then search for “spmemgroup.”

    This action directs you to the View page for the selected resource, which in this case is the View page for the “spmemgroup” group.

  2. On the View page, select the Advanced tab, the Membership sub-tab, and then expand the Attribute-Based Membership accordion.


  3. Click the Add [+] button in the Attribute-Based Membership Policies accordion.
    This action opens the form for creating the policy.


  4. Fill in the form with the appropriate information.

Field: Name
Description: Name of the policy.
Action / Task: Enter a name for the policy.

Field: Display Name
Description: Display name of the policy.
Action / Task: Enter a display name for the policy.

Field: Policy Type
Description: The policy type defines what happens as a result of policy matches. Results include:

  • Member – Matches are granted membership if Auto-Approve is enabled on the policy; otherwise, the system generates Business Requests and sends them to the appropriate users for approval.

  • Eligible – Matches are eligible for membership and can request it in the IAM Shop.

  • Pre-Approved – Matches are pre-approved for membership.

  • Suggested – Matches see membership as a suggestion and can request it in the IAM Shop.

Action / Task: Select the desired policy type from the drop-down.

Field: Is Enabled
Description: Specifies whether the system compiles the policy and adds entries to the inbox to be processed. If this setting is not checked, the system instead generates proposals that let you preview what would happen if the policy were enabled.
Action / Task: Check or uncheck.

Field: Auto-Approve
Description: Specifies whether the system auto-approves membership for all actors matching the policy. This setting applies only when Member is the selected policy type.
Action / Task: Check or uncheck.

Field: Job Schedule
Description: Specifies the date on which the policy compiler first compiles the policy, the date on which it stops compiling the policy, and the frequency of compilation. The default start date is the date of creation, with an interval that compiles the policy once every 24 hours.
Action / Task: Select the Start and End dates for the policy and specify the interval as desired.

Field: Responsible Party
Description: In the EmpowerID system, the term "responsible party" refers to a person designated to bear accountability for the security and audit aspects of various IT objects.
Action / Task: Select the person who is to be the responsible party for the policy.

  5. When ready, click Save to create the policy.

Create a policy using the Role Modeling Inbox page

  1. On the navbar, expand Role Management and select Role Modeling Inbox.

  2. Select the Attribute-Based Membership Policies tab and then click the Add button on the grid header.
    This action opens the form for creating the policy.

  3. Fill in the form with the information appropriate for your situation and then click Save to create the policy. The fields on this form are described later in this article.

Now that the policy is created, the next step is to define the conditions needed for users to be added to the policy target. You do this by adding rules to it.

Step 2 - Add Attribute Conditions to the policy

Locate the policy you just created in the Attribute-Based Membership Policies grid and click the Name link for it.


Expand the Attribute Conditions (Field Types) accordion and click the Add button on the grid header.


Enter the following information in the Dynamic Membership Rule form that appears:

  • Name – Name of the rule

  • Right – If the rule defines an application right that needs to be met, search for and select the appropriate right

  • Field Type (Attribute) – If the rule specifies an application field type that needs to be met, search for and select the appropriate attribute

  • Field Values (Constraints on Right Assignment) – If the field type can have multiple values, select the values needed

    For example, a rule could specify that users need the Data Access right to the Customer field type for Intu.


Save the rule.


Repeat, adding as many rules as needed.

Info

When you add multiple rules to a policy, you create an AND condition: to qualify for the target, users need to meet all of the conditions. If you want an OR condition, where users only need to meet one of several conditions, you need to create a separate policy for each condition.

After you create the policy, the system compiles it and, depending on the settings applied, shows matching records either in the Attribute-Based Membership Inbox accordion (when Is Enabled and Auto-Approve are both set to True) or in the Preview Proposed Changes accordion.
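To make these rule semantics concrete, here is an added Python model (not EmpowerID code) of how rules within one policy combine with AND, how separate policies give OR, and how Is Enabled, Auto-Approve and the policy type decide what the compiler does with a match. The Region field type, the policy names and the two actors are constructed sample data; only the Customer/Intu rule comes from the article.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One Attribute Condition on a policy: Right, Field Type and accepted Field Values."""
    right: str | None                 # None: the rule does not constrain the right
    field_type: str
    values: frozenset = frozenset()   # empty: any value of the field type qualifies

@dataclass
class Policy:
    name: str
    policy_type: str                  # "Member", "Eligible", "Pre-Approved" or "Suggested"
    rules: tuple                      # Rule objects; all must hold (AND)
    is_enabled: bool = True
    auto_approve: bool = False

def rule_holds(rule: Rule, assignments: set) -> bool:
    """assignments: the actor's current (right, field type, value) triples."""
    return any((rule.right is None or r == rule.right) and ft == rule.field_type
               and (not rule.values or v in rule.values) for r, ft, v in assignments)

def actor_matches(policy: Policy, assignments: set) -> bool:
    """Rules within one policy are ANDed: the actor must meet every rule."""
    return all(rule_holds(rule, assignments) for rule in policy.rules)

def outcome(policy: Policy, assignments: set) -> str:
    """What the compiler does with the actor, given the policy's settings."""
    if not actor_matches(policy, assignments):
        return "no match"
    if not policy.is_enabled:
        return "proposal (Preview Proposed Changes)"
    if policy.policy_type == "Member":
        return "membership granted" if policy.auto_approve else "Business Request for approval"
    return {"Eligible": "eligible, can request in IAM Shop",
            "Pre-Approved": "pre-approved for membership",
            "Suggested": "suggested, can request in IAM Shop"}[policy.policy_type]

def matching_policies(policies: list, assignments: set) -> list:
    """OR comes from separate policies: the actor qualifies if any single policy matches."""
    return [p.name for p in policies if actor_matches(p, assignments)]

# Constructed sample data: the article's Customer/Intu rule, a hypothetical Region rule, two actors.
CUSTOMER_INTU = Rule("Data Access", "Customer", frozenset({"Intu"}))
REGION_EMEA = Rule(None, "Region", frozenset({"EMEA"}))
BOTH = Policy("both-conditions", "Member", (CUSTOMER_INTU, REGION_EMEA), auto_approve=True)
EITHER = [Policy("customer-intu", "Member", (CUSTOMER_INTU,)),
          Policy("region-emea", "Member", (REGION_EMEA,))]
ALICE = {("Data Access", "Customer", "Intu"), ("Data Access", "Region", "EMEA")}
BOB = {("Data Access", "Customer", "Intu")}
```

Bob meets only the Customer/Intu condition, so he matches neither rule set of the two-rule policy but does match the single-rule policy that covers just that condition.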


Role Modeling Inbox form fields

When you create the policy from the Role Modeling Inbox page, the form contains the same fields as the View page form plus a field for the type of assignee, because the policy is created globally rather than for a role or group you have already selected.

Field: Which Type of Assignee for this Policy?
Description: Selects the type of assignee that is the target of the policy.
Action / Task: Select an assignee type.

Field: Name
Description: Name of the policy.
Action / Task: Enter a name for the policy.

Field: Display Name
Description: Display name of the policy.
Action / Task: Enter a display name for the policy.

Field: Policy Type
Description: The policy type defines what happens as a result of policy matches. Results include:

  • Member – Matches are granted membership if Auto-Approve is enabled on the policy; otherwise, the system generates Business Requests and sends them to the appropriate users for approval.

  • Eligible – Matches are eligible for membership and can request it in the IAM Shop.

  • Pre-Approved – Matches are pre-approved for membership.

  • Suggested – Matches see membership as a suggestion and can request it in the IAM Shop.

Action / Task: Select the desired policy type from the drop-down.

Field: Is Enabled
Description: Specifies whether the system compiles the policy and adds entries to the inbox to be processed. If this setting is not checked, the system instead generates proposals that let you preview what would happen if the policy were enabled.
Action / Task: Check or uncheck.

Field: Auto-Approve
Description: Specifies whether the system auto-approves membership for all actors matching the policy. This setting applies only when Member is the selected policy type.
Action / Task: Check or uncheck.

Field: Job Schedule
Description: Specifies the date on which the policy compiler first compiles the policy, the date on which it stops compiling the policy, and the frequency of compilation. The default start date is the date of creation, with an interval that compiles the policy once every 24 hours.
Action / Task: Select the Start and End dates for the policy and specify the interval as desired.

Field: Responsible Party
Description: In the EmpowerID system, the term "responsible party" refers to a person designated to bear accountability for the security and audit aspects of various IT objects.
Action / Task: Select the person who is to be the responsible party for the policy.

When ready, click Save to create the policy.

Results

EmpowerID creates the PBAC Membership Policy for the selected group, role, or Query-Based Collection. You can view the new policy in the Role Modeling Inbox.
