PBAC Membership Policies define the conditions under which an EmpowerID actor, such as a person or a Business Role and Location, can be added to or considered for inclusion in Management Roles, groups, Business Roles and Locations, or Query-Based Collections. These policies are built on Attribute-Based membership policies, which contain rules that specify the field types, field type values, and rights required for users to qualify for membership in the policy’s target.
By leveraging attribute-based rules, PBAC Membership Policies enable dynamic and automated access management, ensuring security and compliance while reducing administrative overhead. This article explains the core components of PBAC Membership Policies and provides step-by-step instructions for creating and applying them to meet your organization’s specific access management requirements.
Info |
---|
PBAC Membership Policies can be created directly from the View One pages of the roles, groups, or collections that they target. Alternatively, they can be created and managed centrally from the Role Modeling Inbox page in EmpowerID. In this article, we will demonstrate the process of creating a PBAC Membership Policy using the Role Modeling Inbox and applying it to a specific Management Role. |
Procedure: Creating a PBAC Membership Policy
Sign in to EmpowerID as an administrator.
Navigate to Role Management > Role Modeling Inbox.
Open the Attribute-Based Membership Policies tab and click the Add New button.
This action opens the Attribute-Based Membership Policy form.
Specify the target type and assignee.
Under the Assignment Information section:
Select the type of assignee for the policy from the Which Type of Assignee for this Policy? dropdown. Available options include Business Role and Location, Management Role, Management Role Definition, Group, or Query-Based Collection.
After selecting the type, choose the specific assignee. For example, if you select Management Role, you can choose a specific Management Role like “Docs-SA.” Similarly, if you select Group, you will choose a specific group.
Complete the policy details under the Other Info section.
Name: Enter a unique name for the policy.
Display Name: Provide a display name for easier identification in EmpowerID.
Policy Type: Choose one of the following options to determine how EmpowerID processes the outcomes of policy matches:
Member: Matches are granted membership if the Auto-Approve option is enabled on the policy; otherwise, Business Requests are generated and sent for approval.
Eligible: Matches are eligible for membership and can request it through the IAM Shop.
Pre-Approved: Matches are automatically added to the group, role, or collection as members by the system.
Suggested: Matches see the membership option as a suggestion in the IAM Shop.
Is Enabled: Toggle this option to enable the policy. When enabled, the system compiles the policy and processes entries. When disabled, it generates reviewable proposals without applying them.
Auto-Approve: Enable this option to allow the system to automatically approve actions for the selected policy type. If disabled, Business Requests will be generated for manual approval.
Job Schedule Interval: Specify the start and end dates for the policy and the desired execution interval. The default is once every 24 hours.
Click Save to finalize the creation of the policy.
The newly created policy will appear in the Attribute-Based Membership Policies grid.
...
Next Steps: Defining Attribute Conditions
Once the policy has been created, the next step is to define the specific conditions under which users can be added to the policy’s target. This is accomplished by adding attribute condition rules to the policy. Refer to the article Adding PBAC Attributes to PBAC Membership Policies for detailed instructions.