
PBAC Membership Policies define the conditions under which EmpowerID actors, such as people or Business Roles and Locations, can be added to, or potentially added to, Management Roles, groups, Business Roles and Locations, or Query-Based Collections. PBAC Membership Policies are comprised of Attribute-Based Membership Policies, which contain rules defining the field types, field type values, and rights needed by users for the system to add them to the target of the policy. These policies use attribute-based rules to dynamically assign membership based on specified criteria, such as field types and field type values.

Info

PBAC Membership Policies can be created directly on the View One pages of the roles, groups, and collections that they target, or more broadly on the Role Modeling Inbox page of EmpowerID. Here, we'll demonstrate the latter method, focusing on how to apply a policy to a specific Management Role.

This article provides step-by-step instructions for creating a PBAC Membership Policy using the Role Modeling Inbox. For a detailed explanation of PBAC Membership Policies and their components, see Overview of PBAC Membership Policies.

Procedure: Creating a PBAC Membership Policy

  1. Sign in to EmpowerID as an administrator.

  2. Navigate to Role Management > Role Modeling Inbox.

  3. Open the Attribute-Based Membership Policies tab, then click the Add New button.



    This action opens the Attribute-Based Membership Policy form.



  4. Specify the target type and assignee.
    Under the Assignment Information section:

    • Select the type of assignee for the policy from the Which Type of Assignee for this Policy? dropdown. Available options include Business Role and Location, Management Role, Management Role Definition, Group, or Query-Based Collection.

    • After selecting the type, choose the specific assignee. For example, if you select Management Role, you can choose a specific Management Role like “Docs-SA.” Similarly, if you select Group, you will choose a specific group.

  5. Complete the policy details under the Other Info section.

    • Name: Enter a unique name for the policy.

    • Display Name: Provide a display name for easier identification in EmpowerID.

    • Policy Type: Choose one of the following options to determine how EmpowerID processes the outcomes of policy matches:

      • Member: Matches are granted membership if the Auto-Approve option is enabled on the policy; otherwise, the system generates Business Requests and sends them to the appropriate users for approval.

      • Eligible: Matches are eligible for membership and can request it through the IAM Shop.

      • Pre-Approved: Matches are automatically added to the group, role, or collection as members by the system.

      • Suggested: Matches see the membership option as a suggestion in the IAM Shop.

    • Is Enabled: When enabled, the system compiles the policy and processes entries. When disabled, it generates reviewable proposals without applying them.

    • Auto-Approve: Enable this option to allow the system to automatically approve actions for the selected policy type. If disabled, Business Requests will be generated for manual approval.

    • Job Schedule Interval: Specify the start and end dates for the policy and the desired execution interval. The default is once every 24 hours.

  6. Click Save to finalize the creation of the policy.

    • The newly created policy will appear in the Attribute-Based Membership Policies grid.

Next Steps: Defining Attribute Conditions

Once the policy has been created, the next step is to define the specific conditions under which users can be added to the policy’s target. This is accomplished by adding attribute condition rules to the policy. Refer to the article /wiki/spaces/EAGV24R2/pages/3390602423 for detailed instructions.