Policy-based access control (PBAC) is a method for controlling user access to complex systems in which users' business roles are combined with well-defined policies to decide what access capabilities each role should have. In EmpowerID, these policies are called PBAC membership policies. Policy-based access control considers roles as well as attributes when determining access privileges.

Policies define the business meaning, and every consumer application receives the resulting decision regardless of its technical implementation. For example, in the banking domain, a PBAC policy may be defined as "Basic profiles and bank accounts of clients who are in the same line of business and branch are accessible to branch managers."

PBAC membership policies are statements that combine attributes to describe what is permitted and what is not. Policies can be local or global, and they can be formulated so that they override other policies. For example:

a) If the document is in the same department as the user, the user can see it.
b) If you are the document's owner and the document is in draft mode, you can edit it.
c) After 9 p.m. and before 9 a.m., deny access.

In EmpowerID, PBAC membership policies are policies you create to specify the conditions under which an EmpowerID actor, such as a person or a business role and location, can be added (or proposed for addition) to management roles, groups, business roles and locations, or query-based collections. PBAC membership policies comprise attribute-based membership policies, which contain rules defining the field types, field type values, and rights a user must have before the system adds that user to the target of the policy.

In this article, we discuss the components of PBAC membership policies and how to create and use them.

Step 1 - Create PBAC Membership policies

PBAC Membership policies can be created in two ways: on the View One pages of the roles, groups, and collections that are the target of the policy, or globally on the Role Modeling Inbox page of EmpowerID. The example below demonstrates how to create a policy on the Role Modeling Inbox page.

...

On the navbar, expand Role Management and select Role Modeling Inbox.

Select the Attribute-Based Membership Policies tab and then click the Add button on the grid header.

...

Enter the information appropriate for your situation and then click Save to create the policy.

Now that the policy is created, the next step is to define the conditions needed for users to be added to the policy target. You do this by adding rules to it.

Step 2 - Add Attribute Conditions to the policy

Locate the policy you just created in the Attribute-Based Membership Policies grid and click the Name link for it.

...

Expand the Attribute Conditions (Field Types) accordion and click the Add button on the grid header.

...

Enter the following information in the Dynamic Membership Rule form that appears:

...

Name – Name of the rule

...

Right – If the rule defines an application right that needs to be met, search for and select the appropriate right

...

Field Type (Attribute) – If the rule specifies an application field type that needs to be met, search for and select the appropriate attribute

...

...

Save the rule.

...

Repeat, adding as many rules as needed.

Info

Adding multiple rules to one policy creates an AND condition: to qualify for the target, users must meet all of the rules. To create an OR condition, where users need to meet only one of several conditions, create a separate policy for each condition (each targeting the same role, group, or collection).

After you create the policy, the system compiles it. Depending on the settings applied, matching records appear either in the Attribute-Based Membership Inbox accordion (when Enabled is set to True and Auto-Approve is set to True) or in the Preview Proposed Changes accordion.

...

When the PBAC engine compiles PBAC Membership policies, it checks whether any EmpowerID actors match the policy's conditions and, if they do, adds them to the policy's target.

EmpowerID's PBAC Membership policies are a particular type of policy that connects attribute-based, real-time dynamic access to the traditional model of granting permissions within applications and systems. For example, PBAC membership policies let the flexible attribute- and role-based assignment model determine who should be a member of which groups or roles in EmpowerID.

The primary building blocks of a PBAC membership policy are depicted in the overview diagram below.

[Overview diagram: building blocks of a PBAC membership policy]

For a PBAC membership policy to work in EmpowerID, the following steps are needed.

  1. Check that the prerequisite job(s) are running - Certain prerequisite jobs must be running for PBAC membership policies to work in EmpowerID.

  2. Create a PBAC attribute type - A PBAC field type (attribute) is the connector that links an EmpowerID actor (e.g., a person) to a PBAC membership policy target (e.g., a group).

  3. Add values to the PBAC attribute type - A PBAC field type (attribute) holds the values that are compared when deciding whether an actor (e.g., a person) becomes a member of a target (e.g., a group).

  4. Add the PBAC attribute type to an actor - The PBAC field type (attribute) must be assigned to an EmpowerID actor (e.g., a person).

  5. Create a PBAC membership policy - A PBAC membership policy must be created for the target type (e.g., a group).

  6. Add the PBAC attribute type to the PBAC membership policy - The PBAC field type (attribute) must be added to the PBAC membership policy; this is what connects the policy to the EmpowerID actor.

  7. Verify the result - After the PBAC membership policy is compiled, verify the outcome. For example, after compilation the policy adds the actor (e.g., a person) to the target (e.g., a group).
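The following Python model is an added illustration, not EmpowerID code or an EmpowerID API. It mimics the compile step described in the Info note and in the seven steps above: rules within one policy combine as AND, separate policies on the same target combine as OR, a policy with Enabled and Auto-Approve both True adds matching actors to the target, and any other policy only proposes them for review. The actors, attribute values, rights, and target names are constructed sample data; the `Rule`, `Policy`, `Actor` classes and the `compile_policies` function are hypothetical names chosen for this example.

```python
"""Illustrative model of PBAC membership policy compilation (not EmpowerID code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One dynamic membership rule: either a field type (attribute) that must
    hold a given value, or an application right the actor must hold."""
    kind: str                    # "attribute" or "right"
    name: str                    # field type name or right name
    value: Optional[str] = None  # required attribute value; unused for rights


@dataclass
class Policy:
    """A PBAC membership policy; all of its rules must match (AND)."""
    name: str
    target: str                  # e.g. a group or management role
    rules: List[Rule]
    enabled: bool = True
    auto_approve: bool = True


@dataclass
class Actor:
    """An EmpowerID actor (here a person) with field-type values and rights."""
    name: str
    attributes: Dict[str, Set[str]] = field(default_factory=dict)
    rights: Set[str] = field(default_factory=set)


def rule_matches(rule: Rule, actor: Actor) -> bool:
    """Evaluate a single rule against an actor."""
    if rule.kind == "attribute":
        return rule.value in actor.attributes.get(rule.name, set())
    if rule.kind == "right":
        return rule.name in actor.rights
    raise ValueError(f"unknown rule kind: {rule.kind!r}")


def qualifies(policy: Policy, actor: Actor) -> bool:
    """Multiple rules in one policy form an AND condition. A policy with no
    rules deliberately matches nobody: `all([])` would otherwise be True and
    silently grant the target to every actor."""
    if not policy.rules:
        return False
    return all(rule_matches(r, actor) for r in policy.rules)


def compile_policies(
    policies: List[Policy], actors: List[Actor]
) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Return (memberships, proposed), each mapping target -> actor names.
    Enabled + Auto-Approve sends matches straight into membership; anything
    else lands in the proposed-changes list for review. Because every policy
    is evaluated independently, several policies on one target act as OR."""
    memberships: Dict[str, Set[str]] = defaultdict(set)
    proposed: Dict[str, Set[str]] = defaultdict(set)
    for policy in policies:
        bucket = memberships if (policy.enabled and policy.auto_approve) else proposed
        for actor in actors:
            if qualifies(policy, actor):
                bucket[policy.target].add(actor.name)
    return dict(memberships), dict(proposed)


# Constructed sample data (not from any real directory).
ACTORS = [
    Actor("alice", {"Department": {"Finance"}, "Location": {"Berlin"}}, {"ApproveInvoice"}),
    Actor("bob", {"Department": {"Finance"}, "Location": {"Paris"}}),
    Actor("carol", {"Department": {"IT"}, "Location": {"Berlin"}}, {"ApproveInvoice"}),
]

POLICIES = [
    # AND: both rules must hold, so only alice qualifies.
    Policy("Finance in Berlin", "Finance-Berlin-Admins",
           [Rule("attribute", "Department", "Finance"), Rule("attribute", "Location", "Berlin")]),
    # OR: two separate policies on the same target; matching either one suffices.
    Policy("Approvers by right", "Invoice-Approvers", [Rule("right", "ApproveInvoice")]),
    Policy("Approvers in Paris finance", "Invoice-Approvers",
           [Rule("attribute", "Department", "Finance"), Rule("attribute", "Location", "Paris")]),
    # Auto-Approve off: matches are only proposed, never applied directly.
    Policy("Finance staff", "Finance-Staff", [Rule("attribute", "Department", "Finance")],
           auto_approve=False),
]


def run() -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    return compile_policies(POLICIES, ACTORS)


if __name__ == "__main__":
    members, pending = run()
    for target, names in sorted(members.items()):
        print(f"{target}: {sorted(names)}")
    for target, names in sorted(pending.items()):
        print(f"{target} (proposed): {sorted(names)}")
```

The point to take from the model is the one the Info note makes: putting "Department = Finance" and "Location = Paris" in the same policy admits only actors with both, while the two Invoice-Approvers policies admit anyone who satisfies either. The empty-rules guard is the kind of check worth confirming in any policy engine, since a policy saved before its rules are added should not match every actor.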

PBAC Membership Policy Types
