In EmpowerID, PBAC membership policies are policies we create to specify the conditions under which an EmpowerID actor, such as a person or a business role and location can be added to or potentially added to management roles, groups, business roles and locations, or query-based collections. PBAC membership policies are comprised of attribute-based membership policies, which contain rules defining the field types, field type values, and rights needed by users for the system to add them to the target of the policy.
When the PBAC engine compiles PBAC Membership policies, it checks to see whether any EmpowerID actors have the policy's characteristics and adds them to the policy's target if they do.
EmpowerID’s PBAC Membership policies are a special type of policy that connects the world of attribute-based real-time dynamic access to the traditional model of granting permissions within applications and systems. For example, PBAC membership policies allow the flexible attribute and role-based assignment model to determine who should be a member of which groups or roles in EmpowerID.
The primary building blocks of PBAC membership policy is depicted in the below overview diagram.
