
Creating PBAC Membership Policies


PBAC Membership Policies define the conditions under which an EmpowerID actor—such as a person or a Business Role and Location—can be added to or considered for inclusion in Management Roles, groups, Business Roles and Locations, or Query-Based Collections. These policies are built on Attribute-Based membership rules that specify the field types, field type values, and rights required for users to qualify for membership in the policy’s target.

By leveraging attribute-based rules, PBAC Membership Policies enable dynamic and automated access management, ensuring security and compliance while reducing administrative overhead. This article explains the core components of PBAC Membership Policies and provides step-by-step instructions for creating and applying them to meet your organization’s specific access management requirements.

PBAC Membership Policies can be created directly from the View One pages of the roles, groups, or collections they target. Alternatively, they can be created and managed centrally from the Role Modeling Inbox page in EmpowerID. In this article, we will demonstrate the process of creating a PBAC Membership Policy using the Role Modeling Inbox and applying it to a specific Management Role.

Procedure: Creating a PBAC Membership Policy

  1. Sign in to EmpowerID as an administrator.

  2. Navigate to Role Management > Role Modeling Inbox.

  3. Open the Attribute-Based Membership Policies tab and click the Add New button.

    This action opens the Attribute-Based Membership Policy form.

  4. Specify the target type and assignee.
    Under the Assignment Information section:

    • Select the type of assignee for the policy from the Which Type of Assignee for this Policy? dropdown. Available options include Business Role and Location, Management Role, Management Role Definition, Group, or Query-Based Collection.

    • After selecting the type, choose the specific assignee. For example, if you select Management Role, you can choose a specific Management Role like “Docs-SA.” Similarly, if you select Group, you will choose a specific group.

  5. Complete the policy details under the Other Info section.

    • Name: Enter a unique name for the policy.

    • Display Name: Provide a display name for easier identification in EmpowerID.

    • Policy Type: Choose one of the following options to determine how EmpowerID processes policy matches:

      • Member: Matches are granted membership if the Auto-Approve option is enabled; otherwise, Business Requests are generated and sent for approval.

      • Eligible: Matches are eligible for membership and can request it through the IAM Shop.

      • Pre-Approved: Matches are automatically added as members by the system.

      • Suggested: Matches see the membership option as a suggestion in the IAM Shop.

    • Is Enabled: Toggle this option to enable the policy. When enabled, the system compiles the policy and processes entries. When disabled, it generates reviewable proposals without applying them.

    • Auto-Approve: Enable this option to allow the system to automatically approve actions for the selected policy type. If disabled, Business Requests will be generated for manual approval.

    • Job Schedule Interval: Specify the policy's start and end dates and the desired execution interval. The default is once every 24 hours.

  6. Click Save to finalize the creation of the policy.

    • The newly created policy will appear in the Attribute-Based Membership Policies grid.

Next Steps: Defining Attribute Conditions

Once the policy has been created, the next step is to define the specific conditions under which users can be added to the policy’s target. This is accomplished by adding attribute condition rules to the policy. Refer to the article Adding PBAC Attributes to PBAC Membership Policies for detailed instructions.
