PBAC Membership policies are policies you create to specify the conditions under which an EmpowerID actor, such as a person or a Business Role and Location, can be added (or proposed for addition) to Management Roles, groups, Business Roles and Locations, or Query-Based Collections. A PBAC Membership policy is composed of Attribute-Based Membership policies, which contain rules defining the field types, field type values, and rights a user must have for the system to add them to the policy's target. Because the rules are attribute-based, access is managed dynamically, which strengthens security and compliance across the organization. This article describes the components of PBAC Membership policies and walks through creating and using one, so you can set up access management tailored to your organization's needs.
PBAC Membership policies can be created directly on the View One pages of the roles, groups, and collections that they target, or more broadly on the Role Modeling Inbox page of EmpowerID. Here, we'll demonstrate the latter method, focusing on how to apply a policy to a specific management role.
Procedure
Sign in to EmpowerID as an administrator.
Navigate to Role Management > Role Modeling Inbox.
Click on the Attribute-Based Membership Policies tab, then click the Add New button.
This action opens the Attribute-Based Membership Policy form.
Under Assignment Information, select the target type for the policy from the "Which Type of Assignee for this Policy?" dropdown. Options include:
Business Role and Location
Management Role
Management Role Definition
Group
Query-Based Collection
After selecting the assignee type, select the specific assignee of that type. For example, in the image below, we selected “Management Role” as the assignee type and “Docs-SA” as the specific Management Role. If you were to choose Group as the assignee type, you would then select a specific group, and so on for each available assignee type.
Under Other Info, complete the form with the following details:
Name: Enter a unique name for the policy.
Display Name: Provide a display name for easier identification in EmpowerID.
Policy Type: Select one of the following options to define how EmpowerID processes the outcomes of policy matches.
Member – Matches are granted membership if Auto-Approve is enabled on the policy; otherwise, the system generates Business Requests and sends them to the appropriate users for approval.
Eligible – Matches are eligible for membership and can request it in the IAM Shop.
Pre-Approved – Matches are automatically added to the group, role, or collection as members by the system.
Suggested – Matches see the membership option as suggested in the IAM Shop.
Is Enabled: Enable this so the system compiles the policy and processes its entries; leave it disabled to have the system generate reviewable proposals instead.
Auto-Approve: Enable this to direct the system to automatically approve the action specific to the chosen policy type; otherwise, the system will generate Business Requests for approval.
Job Schedule Interval: Set the start and end dates for the policy and specify the desired interval, with the default being once every 24 hours.
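To make the interaction between Policy Type, Is Enabled and Auto-Approve concrete, the following Python model evaluates a policy against sample people and reports the outcome the descriptions above predict. This is an added illustration, not EmpowerID code: the rule format (a field type with a set of allowed values), the sample people, the "Docs-SA" policy data and the Outcome names are constructed here. Two modelling assumptions are labelled in the code: a policy with no attribute rules matches nobody (fail closed), and Pre-Approved adds matches regardless of Auto-Approve, as its description states, while Member, Eligible and Suggested go to a Business Request when Auto-Approve is off.

```python
"""Constructed model of PBAC Membership Policy outcomes (illustration, not EmpowerID code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Tuple


class PolicyType(Enum):
    MEMBER = "Member"
    ELIGIBLE = "Eligible"
    PRE_APPROVED = "Pre-Approved"
    SUGGESTED = "Suggested"


class Outcome(Enum):
    NO_MATCH = "no match"
    PROPOSAL = "reviewable proposal only (policy disabled)"
    ADDED = "added as member"
    BUSINESS_REQUEST = "Business Request sent for approval"
    ELIGIBLE = "eligible: can request membership in IAM Shop"
    SUGGESTED = "shown as suggested in IAM Shop"


@dataclass(frozen=True)
class AttributeRule:
    """One attribute condition: the person's value for field_type must be in allowed_values.
    (Constructed rule shape; the page does not specify the rule format.)"""
    field_type: str
    allowed_values: FrozenSet[str]


@dataclass(frozen=True)
class MembershipPolicy:
    name: str
    assignee_type: str                  # e.g. "Management Role"
    assignee: str                       # e.g. "Docs-SA"
    policy_type: PolicyType
    is_enabled: bool = True
    auto_approve: bool = False
    rules: Tuple[AttributeRule, ...] = ()


def matches(policy: MembershipPolicy, person: Dict[str, str]) -> bool:
    """All rules must hold (AND). Assumption: a policy with no rules matches nobody,
    so a half-configured policy can never grant everyone membership."""
    if not policy.rules:
        return False
    return all(person.get(r.field_type) in r.allowed_values for r in policy.rules)


def evaluate(policy: MembershipPolicy, person: Dict[str, str]) -> Outcome:
    """Map a (policy, person) pair to the outcome described by the policy settings."""
    if not matches(policy, person):
        return Outcome.NO_MATCH
    if not policy.is_enabled:
        # Disabled policies are not processed; the system only proposes what it would do.
        return Outcome.PROPOSAL
    if policy.policy_type is PolicyType.PRE_APPROVED:
        # Assumption: Pre-Approved matches are added by the system without a request.
        return Outcome.ADDED
    if not policy.auto_approve:
        # Without Auto-Approve, the type-specific action goes out as a Business Request.
        return Outcome.BUSINESS_REQUEST
    return {
        PolicyType.MEMBER: Outcome.ADDED,
        PolicyType.ELIGIBLE: Outcome.ELIGIBLE,
        PolicyType.SUGGESTED: Outcome.SUGGESTED,
    }[policy.policy_type]


def run_policy(policy: MembershipPolicy, people: Dict[str, Dict[str, str]]) -> Dict[str, Outcome]:
    """Evaluate one policy against a directory of people (what a scheduled run would do)."""
    return {person_id: evaluate(policy, attrs) for person_id, attrs in people.items()}


# Constructed sample data: rules for the "Docs-SA" Management Role and three people.
DOCS_RULES = (
    AttributeRule("Department", frozenset({"Documentation"})),
    AttributeRule("EmployeeType", frozenset({"Full-Time"})),
)
DOCS_POLICY = MembershipPolicy(
    name="Docs-SA-Members", assignee_type="Management Role", assignee="Docs-SA",
    policy_type=PolicyType.MEMBER, is_enabled=True, auto_approve=False, rules=DOCS_RULES,
)
PEOPLE = {
    "alice": {"Department": "Documentation", "EmployeeType": "Full-Time"},
    "bob":   {"Department": "Engineering",   "EmployeeType": "Full-Time"},
    "carol": {"Department": "Documentation", "EmployeeType": "Contractor"},
}

if __name__ == "__main__":
    for person_id, outcome in run_policy(DOCS_POLICY, PEOPLE).items():
        print(f"{person_id:6} -> {outcome.value}")
```

Running the block shows only alice matching the two rules; because the policy type is Member and Auto-Approve is off, her match becomes a Business Request rather than an immediate addition. Flipping `auto_approve` to `True` adds her directly, and setting `is_enabled` to `False` turns every match into a proposal for review, which is the safe way to check a new policy's reach before it changes any memberships.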
Click Save to finalize the creation of the policy.
You should see the policy you created appear in the Attribute-Based Membership Policies grid.
Now that the policy is created, the next step is to define the conditions for users to be added to its target. You do this by adding attribute condition rules to it.