About EmpowerID PBAC
This article introduces EmpowerID's Policy-Based Access Control (PBAC) model and its key components. You'll learn about PBAC concepts, authorization models, and the building blocks needed for PBAC implementation in your environment. For detailed implementation steps, see the articles under “Configuring PBAC Applications.”
Organizations must maintain precise and flexible control over access to sensitive data and critical systems in today's complex digital landscape. Traditional access control models often rely on static, role-based assignments, making adapting challenging as requirements evolve. EmpowerID's Policy-Based Access Control (PBAC) model provides a dynamic framework that integrates with existing RBAC structures while supporting fine-grained, attribute-based policies. By unifying Access Management, Identity Governance and Administration (IGA), and Privileged Access Management (PAM) capabilities, EmpowerID delivers a comprehensive approach to modern access control challenges.
Understanding Policy-Based Access Control
What is PBAC?
Policy-Based Access Control (PBAC) determines permissions by evaluating conditions and attributes in real time rather than relying solely on predefined roles. Unlike strictly Role-Based Access Control (RBAC), PBAC can incorporate user attributes, resource properties, and environmental factors. This flexibility allows for more granular and adaptive authorization decisions.
EmpowerID’s PBAC Model
EmpowerID's PBAC model merges RBAC's structured approach with PBAC's dynamic flexibility. Organizations can implement configurations ranging from simple RBAC to full PBAC with attribute-based conditions by centering authorization on applications. This adaptability supports precise and context-aware security across diverse systems and environments.
Core Components of EmpowerID PBAC
Applications as Central Elements
In EmpowerID PBAC, applications serve as the core entities around which authorization is structured. Each application can have a unique security configuration, enabling administrators to tailor access controls to the application's specific requirements. This might mean using basic RBAC for one application while applying complex PBAC policies with Attribute-Based Access Control (ABAC)-style attributes for another.
Authorization Models
EmpowerID supports multiple authorization models that vary in complexity and integration:
Not PBAC and not Azure: The application does not use PBAC features or Azure integration.
PBAC App: No App Resources, No Field Types: A basic PBAC application without additional resources or attributes.
PBAC App: Yes App Resources, No Field Types: A PBAC model with defined application resources but no attributes.
PBAC App: Yes App Resources, Yes Field Types: A PBAC model with both resources and ABAC-style attributes for fine-grained control.
PBAC App: No App Resources, Yes Field Types: A PBAC model that uses attributes without specifying particular application resources.
Azure App: An application integrated with Azure, utilizing Azure-specific features.
Azure Applications with PBAC: An Azure-integrated application that employs PBAC capabilities.
Azure Applications with App Resources and PBAC: A model that combines Azure integration, application resources, and PBAC attributes.
For guidance on selecting the appropriate authorization model for your applications, see Onboarding PBAC Applications .
Field Types
Field Types in EmpowerID represent attributes used in policies to enable fine-grained authorization. They allow for the creation of dynamic policies that consider real-world data and conditions, enhancing the flexibility and precision of access control.
Types of Field Types
Field Types can be associated with different aspects of access control:
Assignee Attributes
Attributes related to the user requesting access, such as department, job title, or security clearance level. For example, a policy might grant access to certain financial records only if the user is part of the "Finance" department.
Resource Attributes
Attributes that describe characteristics of the resource being accessed, like data classification, region, or project code. A policy might restrict access to documents tagged with "Confidential" unless the user has the appropriate clearance.
Environmental Attributes
Contextual factors such as time of day, location, or device type. For instance, access to sensitive systems might be permitted only during business hours or from specific network locations.
Note: For detailed steps on configuring and managing Field Types, see the articles under "Managing App Rights and Field Types" in this guide.
The Universal PBAC Data Model
As organizations integrate diverse systems and applications, managing permissions across different platforms becomes increasingly complex. EmpowerID addresses this challenge through its Universal PBAC Data Model, which provides a consistent framework for representing and managing permissions from various systems within the PBAC model.
Integration with Diverse Permission Models
EmpowerID's Universal PBAC Data Model is designed to integrate diverse permission models from both internal and external systems, ensuring coherent cross-application access and risk management. By cataloging roles and rights from different systems, EmpowerID enables administrators to manage permissions in a unified manner.
For example, systems like Microsoft Entra ID and SAP S/4HANA have their own complex permission models. EmpowerID integrates with these systems by representing their permissions within the Universal PBAC Data Model, allowing for consistent management and analysis.
Resource System Types and Modules
Resource System Types and their associated modules represent external systems within the PBAC model. For example, Azure AD SCIM serves as the Resource System Type for Microsoft Entra ID integration, with modules like "Microsoft Graph" and "Microsoft Teams" representing specific services within that integration.
Rights and Roles in PBAC
Rights Management in the Universal PBAC Model
Rights represent specific permissions within an application, specifying what actions a user can perform. In the context of the Universal PBAC Model, rights from external systems are integrated and managed consistently:
Integration of External Rights
Rights from systems like Microsoft Entra ID or SAP are inventoried and represented within the PBAC model.
Global and Local Rights Mapping
External rights are mapped to EmpowerID's Global and Local Rights, allowing for consistent management and risk analysis. For example, roles and permissions from SAP S/4HANA are registered under Resource System Types like "SAP-ECC" or "S4/HANA," with modules representing services such as "SAP_UI" or "SAP ABAP."
Rights Categories
Rights are organized into two categories:
Global Rights: Standardized permissions consistent across multiple applications or systems (e.g., "Manage Users")
Local Rights: Application-specific permissions linked to Global Rights, ensuring standardization while allowing for context-specific variations
Roles
Roles simplify permission assignments by grouping related rights together. They can be:
Global Roles
Standardized roles consistent across all instances of a service or system, including identical Global Rights.
Local Roles
Specific to an application or system and composed of Local Rights.
For detailed instructions on configuring rights and roles, see the articles under "Managing App Rights and Field Types" and “Managing Role Definitions” sections of this guide.
Assignment Points in PBAC
Assignment Points and Assignment Point Types work together to define where permissions apply in your environment. While Assignment Points specify exact locations or entities within a system, Assignment Point Types categorize the scope of these assignments.
In Microsoft Entra ID environments, EmpowerID recognizes resources like Tenants, Management Groups, Subscriptions, and Resource Groups as Assignment Points. These correspond to specific Assignment Point Types:
Tenant Root: Rights applied globally across a tenant
Management Group: Rights scoped to specific management groups
Subscription: Assignments at the subscription level
Resource Group: Rights limited to specific resource groups
This hierarchical structure ensures precise control over permissions. For example, an administrator might assign a user the "Contributor" role at the Subscription level, granting them permissions within that specific subscription while preventing unintended access at the tenant level or other subscriptions.
Systems with different architectures implement Assignment Points according to their specific needs. In SAP systems, Assignment Points are represented through Field Type Values rather than explicit entities. This alternative approach enables granular control based on organizational attributes like company code, cost center, or plant, demonstrating how Assignment Points can adapt to different system architectures while maintaining precise permission control.
By utilizing Assignment Points and Assignment Point Types, EmpowerID provides a flexible and powerful mechanism for scoping permissions across various systems and applications. This approach ensures access is granted precisely, enhancing security and compliance by preventing over-provisioning permissions and maintaining clear boundaries for access rights.
EmpowerID PBAC Policies
PBAC policies in EmpowerID define the conditions under which access is granted or denied. They combine rights, roles, Field Types, and Assignment Points to create comprehensive authorization rules that are precise and auditable.
Design of PBAC Policies
EmpowerID's PBAC policies are designed to be clear and manageable, adhering to a specific structure:
Single Right or Role Assignment
Each policy assigns one Local Right or Local Role to an assignee. This clarifies what permission is being granted and simplifies auditing and compliance efforts.
Single Assignee
The assignee can be any EmpowerID Assignee Type, such as Person, Group, Management Role, Business Role and Location, or Query-Based Collection. This flexibility allows for precise policy targeting to the appropriate users or groups.
Conditions and Constraints
Policies can include conditions based on Field Types and specify Assignment Points and Assignment Point Types to define the scope of the assignment. This enables fine-grained access control.
Incorporating Assignment Points in Policies
When creating PBAC policies, administrators specify Assignment Points and Assignment Point Types to define where the policy applies. This allows for precise control over access rights, ensuring that permissions are granted only within the intended scope.
For example, a policy might grant the "Manage Resources" right to a group of users but limit it to a specific Subscription or Resource Group by specifying the appropriate Assignment Point and Assignment Point Type.
Note: For step-by-step instructions on creating and managing PBAC policies, see "Managing PBAC Policies" in this guide.
Through its integrated components—applications, authorization models, Field Types, the Universal PBAC Data Model, rights and roles, and Assignment Points—EmpowerID's PBAC framework provides organizations with the tools to implement precise, dynamic access control. This comprehensive approach enables administrators to balance security requirements with operational flexibility while maintaining clear accountability and compliance.
Next Steps
IN THIS ARTICLE