Creating PBAC Membership Policies
PBAC Membership Policies are used to define the conditions under which EmpowerID actors, such as people or Business Roles and Locations, are added to roles, groups, or collections. These policies use attribute-based rules to dynamically assign membership based on specified criteria, such as field types and field type values.
This article provides step-by-step instructions for creating a PBAC Membership Policy using the Role Modeling Inbox. For a detailed explanation of PBAC Membership Policies and their components, see Overview of PBAC Membership Policies.
Procedure: Creating a PBAC Membership Policy
Sign in to EmpowerID as an administrator.
Navigate to Role Management > Role Modeling Inbox.
Open the Attribute-Based Membership Policies tab and click the Add New button.
This opens the Attribute-Based Membership Policy form.
Specify the target type and assignee.
Under the Assignment Information section, select the type of assignee for the policy from the Which Type of Assignee for this Policy? dropdown. Available options include Business Role and Location, Management Role, Management Role Definition, Group, or Query-Based Collection.
After selecting the type, choose the specific assignee. For example, if you select Management Role, you can choose a specific Management Role like “Docs-SA.” Similarly, if you select Group, you will choose a specific group.
Complete the policy details under the Other Info section.
Name: Enter a unique name for the policy.
Display Name: Provide a display name for easier identification in EmpowerID.
Policy Type: Choose one of the following options to determine how EmpowerID processes policy matches:
Member: Matches are granted membership if the Auto-Approve option is enabled; otherwise, Business Requests are generated and sent for approval.
Eligible: Matches are eligible for membership and can request it through the IAM Shop.
Pre-Approved: Matches are automatically added as members by the system.
Suggested: Matches see the membership option as a suggestion in the IAM Shop.
Is Enabled: Toggle this option to enable the policy. When enabled, the system compiles the policy and processes entries. When disabled, it generates reviewable proposals without applying them.
Auto-Approve: Enable this option to allow the system to automatically approve actions for the selected policy type. If disabled, Business Requests will be generated for manual approval.
Job Schedule Interval: Specify the policy's start and end dates and the desired execution interval. The default is once every 24 hours.
Click Save to finalize the creation of the policy.
The newly created policy will appear in the Attribute-Based Membership Policies grid.
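A pre-save review of planned policies, as an added example that is not EmpowerID code or an EmpowerID API. The dictionary keys, outcome labels and sample policy names are assumptions made for this sketch (only "Docs-SA" comes from the article), and the logic encodes only the Policy Type, Is Enabled and Auto-Approve behaviour described in the steps above, reading Pre-Approved as granting membership regardless of Auto-Approve.

```python
from collections import Counter

def match_outcome(policy):
    """What happens to an actor who matches this policy, per the fields above."""
    if not policy["is_enabled"]:
        return "proposal-only"      # reviewable proposals, nothing applied
    ptype = policy["policy_type"]
    if ptype == "Pre-Approved":
        return "auto-member"        # added as members by the system
    if ptype == "Member":           # Auto-Approve decides grant vs. request
        return "auto-member" if policy["auto_approve"] else "business-request"
    if ptype in ("Eligible", "Suggested"):
        return "shop-" + ptype.lower()   # offered through the IAM Shop
    raise ValueError(f"unknown policy type: {ptype!r}")

def review(policies):
    """Return (policy name, finding) pairs to check before clicking Save."""
    counts = Counter(p["name"] for p in policies)
    findings = [(n, "name is not unique") for n, c in counts.items() if c > 1]
    for p in policies:
        if match_outcome(p) == "auto-member":
            findings.append((p["name"],
                f"adds members to {p['assignee_type']} '{p['assignee']}' "
                "with no approval step"))
    return findings

def policy(name, assignee_type, assignee, policy_type, is_enabled, auto_approve):
    # Hypothetical record layout mirroring the form fields, not an EmpowerID schema.
    return dict(name=name, assignee_type=assignee_type, assignee=assignee,
                policy_type=policy_type, is_enabled=is_enabled,
                auto_approve=auto_approve)

# Constructed worksheet; only the "Docs-SA" role name appears in the article.
PLANNED = [
    policy("docs-sa-members", "Management Role", "Docs-SA", "Member", True, True),
    policy("docs-sa-eligible", "Management Role", "Docs-SA", "Eligible", True, False),
    policy("helpdesk-preapproved", "Group", "Helpdesk", "Pre-Approved", False, False),
    policy("docs-sa-members", "Management Role", "Docs-SA", "Member", True, False),
]

if __name__ == "__main__":
    for p in PLANNED:
        print(f"{p['name']:22} -> {match_outcome(p)}")
    for name, finding in review(PLANNED):
        print(f"REVIEW {name}: {finding}")
```

Policies that resolve to auto-member on a privileged target such as a Management Role are the ones to have a second person confirm before enabling.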
Next Steps: Defining Attribute Conditions
Once the policy has been created, the next step is to define the specific conditions under which users can be added to the policy’s target. This is accomplished by adding attribute condition rules to the policy. Refer to the article Adding PBAC Attributes to PBAC Membership Policies for detailed instructions.