Overview of PBAC Membership Policies
Policy-Based Access Control (PBAC) Membership Policies in EmpowerID define rules that determine how users and other entities, collectively known as EmpowerID actors, are included in specific groups, roles, or collections. These policies evaluate attributes assigned to actors, allowing access to be granted and updated dynamically based on organizational requirements.
What Are PBAC Membership Policies?
PBAC Membership Policies define the conditions under which EmpowerID actors—such as individuals, Business Roles, or Locations—are included in specific policy targets, such as groups, roles, or collections. These conditions are evaluated dynamically based on the attributes assigned to actors, ensuring that access remains aligned with current organizational needs.
For example:
A PBAC Membership Policy for the "Finance Team" group might use the Department attribute to include users assigned to the "Finance" department.
A project-specific policy could evaluate the Project attribute to grant access to team members based on their project assignments.
This dynamic approach eliminates the need for manual updates, ensuring that users are always assigned appropriate access as their roles and attributes change.
Key Components of PBAC Membership Policies
PBAC Attribute Types (Field Types)
PBAC Attribute Types, also referred to as Field Types, are the categories used to define membership rules for policies. These categories, such as Department, Region, or Project, provide a structured way to evaluate attributes assigned to users.
For instance, a Department Attribute Type might include values like "HR," "Finance," and "IT," allowing policies to filter users based on their departmental assignments.
Attribute Values
Attribute Values are the specific options within an Attribute Type that determine membership conditions. These values are assigned to EmpowerID actors and evaluated by policies.
For example:
A Region Attribute Type could have values like "North America" or "Europe."
A PBAC Membership Policy might require the Region attribute to equal "North America" for a user to gain access.
Attribute Conditions
Attribute Conditions define the rules within PBAC Membership Policies that evaluate assigned attributes to determine membership eligibility. These conditions specify combinations of Attribute Types and Attribute Values that must match for a user to qualify.
For example, a condition might require both "Department: Finance" and "Region: Europe" for a user to gain access to specific financial resources.
PBAC Attributes for EmpowerID Actors
PBAC Attributes are assigned directly to EmpowerID actors, such as individuals, Business Roles, or Locations. These attributes represent the actor’s contextual information and are evaluated against the Attribute Conditions defined in PBAC Membership Policies.
For example:
A user assigned the attributes "Department: HR" and "Region: North America" will only qualify for policies requiring those specific conditions.
How PBAC Membership Policies Work
PBAC Membership Policies dynamically evaluate the attributes of EmpowerID actors to determine membership eligibility. The process typically follows these steps:
Policy Creation: Administrators create PBAC Membership Policies, specifying the Attribute Conditions required for membership in the policy's target (e.g., a group or role).
Attribute Evaluation: The system evaluates the attributes assigned to EmpowerID actors to determine whether they meet the conditions defined in the policy.
Membership Assignment: Actors who meet the conditions are automatically assigned to the policy’s target. If an actor's attributes change, the system updates their membership to reflect the new conditions.
PBAC Membership Policies can enforce different types of membership:
Member: Automatically assigns actors to the policy target.
Eligible: Marks actors as eligible for membership, allowing them to request access through the IAM Shop.
Pre-Approved: Grants automatic membership without additional approval.
Suggested: Displays the membership as a suggestion in the IAM Shop.
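To make the evaluation described above concrete, here is an added example (not EmpowerID code or its API) that models Attribute Conditions, the actors carrying PBAC Attributes, and the four membership types, then re-evaluates membership after an attribute changes. All names, the "all conditions must match" rule and the sample actors are assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed model of the page's concepts (not EmpowerID's own API):
# an actor carries PBAC Attributes keyed by Attribute Type; a policy lists
# Attribute Conditions that must ALL match, plus one membership type.
MEMBERSHIP_TYPES = {"Member", "Eligible", "Pre-Approved", "Suggested"}


@dataclass
class Actor:
    name: str
    attributes: dict  # Attribute Type -> Attribute Value, e.g. {"Department": "Finance"}


@dataclass
class MembershipPolicy:
    target: str                 # group, role or collection the policy feeds
    conditions: dict            # Attribute Type -> required Attribute Value
    membership_type: str = "Member"

    def __post_init__(self):
        if self.membership_type not in MEMBERSHIP_TYPES:
            raise ValueError(f"unknown membership type: {self.membership_type}")


def matches(policy, actor):
    """True only when every Attribute Condition is met by the actor's attributes.
    A missing attribute never matches: having no Region is not 'Region: Europe'."""
    return all(actor.attributes.get(attr_type) == value
               for attr_type, value in policy.conditions.items())


def evaluate(policies, actors):
    """Recompute memberships from scratch: {target: {actor name: membership type}}.
    Because the result derives purely from current attributes, calling it again
    after an attribute change yields the new state with no manual update."""
    result = {}
    for policy in policies:
        bucket = result.setdefault(policy.target, {})
        for actor in actors:
            if matches(policy, actor):
                bucket[actor.name] = policy.membership_type
    return result


if __name__ == "__main__":
    policies = [
        MembershipPolicy("Finance Team", {"Department": "Finance"}),
        MembershipPolicy("EU Financial Resources",
                         {"Department": "Finance", "Region": "Europe"}, "Eligible"),
    ]
    alice = Actor("alice", {"Department": "Finance", "Region": "Europe"})
    bob = Actor("bob", {"Department": "Finance"})       # no Region attribute
    print(evaluate(policies, [alice, bob]))
    bob.attributes["Department"] = "HR"                  # attribute change: bob drops out
    print(evaluate(policies, [alice, bob]))
```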
Related Tasks
The following articles provide step-by-step instructions for creating and managing PBAC Membership Policies and their components:
Creating PBAC Membership Policies: Learn how to define membership policies targeting specific groups, roles, or collections.
Creating PBAC Attribute Types: Define the Attribute Types that form the basis for Attribute Conditions.
Adding PBAC Attributes to PBAC Membership Policies: Specify Attribute Conditions in membership policies to refine membership criteria.
Adding PBAC Attributes to EmpowerID Actors: Assign PBAC Attributes directly to actors to enable policy evaluation.