You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

Creating PBAC Membership Policies

PBAC Membership policies are policies you create to specify the conditions under which an EmpowerID actor, such as a person or a Business Role and Location combination, can be added to or potentially added to Management Roles, groups, Business Role and Location combinations, and Query-Based Collections. PBAC Membership policies are comprised of Attribute-Based membership policies, which contain rules defining the field types, field type values, and rights needed by users for the system to add them to the target of the policy. In this article, we discuss the components of PBAC Membership policies and how to create and use them. This article elucidates the components of PBAC Membership Policies and guides you on their creation and application.

Step 1 – Create the policy

There are two methods you can use to create PBAC Membership Policies:

  1. You can create a policy on a role or group’s View page

  2. You can create a policy on the Role Modeling Inbox page.

Create a policy using the View page

  1. Use the global search to search for the role or group for which you want to create a PBAC Membership Policy. To do so, select the appropriate resource type and then search for the specific resource. For example, if you want to create a policy for a Management Role named “spmemgroup,” select Group as the resource type and then search for “spmemgroup.”

    image-20240124-204058.png


    This action directs you to the View page for the selected resource, which in this case, is the View page for the “spmemgroup” group.

    image-20240124-205013.png

     

  2. On the View page, select the Advanced tab, the Membership sub-tab, and then expand the Attribute-Based Membership accordion.

     

  3. Click the Add [+] button in the Attribute-Based Membership Policies accordion.
    This action opens the form for creating the policy.

     

  4. Fill in the form with the appropriate information.

Field

Description

Action / Task

Field

Description

Action / Task

Name

Name of the policy

Enter a name for the policy.

Display Name

Display Name of the policy

Enter a display name for the policy.

Policy Type

The policy type defines what happens as a result of policy matches. Results include:

  • Member – Matches are granted membership if Auto-Approve is enabled on the policy; otherwise, the system generates Business Requests and sends them to the appropriate users for approval.

  • Eligible – Matches are eligible for membership and can request it in the IAM Shop.

  • Pre-Approved – Matches are pre-approved for membership.

  • Suggested – Matches see membership as a suggestion and can request it in the IAM Shop.

Select the desired policy type from the drop-down.

 

Is Enabled

Setting that specifies whether the system compiles the policy and adds entries to the inbox to be processed. If this setting is not checked, the system generates proposals that allow you to view what would happen if the policy was enabled.

Check or uncheck.

Auto-Approve

Setting that specifies whether the system auto-approves membership for all actors matching the policy. This setting only applies when Member is the selected policy type.

Check or uncheck.

Job Schedule

Setting that specifies the start date the policy compiler can first compile the policy, when the date the compiler should stop compiling the policy, and the frequency of compilation. The default start date is the date of creation with an interval that compiles the policy once every 24 hours.

Select the Start and End dates for the policy and specify the interval as desired.

Responsible Party

In the EmpowerID system, the term "responsible party" refers to a person designated to bear accountability for the security and audit aspects of various IT objects.

Select the person who is to be the responsible party for the policy.

  1. When ready, click Save to create the policy.

Create a policy using the Role Modeling Inbox page

  1. On the navbar, expand Role Management and select Role Modeling Inbox.

  2. Select the Attribute-Based Membership Policies tab and then click the Add button on the grid header.


    This action opens the form for creating the policy.

     

  3. Fill in the form with the appropriate information.

Field

Description

Action / Task

Field

Description

Action / Task

Which Type of Assignee for this Policy?

Used to select the type of assignee the policy that is the target of the policy.

Select an assignee type.

Name

Name of the policy

Enter a name for the policy.

Display Name

Display Name of the policy

Enter a display name for the policy.

Policy Type

The policy type defines what happens as a result of policy matches. Results include:

  • Member – Matches are granted membership if Auto-Approve is enabled on the policy; otherwise, the system generates Business Requests and sends them to the appropriate users for approval.

  • Eligible – Matches are eligible for membership and can request it in the IAM Shop.

  • Pre-Approved – Matches are pre-approved for membership.

  • Suggested – Matches see membership as a suggestion and can request it in the IAM Shop.

Select the desired policy type from the drop-down.

 

Is Enabled

This setting specifies whether the system compiles the policy and adds entries to the inbox to be processed. If this setting is not checked, the system generates proposals that allow you to view what would happen if the policy was enabled.

Check or uncheck.

Auto-Approve

This setting specifies whether the system auto-approves membership for all actors matching the policy. This setting only applies when Member is the selected policy type.

Check or uncheck.

Job Schedule

This setting specifies the start date the policy compiler can first compile the policy, when the date the compiler should stop compiling the policy, and the frequency of compilation. The default start date is the date of creation with an interval that compiles the policy once every 24 hours.

Select the Start and End dates for the policy and specify the interval as desired.

Responsible Party

In the EmpowerID system, the term "responsible party" refers to a person designated to bear accountability for the security and audit aspects of various IT objects.

Select the person who is to be the responsible party for the policy.

  1. When ready, click Save to create the policy.

 

Results

EmpowerID creates the PBAC Membership Policy for the selected group, role, or Query-Based Collection. You can view the new policy in the Role Modeling Inbox.