PBAC Membership policies are policies you create to specify the conditions under which an EmpowerID actor, such as a person or a Business Role and Location can be added to or potentially added to Management Roles, groups, Business Roles and Locations, or Query-Based Collections. PBAC Membership policies are comprised of Attribute-Based membership policies, which contain rules defining the field types, field type values, and rights needed by users for the system to add them to the target of the policy. In this article, we discuss the components of PBAC Membership policies and how to create and use them.
Step 1 - Create PBAC Membership policies
PBAC Membership policies can be created in two different ways: They can be created on the View One pages of the roles, groups, and collections that are the target of the policy and they can be created globally on the Role Modeling Inbox page of EmpowerID. In the below example, we demonstrate how to create a policy on the Role Modeling Inbox page.
On the navbar, expand Role Management and select Role Modeling Inbox.
Select the Attribute-Based Membership Policies tab and then click the Add button on the grid header.
This opens the Policy Form, which is where you add the information necessary to create the policy.
The form contains the following fields:Field
Purpose
Which Type of Assignee for this Policy
Select the target type for the policy. These include:
Business Role and Location
Management Role
Management Role Definition
Group
Query-Based Collection
Select <Assignee> to Receive Policy
Select the specific assignee, such as the specific Management Role or Business Role and Location, that is to be the target of the policy. Specific assignees that can be selected are filtered by type. Thus if you selected Management Role as the type of assignee, this field allows you to only search for Management Roles.
Name
Name of the policy.
Display Name
Display name of the policy.
Policy Type
Policy type defines what happens as a result of policy matches. Results include:
Member – Matches are granted membership if Auto-Approve is enabled on the policy; otherwise, the system generates Business Requests and sends them to the appropriate users for approval.
Eligible – Matches are eligible for membership and can request it in the IT Shop.
Pre-Approved – Matches are pre-approved for membership.
Suggested – Matches see the role as suggested for them in the IT Shop.
Is Enabled
If selected, the system compiles the policy and adds entries to the inbox to be processed. It this setting is not selected, the system generates proposals that allow you to view what would happen if the policy was enabled.
Auto-Approve
If selected, the system approves the action specific to the chosen Policy Type; otherwise, the system generates Business Requests and sends them to the appropriate users for approval.
Job Schedule Interval
Select the Start and End dates for the policy and specify the interval as desired. The default start date is the date of creation with an interval that compiles the policy once every 24 hours.
Enter the information appropriate for your situation and then click Save to create the policy.
Now that the policy is created, the next step is to define the conditions needed for users to be added to the policy target. You do this by adding rules to it.
Step 2 - Add Attribute Conditions to the policy
Locate the policy you just created in the Attribute-Based Membership Policies grid and click the Name link for it.
This directs you to the Policy Details (View One) page for the policy.
The page contains a General pane and four accordions for viewing information about the policy and configuring it as needed.Page Element
Purpose
General Panel
Provide general overview about the policy to include the following:
Name – Name of the policy
Is Enabled – Whether the policy is enabled; True or False
Policy Type – Action granted by the policy, such as Member
Auto-Approve – Whether the system approves the action for users meeting the conditions of the policy; True or False
Last Success – Displays the date and time of the last successful compilation of the policy
Last Attempt – Displays the date and time the system last tried to compile the policy
Next Compilation Time – Displays the date and time the system will recompile the policy
Last Error – Displays the last error to occur during compilation, if any
Locked by Server – Displays the EmpowerID server that compiled the policy
Assignee Member Policy ID – GUID of the policy
Attribute Conditions (Field Types)
Accordion that allows you to view and create policy rules that set the attribute conditions needed to be met in order to be added to the target of the policy
Field Type Values for Policy
Accordion that lists the field type values for the policy as specified by the attribute conditions
Attribute-Based Membership Inbox
Accordion that lists users and other EmpowerID actors that meet the conditions specified by the selected field types and have been added to the inbox for processing. The inbox is only populated when the policy is enabled.
Preview Proposed Changes
Accordion that allows you to view what would occur if the policy is enabled.
Expand the Attribute Conditions (Field Types) accordion and click the Add button on the grid header.
Enter the following information in the Dynamic Membership Rule form that appears:
Name – Name of the rule
Right – If the rule defines an application right that needs to be met, search for and select the appropriate right
Field Type (Attribute) – If the rule specifies an application field type that needs to be met, search for and select the appropriate attribute
Field Values Constraints on Right Assignment – If the field type can have multiple values, select the values needed
In the below example, the rule specifies that users need the Data Access right to the Customer field type for Intu.
Save the rule.
Repeat, adding as many rules as needed.
When adding multiple rules to a policy you create an AND condition. In order to qualify for the target, users need to meet all conditions. If you want to create an OR condition where users only need to meet one of multiple conditions, you would need create a separate policy for each condition.
After creating the policy, the system should compile it – and depending on the settings applied – will show matching records in either the Attribute-Based Membership Inbox accordion (when Enabled is set to True and Auto-Approve is set to True) or in the Preview Proposed Changes accordion.
