In EmpowerID, PBAC membership policies are policies we create to specify the conditions under which an EmpowerID actor, such as a person or a business role and location, can be added to or potentially added to management roles, groups, business roles and locations, or query-based collections. PBAC membership policies comprise attribute-based membership policies, which contain rules defining the field types, field type values, and rights needed by users for the system to add them to the target of the policy.
When the PBAC engine compiles PBAC Membership policies, it checks to see whether any EmpowerID actors have the policy's characteristics and adds them to the policy's target if they do.
EmpowerID’s PBAC Membership policies are a particular type of policy that connects the world of attribute-based real-time dynamic access to the traditional model of granting permissions within applications and systems. For example, PBAC membership policies allow the flexible attribute and role-based assignment model to determine who should be a member of which groups or roles in EmpowerID.
The primary building blocks of a PBAC membership policy are depicted in the overview diagram below.
For a PBAC membership policy to work in EmpowerID, the following steps are needed.
Check Pre-requisite Job(s) are Running - For the PBAC membership policy to work in EmpowerID, certain prerequisite jobs must be running.
Create a PBAC Attribute Type - A PBAC field type, or attribute, is a connector used to connect an EmpowerID actor (e.g., a person) to a PBAC membership policy target (e.g., a group).
Add value to PBAC attribute Type - A PBAC field type or attribute has values that are compared to determine the membership of an actor (e.g., a person) in a target (e.g., a group).
Add PBAC Attribute Type to an Actor - The PBAC field type or attribute should be added to an EmpowerID actor (e.g., a person).
Create a PBAC Membership Policy - A PBAC membership policy must be created so that we can use it for a target type (e.g., a group).
Add PBAC Attribute Type to PBAC Membership Policy - The PBAC field type or attribute should be added to a PBAC membership policy to connect it to an EmpowerID actor.
Verify the Result - After the PBAC membership policy is compiled, we can verify the result. For example, after the policy is compiled, it will add the actor (e.g., a person) to a target (e.g., a group).
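A simplified model of the compile and verify steps above, added here as an illustration; it is not EmpowerID code and does not use the EmpowerID API. The class names, the sample actors and group, and the assumption that an actor must satisfy every rule in a policy are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical model: names and matching semantics are assumptions,
# not EmpowerID's API or its compile logic.
@dataclass(frozen=True)
class AttributeAssignment:
    field_type: str  # PBAC attribute (field) type, e.g. "Department"
    value: str       # field type value, e.g. "Finance"
    right: str       # right held for that value, e.g. "Member"

@dataclass(frozen=True)
class MembershipPolicy:
    name: str
    target: str   # policy target, e.g. a group
    rules: tuple  # AttributeAssignment entries; all are required (assumed AND)

def compile_policy(policy, actors, current_members):
    """Return (to_add, unexpected) for one policy.

    to_add: actors that satisfy every rule but are not yet in the target.
    unexpected: current members that do not satisfy the policy, listed
    for review when verifying the result.
    """
    matching = {name for name, held in actors.items()
                if all(rule in held for rule in policy.rules)}
    return sorted(matching - current_members), sorted(current_members - matching)

# Constructed sample data
ACTORS = {
    "alice": {AttributeAssignment("Department", "Finance", "Member"),
              AttributeAssignment("Region", "EMEA", "Member")},
    "bob": {AttributeAssignment("Department", "Finance", "Member")},
    # Right differs from the rule, so carol does not match.
    "carol": {AttributeAssignment("Department", "Finance", "Viewer"),
              AttributeAssignment("Region", "EMEA", "Member")},
}
POLICY = MembershipPolicy(
    name="Finance EMEA group policy",
    target="GRP-Finance-EMEA",
    rules=(AttributeAssignment("Department", "Finance", "Member"),
           AttributeAssignment("Region", "EMEA", "Member")),
)

if __name__ == "__main__":
    to_add, unexpected = compile_policy(POLICY, ACTORS, current_members={"bob"})
    print("add to", POLICY.target, ":", to_add)
    print("members not matching the policy:", unexpected)
```

Comparing the computed additions against the expected list before relying on a policy shows when a rule is broader than intended, for example when a right or value is left out of a rule.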