Skip to main content

PBAC System Briefing Document

This document provides an overview of key themes, functionalities, and future enhancements related to the PBAC (Policy-Based Access Control) system, primarily in the context of the EmpowerID platform.

Listen to an Audio Overview

Main Themes

1. Hybrid Access Control

The PBAC system employs a hybrid access control model that merges the structure and auditability of Role-Based Access Control (RBAC) with the flexibility and context-awareness of Attribute-Based Access Control (ABAC). This combination results in a more adaptable and secure method of managing permissions.

2. Unified Permissions Model

A unified data model is central to the PBAC system, enabling seamless management of permissions across diverse platforms like Azure, SAP, AWS, and custom applications. This model simplifies governance by standardizing permission representations.

3. Risk Management

PBAC enhances risk assessment by mapping permissions across multiple systems to common "functions." This approach allows for consistent evaluation of risks associated with user access, irrespective of the underlying technology.

4. Access Request and Approval

The system offers a self-service access request mechanism with customizable workflows. Virtual approval groups can be defined using application rights, making the approval process efficient and aligned with organizational policies.

5. Projection and Fulfillment

PBAC includes functionality to "project" access granted to EmpowerID entities (such as management roles) into external systems. This is done via fulfillment groups, which map EmpowerID assignments to roles or groups in target systems, ensuring policy enforcement even in non-PBAC environments.

Important Ideas/Facts

  1. Application Rights: Specific permissions within an application, like "view video" or "edit video."
  2. Resource Types: Categories for the entities being protected, such as "video footage."
  3. Field Types (Scopes/Attributes): Attributes that add conditions to application rights, providing granular access control. Examples include "video category" or "country."
  4. Local Rights and Roles: Rights and role definitions within an application, whether created in EmpowerID or inventoried from external systems.
  5. Approval Rights: Rights used to create virtual approval groups for managing access requests.
  6. Split by Value for Approval: A feature that splits access requests into separate items based on selected field type values, enabling tailored approval workflows.
  7. Fulfillment Groups: Groups that connect EmpowerID assignments to external system roles, facilitating seamless access fulfillment.

Key Quotes from Transcripts

  1. On Hybrid Access Control:

    "In our system, we have a balance between the two...we have a hybrid of role-based and attribute-based and when you merge the two together uh really what you end up with is what people call PBAC or policy-based."

  2. Unified Permissions Model:

    "The benefit of this is that Azure stuff goes into the same tables and the same bucket as EmpowerID application stuff."

  3. Risk Management:

    "[Functions] is how we understand what people can do and whether or not that's risky."

  4. Projection and Fulfillment:

    "[Projection is] extending PBAC in a very non-traditional way...doing traditional push isn't something that exists out there really."

  5. Policy Enforcement:

    "You're making a non-PBAC system really uh have PBAC policies enforced."

Potential Future Enhancements

  1. Recertification for Local Rights/Roles: Expanding the capability to recertify assignments to local rights and roles, especially those imported from external systems.
  2. Policy Version Control: Implementing a feature for tracking policy changes, with potential for providing a historical view of policy versions.

Conclusion

The PBAC system is a comprehensive and flexible solution for managing and auditing access control across various applications and platforms. By combining RBAC and ABAC principles, it provides a robust unified permissions model, supports complex approval processes, and enhances risk management. The system aims to streamline access governance and improve organizational security through innovative features and potential future enhancements.