PingAuthorize

Policy sets, policies, and rules

The Policy Manager organizes the rules for attribute-based access control (ABAC) using three types of entities and the relationships between them. The entities are policy sets, policies, and rules.

A typical enterprise-level organization might impose hundreds or thousands of conditions and constraints around access control. Such constraints comprise the business rules that define the circumstances under which users access certain resources.

You can group these rules together naturally, so that you can understand them without focusing on all of them at the same time. For example, a set of policies around authentication might require a user to authenticate to a certain level before they can access a certain resource. Another set of policies might gather together all of the business rules around accessing the resources of a particular business unit. Yet another set of policies might define the audit processes triggered with each attempt to access a set of restricted resources.

This structure is inherent in the problem domain of resource-access control. The Policy Manager allows you to organize these business rules into a tree structure, with a root policy set that contains policy sets for each business case. The policy sets contain related policies, and each policy contains one or more rules that help define its behavior.

A root policy set is not required, but it is useful for building a deployment package from the entire policy tree. Individual policies often belong to policy sets but can also stand on their own.