Understanding Field Types in EmpowerID PBAC
Field Types are the mechanism through which EmpowerID's Policy-Based Access Control (PBAC) implements Attribute-Based Access Control (ABAC) principles. They represent the attributes that policies evaluate at runtime to make authorization decisions—attributes about users, resources, and environmental conditions. While RBAC provides the structural foundation of roles and rights, Field Types enable the dynamic, context-aware evaluation that makes PBAC flexible and adaptive.
Without Field Types, policies would be limited to checking role membership and static permissions. With Field Types, policies can ask questions like "Is the user's department Finance?", "Is the resource classified as Confidential?", and "Is this access attempt happening during business hours?" These attribute-based conditions, evaluated in real-time, enable policies to enforce fine-grained access control that adapts to current organizational context.
Field Types and their associated Field Type Values are the core attributes used in EmpowerID PBAC to define access conditions. They allow administrators to build access control logic that responds to real-world organizational context such as user roles, resource sensitivity, location, and more.
For a broader introduction to how Field Types fit into EmpowerID's PBAC model, see About EmpowerID PBAC.
Field Type Values: The Data Points Policies Evaluate
Each Field Type represents a category of attributes—such as "Department," "Location," or "Classification"—and within each Field Type are one or more Field Type Values, which are the specific data points that policies evaluate. For example, the Field Type "Department" might include values such as "Finance," "HR," and "IT."
Field Type Values are what PBAC policies actually test when making authorization decisions. They act as the matching criteria in policy logic. When a user requests access, EmpowerID evaluates whether their attributes, the resource's attributes, and the environmental conditions match the Field Type Values specified in applicable policies.
Example: If a policy requires that "Department = Finance," the system retrieves the user's current department value from identity data and compares it to "Finance." Only if they match does this condition evaluate to true. Multiple conditions can be combined—"Department = Finance AND Classification = Confidential AND BusinessHours = True"—to create sophisticated authorization rules.
By combining multiple Field Types and Values in a policy, EmpowerID can dynamically assess whether a user's context meets the criteria for access. This approach enables policies that reflect business requirements naturally rather than requiring complex role structures to encode every possible scenario.
Scope of Field Types
Before exploring the categories of Field Types, it's important to understand that Field Types can be either shared across applications or specific to a single application. This scoping determines how broadly Field Types can be reused.
Shared Field Types are reusable across multiple applications or systems. These provide consistency in how identity and resource attributes are evaluated across your environment. Examples include common attributes like Department, Location, or Business Unit. Shared Field Types enable centralized policy logic, reducing duplication and simplifying audit reporting. When a shared Field Type is updated—such as adding a new department value—that change is immediately available to all applications that reference it.
Application-Specific Field Types are defined locally for a particular application or system. Some access requirements are unique to a particular context and would not be meaningful elsewhere. These application-specific Field Types might reflect specialized approval workflows, internal data classification models, or custom status indicators within an application. Using local Field Types avoids overcomplicating global policy definitions while still enabling fine-grained control where needed.
The choice between shared and application-specific Field Types depends on whether the attribute has meaning across multiple systems or is unique to one application's authorization requirements.
Categories of Field Types
EmpowerID supports three main categories of Field Types, reflecting different dimensions of access control: characteristics of the user, characteristics of the resource, and characteristics of the environment.
Assignee Field Types
Assignee Field Types define characteristics of the user or entity making the access request. These often map to identity attributes from HR systems, directories, or identity management platforms.
Common examples include:
- Department - The user's organizational department (Finance, HR, Engineering, etc.)
- Job Title - The user's role within the organization (Analyst, Manager, Director, etc.)
- Region - The user's geographic location or assigned region
- Employee Type - Classification such as Full-Time, Contractor, Vendor
- Security Clearance - The user's clearance level for accessing classified information
- Manager Relationship - References to the user's manager or reporting structure
Assignee Field Types enable policies to make decisions based on who the user is and their current organizational context. For instance, a policy could restrict access to financial systems to users in the Finance department who hold a Senior-level title or higher. As these attributes change in source systems—such as when an employee is promoted or transfers departments—Field Type Values automatically reflect the current state when policies are evaluated.
Resource Field Types
Resource Field Types describe the attributes of the system, data, or application being protected. These help define access policies based on the nature of the target resource.
Common examples include:
- Classification - The sensitivity level of the resource (Public, Internal, Confidential, Restricted)
- Data Category - The type of data contained (Financial Data, Personal Data, Health Records, etc.)
- Owning Department - Which department owns or manages the resource
- Geographic Region - Where the resource or data is located
- Project Association - Which project or initiative the resource belongs to
- Compliance Requirement - Regulatory frameworks that apply to the resource
Resource Field Types enable policies to treat resources differently based on their characteristics. A policy might enforce additional approval steps or clearance checks for accessing resources classified as Confidential, or restrict access to resources in the Europe region to users also located in Europe. This resource-centric approach ensures that access control adapts to what is being accessed, not just who is accessing it.
Environmental Field Types
Environmental Field Types evaluate the conditions under which access is being requested, reflecting the current session context, device status, or network environment.
Common examples include:
- Time of Day - The current time when access is requested
- Day of Week - Whether the request occurs on a weekday or weekend
- Business Hours - Whether the current time falls within defined business hours
- Network Location - Whether the request originates from the corporate network, a VPN, or an external network
- IP Address Range - The specific IP address or range from which access is requested
- Device Type - The type of device being used (managed laptop, mobile device, etc.)
- Authentication Method - How the user authenticated (password, MFA, certificate, etc.)
- System State - Whether the system is in normal operation, maintenance mode, or emergency mode
Environmental Field Types enable policies to account for risk and context. Policies can use these to deny access to sensitive systems outside business hours, require stronger authentication from external networks, or restrict access to managed devices only. These conditions adapt automatically as circumstances change—a user who has access during business hours from the office may be denied access when attempting to connect from home on the weekend.
How Field Types Work in Policies
Field Types are the foundation of PBAC policy logic. Policies evaluate combinations of Field Type Values to determine whether to grant, deny, or route access for approval. By referencing Field Types from different categories, policies can create sophisticated rules that consider multiple aspects of an access request simultaneously.
Example: How Policies Combine Field Types
To illustrate how Field Types from different categories work together in policy evaluation, consider a policy designed to protect confidential financial reports. Such a policy would evaluate multiple conditions across all three Field Type categories:
- An Assignee Field Type (Department) to check if the user's department is Finance
- Another Assignee Field Type (Clearance) to confirm the user's clearance level equals or exceeds Confidential
- A Resource Field Type (Classification) to verify the report is indeed classified as Confidential
- An Environmental Field Type (Network Location) to ensure access is from the corporate network
- An Environmental Field Type (Business Hours) to restrict access to approved business hours
The policy would grant access only when ALL conditions are satisfied. If the user is in Finance with Confidential clearance but is accessing from an external network, the policy denies access. If they're on the corporate network during business hours but their clearance is only Internal, access is denied. This multi-attribute evaluation demonstrates how Field Types enable precise control that would be impractical to model through roles alone.
Field Types can be combined using logical operators to create complex conditions, allowing policies to express nuanced business rules naturally.
Dynamic Evaluation and Runtime Reevaluation
One of the most powerful aspects of Field Types is that access is evaluated dynamically based on current attribute values. When the value of a Field Type changes—such as an employee's department or the classification of a document—EmpowerID automatically reevaluates access rights at the next access attempt, without requiring manual policy updates.
This dynamic behavior is fundamental to PBAC's value. Unlike static permission assignments that must be manually updated when circumstances change, Field Type-based policies adapt automatically to current conditions.
Example: Employee Transfer Scenario
Consider an employee, Sarah, who works in the Marketing department and has access to marketing campaign data through a PBAC policy that grants access where "Department = Marketing." The policy is defined once and applies to all Marketing employees.
When Sarah transfers to the Sales department:
- Her department attribute in the HR system is updated to "Sales"
- No changes are made to PBAC policies—the policies remain the same
- The next time Sarah attempts to access marketing campaign data, the policy evaluates her current department value
- Since "Sales" does not match "Marketing," the condition fails and access is denied
- Simultaneously, if there's a policy granting Sales department access to sales data, Sarah now satisfies that policy's condition and gains that access automatically
This automatic reevaluation eliminates the need for manual access reviews when employees transfer, change roles, or when resource classifications change. The policies remain static (they define the rules), while the evaluation is dynamic (it applies those rules to the attribute values current at the time of the request).
The same principle applies to environmental conditions. A user who has access during business hours automatically loses access outside those hours without any policy modification. When business hours resume, access is automatically restored. This runtime evaluation ensures that policies continuously enforce access control based on current context.
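The following is an added illustration, not EmpowerID code or its policy engine API, that models both scenarios above in one small evaluator: the confidential-financial-reports policy that ANDs conditions across all three Field Type categories, and the Sarah transfer scenario in which only the HR record changes and the same policies yield a different decision. The `Condition`, `Policy`, `environment_at` and `decide` names, the clearance ranking, the 09:00-17:00 business-hours window, and all sample records and timestamps are assumptions constructed for the example.

```python
"""Illustrative PBAC evaluator: attribute bags for the three Field Type
categories and permit policies whose conditions reference them.
Hypothetical model for explanation only; not EmpowerID's engine or API."""
from dataclasses import dataclass
from datetime import datetime

# Assumed ordering used for "clearance equals or exceeds" comparisons.
CLEARANCE_RANK = {"Public": 0, "Internal": 1, "Confidential": 2, "Restricted": 3}


@dataclass(frozen=True)
class Condition:
    """One test against a Field Type Value in a given category."""
    category: str    # "assignee", "resource" or "environment"
    field_type: str  # e.g. "Department", "Classification", "BusinessHours"
    op: str          # "eq", "in" or "rank_gte"
    value: object

    def holds(self, ctx: dict) -> bool:
        actual = ctx.get(self.category, {}).get(self.field_type)
        if actual is None:
            return False  # an absent attribute never satisfies a condition
        if self.op == "eq":
            return actual == self.value
        if self.op == "in":
            return actual in self.value
        if self.op == "rank_gte":
            return CLEARANCE_RANK[actual] >= CLEARANCE_RANK[self.value]
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass(frozen=True)
class Policy:
    """A permit policy: every condition must hold (logical AND)."""
    name: str
    conditions: tuple

    def failed_conditions(self, ctx: dict) -> list:
        """Names of the conditions that did not hold; empty means the policy applies."""
        return [f"{c.category}.{c.field_type} {c.op} {c.value!r}"
                for c in self.conditions if not c.holds(ctx)]


def environment_at(when: datetime, network: str) -> dict:
    """Derive Environmental Field Type Values from the request context."""
    weekday = when.weekday() < 5
    return {
        "TimeOfDay": when.hour,
        "DayOfWeek": "weekday" if weekday else "weekend",
        "BusinessHours": weekday and 9 <= when.hour < 17,  # assumed 09:00-17:00
        "NetworkLocation": network,
    }


def decide(policies, assignee: dict, resource: dict, environment: dict) -> str:
    """Deny by default; permit if any policy's conditions all hold.
    Attribute values are read fresh on every call, so a change in the
    assignee or resource record changes the outcome without touching policy."""
    ctx = {"assignee": assignee, "resource": resource, "environment": environment}
    for policy in policies:
        if not policy.failed_conditions(ctx):
            return "permit"
    return "deny"


POLICIES = (
    Policy("confidential-financial-reports", (
        Condition("assignee", "Department", "eq", "Finance"),
        Condition("assignee", "Clearance", "rank_gte", "Confidential"),
        Condition("resource", "Classification", "eq", "Confidential"),
        Condition("environment", "NetworkLocation", "in", ("corporate",)),
        Condition("environment", "BusinessHours", "eq", True),
    )),
    Policy("marketing-campaign-data", (
        Condition("assignee", "Department", "eq", "Marketing"),
        Condition("resource", "DataCategory", "eq", "Marketing Campaign"),
    )),
    Policy("sales-data", (
        Condition("assignee", "Department", "eq", "Sales"),
        Condition("resource", "DataCategory", "eq", "Sales Data"),
    )),
)

# Constructed sample records and timestamps (not real data).
FINANCIAL_REPORT = {"Classification": "Confidential", "DataCategory": "Financial Data"}
CAMPAIGN_DATA = {"Classification": "Internal", "DataCategory": "Marketing Campaign"}
SALES_DATA = {"Classification": "Internal", "DataCategory": "Sales Data"}
TUESDAY_10AM = datetime(2024, 3, 5, 10, 0)   # a weekday inside business hours
SATURDAY_10AM = datetime(2024, 3, 9, 10, 0)  # a weekend day, outside business hours

if __name__ == "__main__":
    analyst = {"Department": "Finance", "Clearance": "Confidential"}
    office = environment_at(TUESDAY_10AM, "corporate")
    print(decide(POLICIES, analyst, FINANCIAL_REPORT, office))                             # permit
    print(decide(POLICIES, analyst, FINANCIAL_REPORT, environment_at(TUESDAY_10AM, "external")))  # deny
    sarah = {"Department": "Marketing"}
    print(decide(POLICIES, sarah, CAMPAIGN_DATA, office))  # permit
    sarah["Department"] = "Sales"  # HR update only; POLICIES is untouched
    print(decide(POLICIES, sarah, CAMPAIGN_DATA, office))  # deny
    print(decide(POLICIES, sarah, SALES_DATA, office))     # permit
```

Two design points carry over to any real PBAC deployment: a missing attribute evaluates to false rather than being skipped, so an incomplete HR record fails closed, and `failed_conditions` reports which Field Type test blocked the request, which is the detail an access-review or troubleshooting log needs when a user asks why a previously working request is now denied.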
Field Type Management
Field Types are managed through the EmpowerID administrative interface. This includes defining Field Types, assigning allowed values, and associating Field Types with applications and access policies. Administrators can create new Field Types to support emerging policy requirements, add or modify Field Type Values as organizational needs evolve, and link Field Types to specific applications or policy contexts.
The dynamic nature of Field Types means that administrative changes—such as adding a new department value or updating classification levels—immediately affect policy evaluation across all applicable policies. This centralized management ensures consistency while allowing policies to adapt to organizational changes without requiring individual policy modifications.
For detailed procedures on creating and managing Field Types, see the Managing App Rights and Field Types section of the EmpowerID documentation.
Summary
Field Types are the mechanism through which EmpowerID implements Attribute-Based Access Control within its Policy-Based Access Control framework. They represent attributes about users (Assignee Field Types), resources (Resource Field Types), and environmental conditions (Environmental Field Types) that policies evaluate at runtime to make authorization decisions.
By evaluating Field Type Values dynamically, PBAC policies can enforce fine-grained access control that adapts to current organizational context without requiring manual policy updates when attributes change. This approach enables organizations to express complex business rules naturally—rules that would require dozens or hundreds of roles in traditional RBAC models can be captured in a single policy that references relevant Field Types.
Field Types bridge the gap between the structured governance of RBAC (which provides roles and organizational hierarchy) and the flexible, context-aware decisions of ABAC (which evaluates attributes at runtime). Together with rights, roles, and Assignment Points, Field Types enable EmpowerID to deliver sophisticated access control policies that are both manageable and adaptive.