Understanding Field Type Selection Rules
Field Type Selection Rules are the mechanism through which users provide attribute values during access requests in EmpowerID's Policy-Based Access Control (PBAC) system. While Field Types define which attributes policies evaluate—such as department, region, or classification—Selection Rules determine how users specify those attribute values when requesting access. This user experience layer is critical because policies can only evaluate attributes accurately if users provide valid, properly formatted data.
Selection Rules shape both the user experience and data quality. By choosing appropriate controls for each Field Type—dropdowns for predefined lists, text entry for flexible input, lookup controls for complex datasets—administrators ensure that users can efficiently provide the information needed for policy evaluation while preventing invalid entries that could cause policy failures or incorrect authorization decisions.
Field Types define WHAT attributes policies need to evaluate during authorization decisions. Selection Rules define HOW users provide those attribute values during access requests. Together, they form the data collection layer that enables PBAC's attribute-based approach.
For more information on Field Types and how they enable attribute-based policies, see Understanding Field Types in EmpowerID PBAC.
The Role of Selection Rules in Access Requests
During access requests, users may need to provide additional information based on Field Types associated with the requested application rights or resources. This information collection is not incidental—it's fundamental to how PBAC works. The attribute values users provide become the data that policies evaluate to make authorization and approval routing decisions.
Consider a PBAC policy that grants access to financial reports based on the user's department and the report's region. When a user requests access, they must specify which region's reports they need. The Selection Rule configured for the "Region" Field Type determines whether users see a dropdown list, checkbox options, or a lookup control for selecting regions. The user's selection—"North America," for example—becomes the attribute value that the policy evaluates.
If the Selection Rule allows invalid data entry—such as free text where users might enter "NA" instead of "North America"—the policy evaluation could fail because the value doesn't match what the policy expects. This demonstrates why Selection Rules are not merely cosmetic UI choices but are integral to ensuring that PBAC policies function correctly.
How Selection Rules Support Policy Evaluation
Selection Rules contribute to successful policy evaluation in several ways:
Data Validation - Selection Rules enforce constraints on what users can enter. Dropdown lists and checkboxes limit choices to predefined values that match Field Type Values exactly. This prevents typos, inconsistent formatting, and invalid entries that policies wouldn't recognize.
Required Field Enforcement - Selection Rules can mark certain Field Types as required, ensuring that users provide all attributes necessary for policy evaluation. If a policy requires both department and region to make an authorization decision, Selection Rules ensure users cannot submit the request without providing both values.
Appropriate Granularity - The choice of Selection Rule affects how granularly users can specify attributes. A MultiSelectCheckBoxList allows users to request multiple regions simultaneously, while a SingleSelectDropdownList restricts them to one region at a time. This granularity directly impacts how requests are evaluated and potentially split for approval routing.
User Guidance - Well-chosen Selection Rules guide users toward providing policy-relevant data. Lookup controls can display additional context about each option, helping users select values that accurately represent their access needs. This improves both the user experience and the accuracy of attribute data flowing into policy evaluation.
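The validation and required-field checks described above, shown as an added example that is not EmpowerID code and not part of the original page. The `FieldType` class, the `validate_request` function and the sample values are hypothetical; the sketch models exact matching against Field Type Values, required fields and single versus multi-select cardinality.

```python
from dataclasses import dataclass

# Hypothetical model of a Field Type and its Selection Rule constraints.
# Names are illustrative and are not EmpowerID's API.
@dataclass(frozen=True)
class FieldType:
    name: str
    allowed_values: frozenset   # the Field Type Values policies compare against
    required: bool = True
    multi: bool = False         # True models a multi-select control

def validate_request(field_types, submitted):
    """Return (clean_values, errors) for a submitted access request.

    `submitted` maps field name -> list of raw strings from the form.
    Values are matched exactly; nothing is guessed or auto-corrected.
    """
    clean, errors = {}, []
    for ft in field_types:
        values = [v.strip() for v in submitted.get(ft.name, []) if v.strip()]
        if not values:
            if ft.required:
                errors.append(f"{ft.name}: required value missing")
            continue
        if not ft.multi and len(values) > 1:
            errors.append(f"{ft.name}: only one value allowed")
            continue
        unknown = [v for v in values if v not in ft.allowed_values]
        if unknown:
            errors.append(f"{ft.name}: unrecognized value(s) {unknown}")
            continue
        clean[ft.name] = values
    # Fields the request form never defined are rejected, not ignored.
    for name in sorted(set(submitted) - {ft.name for ft in field_types}):
        errors.append(f"{name}: field not defined for this request")
    return clean, errors

# Constructed sample data.
FIELDS = [
    FieldType("Department", frozenset({"Finance", "Sales"})),
    FieldType("Region", frozenset({"North America", "Europe"}), multi=True),
]

if __name__ == "__main__":
    # "NA" is rejected because it does not match "North America" exactly.
    print(validate_request(FIELDS, {"Department": ["Finance"], "Region": ["NA"]}))
    print(validate_request(FIELDS, {"Region": ["North America", "Europe"]}))
```

Running the same check when the request is received, and not only in the form control, keeps values that bypass the UI from reaching policy evaluation.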
Categories of Selection Rules
Selection Rules fall into several categories based on how users interact with input fields. Each category offers specific strengths depending on the nature of the data being collected and how it will be evaluated by policies.
Selection-Based Rules
Selection-based rules guide users to choose from predefined options, ensuring that provided values match exactly what policies expect.
SingleSelectDropdownList - Displays a dropdown interface suitable for longer lists where conserving screen space is important. Ideal for Field Types with many possible values, such as countries, departments, or project codes. Users must select exactly one value from the list.
SingleSelectRadioButton - Presents all options simultaneously as radio buttons, suitable for shorter lists where seeing all choices at once helps users make decisions. Best for 2-7 mutually exclusive options, such as classification levels (Public, Internal, Confidential, Restricted) or priority levels.
MultiSelectCheckBoxList - Enables selection of multiple items simultaneously through checkboxes. Use this when users may legitimately need access across multiple attribute values—such as requesting access to both North America and Europe regions, or to multiple departments. This can result in request splitting for approval routing, with each selected value potentially routing to different approvers.
These controls ensure that users can only select values that exist in the Field Type's defined value list, preventing data quality issues during policy evaluation.
Text Entry Rules
Text entry rules allow direct keyboard input, providing flexibility when predefined lists are impractical or when values are user-specific.
FreeTextSingleValue - Provides a simple input field for individual values like project codes, employee IDs, or reference numbers. Use this when the possible values are too numerous or dynamic to maintain in a predefined list, but where users know the specific value they need.
FreeTextMultiValue - Supports structured key-value input, useful for capturing labeled data pairs. This allows users to specify multiple pieces of related information, such as cost centers with their corresponding approval amounts.
FreeTextMultiValues - Allows users to enter multiple unstructured values, offering flexibility in open-ended scenarios where the number and nature of values cannot be predetermined.
While text entry provides flexibility, it increases the risk of data quality issues. Policies evaluating free-text values may fail if users enter unexpected formats. Use text entry only when selection-based controls are impractical, and provide clear instructions on expected format.
Advanced Selection Rules
Advanced selection rules support scenarios where users must evaluate complex datasets before selecting values, such as when Field Types correspond to structured objects.
SingleSelectLookupControl - Displays a searchable, table-like interface showing multiple attributes of each option. Users can review details before selecting. Ideal when Field Types represent complex objects like locations (with address, region, and time zone), assets (with owner, status, and classification), or projects (with manager, budget, and timeline).
MultiSelectLookupControl - Extends the lookup concept to allow multiple selections from the same dataset. Users can search, filter, and select several items while reviewing their attributes. Useful when users need access to multiple resources that require evaluation before selection.
Lookup controls provide the best user experience when Field Type values represent entities that users need to understand before selecting, ensuring informed decision-making during access requests.
Range-Based Rules
Range rules allow users to specify boundaries, useful when policies evaluate numerical or temporal ranges.
FreeTextRange - Lets users define custom minimum and maximum values for numeric or date ranges. Use this for Field Types like budget authority limits, time windows for temporary access, or data retention periods. Policies can then evaluate whether requested ranges fall within permitted boundaries.
FixedRange - Displays predefined, read-only boundaries that communicate policy limits without allowing modification. This is useful for showing users what ranges they're permitted to request, even if they cannot change those limits during the request.
Autocomplete Rules
Autocomplete rules streamline selection from large datasets by filtering options as users type.
SingleSelectAutocomplete - Offers type-ahead suggestions for selecting one item from an extensive list. As users type, the system filters options to match their input. Best for Field Types with hundreds or thousands of values, such as customer names, asset identifiers, or location codes.
MultiSelectAutocomplete - Supports multiple entries while preserving the efficiency of predictive text. Users can select several items by typing and selecting sequentially. Useful when users need access to multiple specific items from a large catalog.
Autocomplete controls balance the data quality of predefined lists with the usability needed for very large value sets.
Display-Only Rules
Display-only rules present information without accepting user input, supporting transparency and providing context during access requests.
FixedSingleValue - Displays a single static value, such as a preassigned classification level or a system-determined region. Use this when a Field Type value is derived from other information and users should see it but not modify it.
FixedList - Shows multiple static values, often used to display existing entitlements or default policy attributes that will be evaluated. This helps users understand what conditions will apply to their request.
PersonRelative - Displays information specific to the current requester, such as their manager, team, or home location. This is useful when policies evaluate relationships or requester attributes, helping users understand which attribute values apply to them.
Display-only rules enhance transparency by showing users what attributes will be evaluated, even when those values aren't user-provided.
Impact on the Request and Approval Workflow
Selection Rules affect multiple stages of the access request and approval workflow, not just the initial data collection.
Request Submission - The Selection Rules configured for each Field Type determine what information users provide when submitting requests. This directly impacts whether users can specify the access they need clearly and completely.
Request Splitting - When users select multiple values using MultiSelectCheckBoxList or MultiSelectAutocomplete, EmpowerID may split the request into separate items—one per selected value. This splitting enables granular approval routing, where each item routes to approvers appropriate for that specific attribute value.
Policy Evaluation - The attribute values collected through Selection Rules become the data that PBAC policies evaluate. Policies check whether these values satisfy defined conditions—whether the user's department matches the resource's department, whether the requested classification level matches the user's clearance, or whether the request time falls within approved hours.
Approval Routing - For PBAC approval routing, the attribute values users provide through Selection Rules determine which approvers receive the request. A request specifying "Europe" as the region routes to European approvers because the PBAC Approver resolver evaluates the region attribute value provided through the Selection Rule.
Audit and Compliance - The attribute values collected become part of the request audit trail. Selection Rules that enforce data quality ensure that audit logs contain accurate, consistent information about what users requested and why access was granted or denied.
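Request splitting and attribute-driven approval routing, modeled as an added example that is not EmpowerID code and not part of the original page. The `split_and_route` function, the approver group names and the status strings are hypothetical; the sketch assumes one request item per selected region and marks an item with no approver mapping as unroutable instead of approving or dropping it.

```python
# Hypothetical approver mapping (constructed). In a real deployment this
# comes from the approval routing configuration, not from code.
APPROVERS_BY_REGION = {
    "North America": ["na-finance-approvers"],
    "Europe": ["eu-finance-approvers"],
}

def split_and_route(requester, resource, regions, approvers=APPROVERS_BY_REGION):
    """Split a multi-value request into one item per region and route each.

    Returns a list of request items. An item whose region has no approver
    mapping is marked 'unroutable' so it is held for review rather than
    silently approved or discarded.
    """
    items, seen = [], set()
    for region in regions:
        if region in seen:          # a value selected twice yields one item
            continue
        seen.add(region)
        assigned = approvers.get(region, [])
        items.append({
            "requester": requester,
            "resource": resource,
            "region": region,
            "approvers": list(assigned),
            "status": "pending_approval" if assigned else "unroutable",
        })
    return items

if __name__ == "__main__":
    # Constructed request: two regions selected in a multi-select control.
    for item in split_and_route("jdoe", "Financial Reports",
                                ["North America", "Europe"]):
        print(item["region"], "->", item["approvers"], item["status"])
    # A free-text value that matches no region cannot be routed.
    print(split_and_route("jdoe", "Financial Reports", ["NA"]))
```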
Choosing Appropriate Selection Rules
Selecting the right Selection Rule for each Field Type requires considering data quality requirements, user experience, and how policies will evaluate the collected data.
When selecting Field Type Selection Rules, prioritize both data accuracy and user experience. Choose controls that reduce user error and guide input toward valid, policy-relevant values while making the request process intuitive and efficient.
For Predefined Value Sets - Use selection-based controls (dropdowns, radio buttons, checkboxes) when Field Type values are known and finite. This ensures data quality by preventing invalid entries and provides users with clear choices.
For Large Value Sets - Use autocomplete controls when Field Types have hundreds or thousands of values. These maintain data quality while providing usable search and filtering.
For Complex Objects - Use lookup controls when Field Type values represent entities with multiple attributes that users should review before selecting. The additional context helps users make informed choices.
For Flexible Input - Use text entry only when predefined lists are impractical. Provide clear instructions and examples to guide users toward expected formats. Consider validating text entries against patterns when possible.
For Multiple Selections - Use multi-select controls (checkboxes, multi-select autocomplete) only when users may legitimately need access across multiple attribute values and when policies and approval workflows can handle request splitting appropriately.
Administrators should test Selection Rule configurations with actual users before deployment. Clear field labels, help text, and input examples significantly improve data quality and user experience.
Summary
Field Type Selection Rules are the data collection layer that enables EmpowerID's Policy-Based Access Control system to function. While Field Types define which attributes policies need to evaluate, Selection Rules determine how users provide those attribute values during access requests. This connection between user experience and policy enforcement is critical—policies can only make accurate authorization decisions if users provide valid, properly formatted attribute data.
By choosing Selection Rules that balance data quality with usability, administrators ensure that the attribute values flowing into PBAC policies are accurate, consistent, and policy-relevant. These rules affect not only the initial request experience but also request splitting, approval routing, policy evaluation, and audit trails.
Selection Rules demonstrate how PBAC extends throughout the entire access governance lifecycle. From the moment users request access and specify attribute values, through policy evaluation and approval routing, to final access grants and audit logging, the attributes collected through Selection Rules drive dynamic, context-aware authorization decisions. Together with Field Types, policies, and approval routing, Selection Rules complete the framework that enables organizations to implement sophisticated, attribute-based access control while maintaining usability and data integrity.