13. Administer Digital Access Policies
Policy administration describes the process of creating and updating the rules that govern logical and physical access for an organization and translating those rules into the digital policies that govern access decisions. This process applies primarily to the “dynamic” model of access management (see the Authorize Access, Dynamic use case).
Creating and implementing policy is a process that happens during design time, before users attempt to access protected resources. Once a policy has been created, it is referenced during run time to dynamically make access decisions at the time access is attempted based on an individual’s roles and attributes.
Policymaking bodies often draw on federal regulations, executive orders, legislation, organization-specific rules, and past precedent when crafting or updating digital access policy.
Pre-condition: An organization’s digital policy administration body has examined the relevant federal and organizational rules.
|From the relevant set of rules, the administration body derives access policies that match regulatory compliance and their organization’s needs.|
|This body, often in concert with other stakeholders and agency leadership, drafts, reviews, and approves new policies or changes to existing policy.|
|The administration body works with data administration to implement policy additions and adjustments.|
Post-condition: Policies are updated and implemented.
Click here for a consolidated image of this use case.