Access Control Policy Condition rule
An Access Control Policy Condition rule defines a set of filters, and the filter logic that combines them, for an access control policy. It describes the conditions under which the policy's access type is granted to the object or property that the policy protects.
Each filter compares a column source (a property of the policy's class) to a target value. The target value is typically a clipboard property that describes the user who is attempting to access the cases; for example, Case.RequiredClearance <= UserInfo.SecurityLevel compares a case attribute with a value from the user's context. The filter logic that combines the filters uses the AND and OR operators and parentheses. You can enter multiple filter logic values, each associated with a when rule, so that the filters enforced for a specific user are determined dynamically at run time.
The special comparison operators All Of and One Of compare two property values when each is a comma-separated list of one or more values. The comparison values referenced in policy condition filters must be existing Requestor properties or requestor-scoped data pages.
The following restrictions apply to column source properties:
- They must be top-level, optimized properties that are available as database columns and can be referenced in generated SQL. For best performance, consider indexing optimized properties that are referenced in policy conditions.
- They must be included among the custom search properties that are stored in the search index in a returnable form if they do not have a text data type or if the One Of comparison operator is used. When access policies are inherited by multiple classes, column source properties might need to be optimized and stored in a returnable form in the search index in each class where the policies are enforced. Also, when the list of custom search properties for a class changes, the search index must be rebuilt for the class on the Search landing page.
Do not reference case attributes or policy class property values in an Access When rule that is used for the conditional logic; doing so produces invalid results or run-time failures.
Target values are restricted to a clipboard page reference or to a nonparameterized data page reference. Primary page properties are not allowed. Target values must be of the same data type as the column source.
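The following added example (not Pega code and not part of this page) models the filter semantics described above in plain Python: filters that compare a column source with a requestor-scoped target, filter logic built from AND, OR and parentheses, and the All Of / One Of list comparisons. It evaluates a two-filter policy against constructed case rows and also renders the SQL-eligible filters as a parameterised WHERE fragment, mirroring the page's point that ordinary comparisons go into generated SQL while One Of cannot. The filter labels F1 and F2, the property names, the sample rows, and the direction of the All Of and One Of set comparisons (every case value must be in the requestor's list, or at least one must be) are assumptions for illustration.

```python
# Constructed toy model of an Access Control Policy Condition; not Pega code.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Filter:
    column: str   # policy-class property exposed as a database column
    op: str       # "<=", ">=", "<", ">", "=", "!=", "All Of", "One Of"
    target: str   # requestor-scoped property supplying the comparison value

SQL_OPS = {"<=", ">=", "<", ">", "=", "!="}
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")   # column names allowed in generated SQL

def _as_set(value):
    # "HR, FINANCE" -> {"HR", "FINANCE"}; used by the list operators
    return {v.strip() for v in str(value).split(",") if v.strip()}

def eval_filter(f, case, requestor):
    """Evaluate one filter against a case record and the requestor context."""
    col, tgt = case[f.column], requestor[f.target]
    if f.op in SQL_OPS:
        if type(col) is not type(tgt):   # page: target must match the column's data type
            raise TypeError(f"{f.column} and {f.target} differ in data type")
        return {"<=": col <= tgt, ">=": col >= tgt, "<": col < tgt,
                ">": col > tgt, "=": col == tgt, "!=": col != tgt}[f.op]
    col_set, tgt_set = _as_set(col), _as_set(tgt)
    if f.op == "All Of":   # assumed: every value on the case is in the requestor's list
        return col_set <= tgt_set
    if f.op == "One Of":   # assumed: at least one value on the case is in the requestor's list
        return bool(col_set & tgt_set)
    raise ValueError(f"unknown operator {f.op!r}")

def _tokenize(logic):
    # Filter labels F1, F2, ... are an assumed syntax; anything else is rejected.
    if not re.fullmatch(r"(\s*(?:\(|\)|AND|OR|F\d+))*\s*", logic):
        raise ValueError(f"bad filter logic: {logic!r}")
    return re.findall(r"\(|\)|AND|OR|F\d+", logic)

def eval_logic(logic, values):
    """Evaluate filter logic such as "(F1 AND F2) OR F3"; malformed logic raises (fail closed)."""
    toks = _tokenize(logic)

    def expr():                    # expr := term ("OR" term)*
        v = term()
        while toks and toks[0] == "OR":
            toks.pop(0)
            v = term() or v        # right side always parsed, no short-circuit
        return v

    def term():                    # term := factor ("AND" factor)*
        v = factor()
        while toks and toks[0] == "AND":
            toks.pop(0)
            v = factor() and v
        return v

    def factor():                  # factor := "(" expr ")" | label
        t = toks.pop(0) if toks else None
        if t == "(":
            v = expr()
            if not toks or toks.pop(0) != ")":
                raise ValueError("unbalanced parentheses in filter logic")
            return v
        if t not in values:
            raise ValueError(f"unexpected token {t!r} in filter logic")
        return values[t]

    result = expr()
    if toks:
        raise ValueError("trailing tokens in filter logic")
    return result

def access_granted(filters, logic, case, requestor):
    values = {label: eval_filter(f, case, requestor) for label, f in filters.items()}
    return eval_logic(logic, values)

def to_sql_where(filters, logic, requestor):
    """Render SQL-eligible filters as a WHERE fragment with bind parameters."""
    out, params = [], []
    for t in _tokenize(logic):
        if t in filters:
            f = filters[t]
            if f.op not in SQL_OPS or not _IDENT.match(f.column):
                raise ValueError(f"{t} cannot be expressed in generated SQL")
            out.append(f"{f.column} {f.op} ?")   # value is bound, never concatenated
            params.append(requestor[f.target])
        else:
            out.append(t)
    return " ".join(out), params

# Constructed sample data: three cases, one requestor, a two-filter policy.
CASES = [
    {"pzInsKey": "C-1", "RequiredClearance": 2, "Markings": "HR,FINANCE"},
    {"pzInsKey": "C-2", "RequiredClearance": 4, "Markings": "HR"},
    {"pzInsKey": "C-3", "RequiredClearance": 1, "Markings": "LEGAL"},
]
REQUESTOR = {"SecurityLevel": 3, "Attributes": "HR,FINANCE"}
FILTERS = {"F1": Filter("RequiredClearance", "<=", "SecurityLevel"),
           "F2": Filter("Markings", "All Of", "Attributes")}

def visible_cases(filters=FILTERS, logic="F1 AND F2", cases=CASES, requestor=REQUESTOR):
    """Row-level security applied in memory: keys of the cases the requestor may see."""
    return [c["pzInsKey"] for c in cases if access_granted(filters, logic, c, requestor)]
```

Two design choices reflect caveats on this page: a target whose data type differs from the column source raises instead of being coerced, and the filter logic parser rejects malformed or trailing input instead of silently dropping a filter, so a configuration mistake denies access rather than widening it. to_sql_where refuses All Of and One Of filters because, per the restrictions above, those are not answered from generated SQL, and it binds the requestor's value as a parameter so user-derived context never becomes SQL text.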
- Attribute-based access control
You can restrict the ability of a user to view, modify, and delete instances of classes, or properties within classes. Use attribute-based access control (ABAC) to enforce row-level and column-level security in your application.
- Security attributes markings
Attributes are unique security markings, which are assigned to objects and operators. Each attribute has a value associated with it, which means that a user must possess an attribute value to access an object.
- Creating an access control policy condition
You can define a set of conditions and comparison logic to be evaluated to grant access to an object.