A hierarchical attribute, that is, an attribute whose values have a defined order, is the main attribute type used to define an access level: it is assigned both to objects and to operators. Internally the value can be represented as an integer, so a simple numeric comparison decides whether the subject may access the object.
You can define the access level with hierarchical attributes in two ways:
- The attribute is represented by a string property on the object and on the operator, holding one of the text values Senior Manager, Manager, or User. Because strings carry no order of their own, you build the hierarchy from a set of conditions, for example:
  - A: Operator.SecurityClearance = "Senior Manager"
  - B: Operator.SecurityClearance = "Manager"
  - C: Operator.SecurityClearance = "User"
  - D: .SecurityClearance = "Senior Manager"
  - E: .SecurityClearance = "Manager"
  - F: .SecurityClearance = "User"
  Conditions A to C test the operator, D to F test the object being accessed (the unqualified `.SecurityClearance` refers to the object). The conditions then have to be combined with the following logic:
  A or (B and (E or F)) or (C and F)
  That is, a Senior Manager sees every object, a Manager sees Manager and User objects, and a User sees only User objects. Condition D does not appear in the expression because a Senior Manager operator is already granted by A alone.
- For convenience, the hierarchical attribute can instead be represented by a numeric data type. Map each attribute value to a top-level numeric property on both the object and the subject, for example:
  - Senior Manager=1
  The numbers must grow as the level drops (the highest level gets the smallest number), so that the access level can be determined by a single condition with a numeric comparison:
  .SecurityClearance >= Operator.SecurityClearance
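The following script is an added example, not Pega code from the page: it implements both forms above as plain Python functions, cross-checks that the boolean combination `A or (B and (E or F)) or (C and F)` and the numeric comparison grant exactly the same (operator, object) pairs, and then uses the numeric form as a row-level filter over a constructed record list. The page only gives `Senior Manager=1`; the ranks `Manager=2` and `User=3` are assumed, as the comparison direction requires. The `Record` class, the `SAMPLE_RECORDS` data and the `Contractor` label are constructed for the example.

```python
"""Hierarchical (ordered) attribute checks for an ABAC policy condition.

Added example, not Pega's own implementation. Clearance labels come from the
page; the numeric ranks for Manager and User are assumptions (they must grow as
the level drops so that ".SecurityClearance >= Operator.SecurityClearance"
grants access downward only).
"""
from dataclasses import dataclass
from itertools import product

SENIOR_MANAGER = "Senior Manager"
MANAGER = "Manager"
USER = "User"

# Assumed numeric mapping: the page gives only Senior Manager=1.
CLEARANCE_RANK = {SENIOR_MANAGER: 1, MANAGER: 2, USER: 3}


def allowed_by_conditions(operator_clearance: str, object_clearance: str) -> bool:
    """String form: conditions A-F combined as A or (B and (E or F)) or (C and F).

    Note that A alone grants a Senior Manager access to an object carrying any
    label at all, including labels outside the hierarchy.
    """
    a = operator_clearance == SENIOR_MANAGER  # A: operator is Senior Manager
    b = operator_clearance == MANAGER         # B: operator is Manager
    c = operator_clearance == USER            # C: operator is User
    e = object_clearance == MANAGER           # E: object is Manager level
    f = object_clearance == USER              # F: object is User level
    return a or (b and (e or f)) or (c and f)


def allowed_by_rank(operator_clearance: str, object_clearance: str) -> bool:
    """Numeric form: object rank >= operator rank. Unknown labels fail closed."""
    try:
        return CLEARANCE_RANK[object_clearance] >= CLEARANCE_RANK[operator_clearance]
    except KeyError:
        return False


def forms_agree() -> bool:
    """Cross-check both forms over every (operator, object) pair of known labels."""
    labels = list(CLEARANCE_RANK)
    return all(allowed_by_conditions(op, obj) == allowed_by_rank(op, obj)
               for op, obj in product(labels, labels))


@dataclass(frozen=True)
class Record:
    record_id: str
    security_clearance: str  # the object's .SecurityClearance


def visible_records(operator_clearance: str, records):
    """Row-level filter: return the ids of records the operator may read."""
    return [r.record_id for r in records
            if allowed_by_rank(operator_clearance, r.security_clearance)]


# Constructed sample data (not from the page).
SAMPLE_RECORDS = [
    Record("R-1", SENIOR_MANAGER),
    Record("R-2", MANAGER),
    Record("R-3", USER),
    Record("R-4", "Contractor"),  # label outside the hierarchy: denied to everyone
]

if __name__ == "__main__":
    print("both forms agree on known labels:", forms_agree())
    for clearance in CLEARANCE_RANK:
        print(f"{clearance:15} sees {visible_records(clearance, SAMPLE_RECORDS)}")
```

The cross-check shows the two representations are interchangeable for the three known labels, which is why the numeric form is the safer one to maintain: adding a fourth level is a single mapping entry rather than a rewrite of the boolean expression. The `Contractor` record illustrates a difference worth keeping in mind: the string expression grants a Senior Manager access to an object with an unexpected label (A is true regardless of the object), whereas the rank lookup denies it, because an unmapped label has no rank. Whichever form you use, the numeric property on the object and on the operator must be populated by the mapping, not by user input, or the comparison can be bypassed.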
- Attribute-based access control: You can restrict the ability of a user to view, modify, and delete instances of classes, or properties within classes. Use attribute-based access control (ABAC) to enforce row-level and column-level security in your application.
- Creating an access control policy condition: You can define a set of conditions and the comparison logic to be evaluated to grant access to an object.