Access Control Policy Condition rule
An Access Control Policy Condition rule defines a set of filters, and the filter logic combining them, for an access control policy. They describe the conditions under which the access type is granted to a property.
Each filter compares a column source (a property of the policy’s class) to a target value. An
example filter is Case.RequiredClearance <= UserInfo.SecurityLevel. Each
set of filters compares a case attribute (property value) to any clipboard property value that
you want. This comparison value typically represents information about the user attempting to
access cases. The filter logic used to combine the filters uses the
OR operators and parentheses. You can enter multiple sets of filter logic
values, each associated with a when rule, so that the filters enforced for a specific user are
dynamically determined at run time.
The special comparison operators
All Of and
One Of can be
used to compare two property values when each is a comma-separated list of one of more values.
The comparison values that are referenced in policy condition filters must be existing
Requestor properties or requestor-scoped data pages.
The following restrictions apply to column source properties:
- They must be top-level, optimized properties that are available as database columns and can be referenced in generated SQL. For best performance, consider indexing optimized properties that are referenced in policy conditions.
- They must be included among the custom search properties that are stored in the search
index in a returnable form if they do not have a text data type or if the
One Ofcomparison operator is used.When access policies are inherited by multiple classes, column source properties might need to be optimized and stored in a returnable form in the search index in each class where the policies are enforced. Also, when the list of custom search properties for a class changes, the search index must be rebuilt for the class on the Search landing page.
Do not enter case attributes or policy class property values in an Access When rule that is used for conditional logic because doing so causes invalid results or run-time failures.
Target values are restricted to a clipboard page reference or to a nonparameterized data page reference. Primary page properties are not allowed. Target values must be of the same data type as the column source.