Creating ABAC policies for a case and a user
You can create hierarchical attributes (to specify a defined ranking of values, represented as integers) and All Of and One Of conditions (to specify how to compare the multivalue attribute types between the user and object) on cases to determine who is authorized to access the case.
Note: You can create policies only for Work-, Data-, and Assign- classes.
- In Designer Studio, open a case and choose the property field where you want to enter:
- Multivalue attributes in a comma-separated noun list.
- Hierarchical attributes as a numerical value.
Note: The One Of or All Of comparison operators are case-sensitive and sensitive to extra spaces in the lists of values being compared. For performance reasons, ensure that the column source property values and target values that are compared by these operators are in all uppercase (or all lowercase), with no spaces.
- Click Save.
- Click Records > Security > Access Control Policy Condition.
- Click +Create.
- In the Label field, enter the policy condition name.
- In the Context section, in the Apply to (class) field, enter the rule to which the policy applies.
- In the Add to ruleset field, select a ruleset.
- Click Create and open.
- Optional: Click Add conditional logic to configure a filter logic string for the condition.
- On the Definition tab, in the section, click Add conditional logic as needed to support situations where different logic needs to be applied.
- In the WHEN field, enter an Access When rule that evaluates whether the conditional logic should be used.
- In the second field, enter a filter logic string that is applied when the Access When rule evaluates to true. When the set of filters to be applied in an Access Control Policy Condition rule is determined conditionally using Access When rules, leave the filter logic entry blank if you want to enforce no policy condition at all, for example, for certain highly privileged users.
- In the OTHERWISE field, enter the filter logic string that is used when all of the when rules evaluate to false.
- In the Policy Conditions section, in the Condition field, enter a condition name.
- In the Column source field, enter the property in which the case attributes are entered.
- In the Relationship field, select an attribute or attributes.
  If you select Is null or Is not null in the Relationship field, the Treat Empty As Null check box is automatically selected. When Treat Empty As Null is selected, empty values are also treated as null.
  If you select Is null or Is not null in the Relationship field, the Value field is not active.
- In the Value field, enter all the attribute values that you want the condition to check.
- Click Save.
- Click Records > Security > Access Control Policy.
- Click +Create.
- In the Label field, enter the policy name.
- In the Action list, select one of the actions:
- Read - The user can open a case that meets the policy conditions or view data for the case in lists, reports, searches, and so on.
- Update - The user can create a case that meets the policy conditions or update data for such a case.
- Discover - The user can see limited information (defined by a developer) about a case that does not meet the Read policy conditions but does satisfy the Discover policy conditions.
- Delete - The user can delete a case that meets the policy conditions.
- In the Context section in the Apply to (class) field, enter a class.
- In the Add to ruleset field, select a ruleset.
- Click Create and open.
- On the Definition tab, select the Disallow creation of a policy with the same name at a descendant class check box to prevent overriding the policy in a descendant class.
- In the Condition field, enter the policy condition rule name.
- Click Save.
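The following is an added illustration, not Pega code, of how the One Of, All Of, Is null and hierarchical comparisons configured above behave, and why the note recommends uppercase values with no spaces. The direction of One Of and All Of (target values looked up in the column source), the `>=`/`<=` spelling of the hierarchical operators and all sample values are assumptions.

```python
# Added example (not Pega code): models one Access Control Policy Condition row.
# Assumption: the Value field holds the target list (typically a user property)
# and One Of / All Of look those target values up in the case's column source.

def parse_list(raw, treat_empty_as_null=True):
    """Split a comma-separated noun list exactly as stored: no trimming, no case-folding,
    mirroring the operators' sensitivity to case and extra spaces."""
    if raw is None or (treat_empty_as_null and raw == ""):
        return None
    return set(raw.split(","))

def normalize(raw):
    """Store values in the recommended form: uppercase, no surrounding spaces."""
    return ",".join(v.strip().upper() for v in raw.split(",") if v.strip())

def evaluate(relationship, column_source, value=None, treat_empty_as_null=True):
    """Evaluate one condition: column_source is the case property, value the target."""
    if relationship == "Is null":
        return parse_list(column_source, treat_empty_as_null) is None
    if relationship == "Is not null":
        return parse_list(column_source, treat_empty_as_null) is not None
    if relationship in (">=", "<="):
        # Hierarchical attributes are integer ranks, e.g. case level <= user clearance.
        src, tgt = int(column_source), int(value)
        return src >= tgt if relationship == ">=" else src <= tgt
    source = parse_list(column_source, treat_empty_as_null)
    target = parse_list(value, treat_empty_as_null)
    if source is None or target is None:
        return False  # assumption: a null side never satisfies a list comparison
    if relationship == "One Of":
        return bool(source & target)  # at least one target value is in the column source
    if relationship == "All Of":
        return target <= source       # every target value is in the column source
    raise ValueError(f"unsupported relationship: {relationship}")
```

Note that `evaluate("One Of", "Finance, HR", "HR")` is false because of the leading space and differing case, while the same values passed through `normalize` match.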