Creating ABAC policies for a case
ABAC policy conditions compare property values on the clipboard (typically a data page that represents a user’s security credentials) with property values on each instance of a class. For example, hierarchical comparisons compare two integer values that represent clearance levels, and attribute comparisons that use either the OneOf or AllOf operators compare two text values (each is a comma-separated list of attribute values).
To view the Access Control Policy Condition, you must have the pzCanManageSecurityPolicies privilege.
You can create policies only for Work-, Data-, and Assign- classes.
- In Designer Studio, open a case and, in the property field that holds the attributes to be compared, enter one of the following:
- Multivalue attributes as a comma-separated list of values.
- Hierarchical attributes as a single numeric value (for example, a clearance level).
The One Of and All Of comparison operators are case-sensitive and sensitive to extra spaces in the lists of values that are compared; a value that differs only in case or spacing does not match. For performance reasons, ensure that the column source property values and the target values that these operators compare are all uppercase (or all lowercase), with no spaces.
- Click Save.
- Click Records > Security > Access Control Policy Condition.
- Click +Create.
- In the Label field, enter the policy condition name.
- In the Context section, in the Apply to field, enter the class to which the policy condition applies.
- In the Add to ruleset field, select a ruleset.
- Click Create and open.
- Optional: On the Definition tab, click Add conditional logic to configure a filter logic string that is applied only in particular situations, for example when different logic is needed for different groups of users.
- In the WHEN field, enter an Access When rule that evaluates whether the conditional logic should be used.
- In the second field, enter the filter logic string that is applied when that Access When rule evaluates to true. Leave this field blank to enforce no policy condition at all when the Access When rule is true, for example for certain highly privileged users.
- In the OTHERWISE field, enter the filter logic string that is used when all of the Access When rules evaluate to false.
- In the Policy Conditions section, in the Condition field, enter a condition name.
- In the Column source field, enter the case property that holds the attribute values.
- In the Relationship field, select the comparison operator (for example, One Of, All Of, Is null, or Is not null).
- If you select Is null or Is not null in the Relationship field, the Treat Empty As Null check box is selected automatically. When Treat Empty As Null is selected, an empty value is treated as null.
- If you select Is null or Is not null in the Relationship field, the Value field is not active.
- In the Value field, enter the attribute values that you want the condition to check against.
- Click Save.
- Click Records > Security > Access Control Policy.
- Click +Create.
- In the Label field, enter the policy name.
- In the Action list, select one of the following actions:
- Read - The user can open a case that meets the policy conditions, and can view data for the case in lists, reports, searches, and so on.
- Update - The user can create a case that meets the policy conditions, or update data for such a case.
- Discover - The user can see limited information (defined by a developer) about a case that does not meet the Read policy conditions but does satisfy the Discover policy conditions.
- Delete - The user can delete a case that meets the policy conditions.
- PropertyRead - The user has a limited view of property values, including property values with read and update access.
- In the Context section in the Apply to (class) field, enter a class.
- In the Add to ruleset field, select a ruleset.
- Click Create and open.
- On the Definition tab, select the Disallow creation of a policy with the same name at a descendant class check box to prevent overriding the policy in a descendant class.
- In the Permit access if field, enter the name of the policy condition rule.
- Click Save.
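The following script is an added example, not Pega code, that models what the procedure above configures: named conditions over case properties, a filter logic string that combines them, an Access When rule whose empty filter logic string switches the condition off for privileged users, and a Read policy that filters a list of instances. The operator semantics are assumptions (One Of: at least one shared value; All Of: every value in the condition's Value list is present in the column source; hierarchical: integer <= or >=), the `clipboard:` prefix and all property names are hypothetical, and the clipboard pages and cases are constructed. It also shows the caveat in the note about case and spacing: the same cases become visible only after the list values are normalized.

```python
"""Toy model of ABAC policy-condition evaluation (added example; not Pega's implementation)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

CLIPBOARD_PREFIX = "clipboard:"  # hypothetical marker: Value refers to a clipboard property


def split_list(value: Optional[str]) -> set:
    """Split a comma-separated attribute list exactly as written (case and spaces kept),
    mirroring the case- and whitespace-sensitive matching of One Of / All Of."""
    return set(value.split(",")) if value else set()


def normalize_list(value: Optional[str]) -> str:
    """The hygiene the note recommends: uppercase, no surrounding spaces, no empty entries."""
    if not value:
        return ""
    return ",".join(p.strip().upper() for p in value.split(",") if p.strip())


@dataclass
class Condition:
    column_source: str                # case property holding the attribute values
    relationship: str                 # "OneOf", "AllOf", "<=", ">=", "IsNull", "IsNotNull"
    value: Optional[str] = None       # literal or clipboard:<property>; inactive for IsNull/IsNotNull
    treat_empty_as_null: bool = True  # auto-selected with IsNull/IsNotNull: "" counts as null


def eval_condition(cond: Condition, clipboard: Dict, case: Dict) -> bool:
    actual = case.get(cond.column_source)
    if cond.relationship in ("IsNull", "IsNotNull"):
        is_null = actual is None or (cond.treat_empty_as_null and actual == "")
        return is_null if cond.relationship == "IsNull" else not is_null
    if actual is None:
        return False  # a missing attribute never satisfies a positive comparison
    expected = cond.value
    if isinstance(expected, str) and expected.startswith(CLIPBOARD_PREFIX):
        expected = clipboard.get(expected[len(CLIPBOARD_PREFIX):])
    if cond.relationship == "<=":  # hierarchical: case classification <= user clearance
        return int(actual) <= int(expected)
    if cond.relationship == ">=":
        return int(actual) >= int(expected)
    if cond.relationship == "OneOf":
        return bool(split_list(actual) & split_list(expected))
    if cond.relationship == "AllOf":
        return split_list(expected) <= split_list(actual)
    raise ValueError(f"unsupported relationship {cond.relationship}")


def eval_logic(expr: str, results: Dict[str, bool]) -> bool:
    """Evaluate a filter logic string such as 'A AND (B OR C)' over named condition results."""
    tokens = expr.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def term() -> bool:
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok.upper() == "NOT":
            return not term()
        if tok == "(":
            inner = disjunction()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parentheses in filter logic")
            pos += 1
            return inner
        return results[tok]

    def conjunction() -> bool:
        nonlocal pos
        out = term()
        while pos < len(tokens) and tokens[pos].upper() == "AND":
            pos += 1
            out = term() and out  # evaluate the right operand first so no tokens are skipped
        return out

    def disjunction() -> bool:
        nonlocal pos
        out = conjunction()
        while pos < len(tokens) and tokens[pos].upper() == "OR":
            pos += 1
            out = conjunction() or out
        return out

    result = disjunction()
    if pos != len(tokens):
        raise ValueError("trailing tokens in filter logic")
    return result


@dataclass
class PolicyCondition:
    conditions: Dict[str, Condition]
    otherwise: str  # filter logic used when every Access When rule is false
    # (Access When, filter logic) pairs; an empty filter logic string enforces no condition
    when_rules: List[Tuple[Callable[[Dict], bool], str]] = field(default_factory=list)

    def permits(self, clipboard: Dict, case: Dict) -> bool:
        results = {name: eval_condition(c, clipboard, case) for name, c in self.conditions.items()}
        for access_when, logic in self.when_rules:
            if access_when(clipboard):
                return True if not logic.strip() else eval_logic(logic, results)
        return eval_logic(self.otherwise, results)


def readable_cases(policy: PolicyCondition, clipboard: Dict, cases: List[Dict]) -> List[str]:
    """Apply a Read policy: IDs of the instances this user may open or see in lists."""
    return [c["pyID"] for c in cases if policy.permits(clipboard, c)]


def normalized(record: Dict, keys=("Departments", "OwningDepartments")) -> Dict:
    """Copy of a page with its list-valued attributes normalized (uppercase, no spaces)."""
    return {k: (normalize_list(v) if k in keys else v) for k, v in record.items()}


# Constructed sample data: clipboard pages stand in for a user's security data page,
# the cases for instances of a Work- class.
ANALYST = {"ClearanceLevel": 3, "Departments": "FINANCE,LEGAL", "IsSecurityAdmin": False}
SECURITY_ADMIN = {"ClearanceLevel": 1, "Departments": "", "IsSecurityAdmin": True}
CASES = [
    {"pyID": "C-1", "Classification": 2, "OwningDepartments": "FINANCE"},
    {"pyID": "C-2", "Classification": 4, "OwningDepartments": "FINANCE"},    # above clearance
    {"pyID": "C-3", "Classification": 1, "OwningDepartments": "Finance"},    # mixed case
    {"pyID": "C-4", "Classification": 1, "OwningDepartments": "HR, LEGAL"},  # stray space
    {"pyID": "C-5", "Classification": 1, "OwningDepartments": ""},           # unassigned
]
READ_POLICY = PolicyCondition(
    conditions={
        "A": Condition("Classification", "<=", "clipboard:ClearanceLevel"),
        "B": Condition("OwningDepartments", "OneOf", "clipboard:Departments"),
        "C": Condition("OwningDepartments", "IsNull"),
    },
    when_rules=[(lambda cb: cb.get("IsSecurityAdmin", False), "")],  # admins: no condition
    otherwise="A AND (B OR C)",
)

if __name__ == "__main__":
    print("analyst, raw values:   ", readable_cases(READ_POLICY, ANALYST, CASES))
    print("analyst, normalized:   ", readable_cases(READ_POLICY, normalized(ANALYST),
                                                    [normalized(c) for c in CASES]))
    print("security admin:        ", readable_cases(READ_POLICY, SECURITY_ADMIN, CASES))
```

Run as-is, the analyst sees C-1 and C-5 only: C-3 and C-4 carry the right department but fail One Of on case and a stray space, which the policy reports as a plain denial rather than an error. After normalizing both sides they become visible, and the security admin sees every case because the Access When rule returns an empty filter logic string.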