Access Control Policy Condition rule
An Access Control Policy Condition rule defines a set of filters, and the filter logic combining them, for an access control policy. They describe the conditions under which the access type is granted to a property.
Each filter compares a column source (a property of the policy’s class) to a target value. An
example filter is Case.RequiredClearance <= UserInfo.SecurityLevel. Each
set of filters compares a case attribute (property value) to any clipboard property value that
you want. This comparison value typically represents information about the user attempting to
access cases. The filter logic used to combine the filters uses the AND
and
OR
operators and parentheses. You can enter multiple sets of filter logic
values, each associated with a when rule, so that the filters enforced for a specific user are
dynamically determined at run time.
The special comparison operators All Of
and One Of
can be
used to compare two property values when each is a comma-separated list of one of more values.
The comparison values that are referenced in policy condition filters must be existing
Requestor properties or requestor-scoped data pages.
The following restrictions apply to column source properties:
- They must be top-level, optimized properties that are available as database columns and can be referenced in generated SQL. For best performance, consider indexing optimized properties that are referenced in policy conditions.
- They must be included among the custom search properties that are stored in the search
index in a returnable form if they do not have a text data type or if the
All Of
orOne Of
comparison operator is used.Do not enter case attributes or policy class property values in an Access When rule that is used for conditional logic because doing so causes invalid results or run-time failures.
Target values are restricted to a clipboard page reference or to a nonparameterized data page reference. Primary page properties are not allowed. Target values must be of the same data type as the column source.
Previous topic Creating an access control policy condition Next topic Using security attributes markings