Creating an access control policy condition
You can define a set of conditions and comparison logic that you want to evaluate to grant access to an object.
Using the Data Access tab, you can build complex authorization models in which access restrictions for a class depend on the attributes that are present in the associated and indexed classes, along with the attributes in the current class. The Data Access tab is read-only, and any information that is displayed on the tab is input into the Column source field.
- In the navigation pane of Dev Studio, click Records.
- Expand the Security category, and then click Access Control Policy Condition.
- Click Create.
- In the Label field, enter the policy condition name.
- In the Context section, in the Apply to (class) field, press the Down arrow key, and then select the rule to which the policy condition applies.
- In the Add to ruleset field, select a ruleset.
- Click Create and open.
- Optional: To configure a filter logic string for the condition, click Add conditional logic, and then define the logic:
  - On the Definition tab, in the Conditional logic section, click Add conditional logic for situations where you need to apply different logic.
  - In the WHEN field, enter an Access When rule that evaluates whether the conditional logic should be used.
  - Optional: To enforce a policy condition, in the adjacent field, enter a filter logic string to apply when the Access When rule evaluates to true.
    When the set of filters to be applied in an Access Control Policy Condition rule is determined conditionally by using Access When rules, leave the filter logic entry blank if you want to enforce no policy condition at all, for example, for certain highly privileged users.
  - In the OTHERWISE field, enter the filter logic string that is used when all the when rules evaluate to false.
- On the Definition tab, in the Policy Conditions section, in the Condition field, enter a condition name.
- In the Column source field, press the Down Arrow key and select a property from the Apply To class from the list.
Use the Column source field to add content from the Applies to, associations and declarative index classes in your policy conditions. When you select Applies to, associations and declarative index classes, this information auto-populates on the Data Access tab.
- In the Relationship list, click the comparison logic appropriate for the evaluated attribute type.

For Numeric attributes:

| Attribute | Behavior |
|---|---|
| Is equal | The Apply To property value and comparison value are equal. |
| Is not equal | The Apply To property value and comparison value are not equal. |
| Is greater than | The Apply To property value is greater than the comparison value. |
| Is greater than or equal to | The Apply To property value is greater than or equal to the comparison value. |
| Is less than | The Apply To property value is lower than the comparison value. |
| Is less than or equal to | The Apply To property value is lower than or equal to the comparison value. |

For String attributes:

| Attribute | Behavior |
|---|---|
| Is equal | The Apply To property value and comparison values are equal. The comparison value can be a single value or a comma-delimited list. |
| Is not equal | The Apply To property value and comparison value are not equal. |
| All of | Both the Apply To property value and the comparison value are strings that consist of a comma-delimited list. The list does not contain any spaces within the string (except for spaces within a value), for example: “Brazil,Canada,France,Germany,South Africa,UK,USA”. The condition is satisfied if every element of the list within the Apply To property value is also an element in the list within the comparison value. |
| One of | Both the Apply To property value and the comparison value are strings that consist of a comma-delimited list. There should be no spaces within the string (except for spaces within a value), for example: “Brazil,Canada,France,Germany,South Africa,UK,USA”. The condition is satisfied if at least one element of the list within the Apply To property value is also an element in the list within the comparison value. |

For all attributes:

| Attribute | Behavior |
|---|---|
| Is null | The Apply To property value is null. |
| Is not null | The Apply To property value is not null. |

- In the Value field, enter the comparison values that you want the condition to check.
If you select Is null or Is not null in the Relationship field, the Value field is not active.
- Optional: To define additional conditions, click Add Condition and repeat steps 7 through 10.
- Optional: For multiple conditions, to define more complex Boolean operations, complete the Conditional Logic field.
By default, multiple conditions are combined by using the AND operator.
- Click Save.
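
The following Python sketch is an added example, not Pega code: it models the Relationship semantics from the tables above (including All of and One of on comma-delimited lists) and the default AND combination, so a policy can be reasoned about before it is saved. All function and field names are hypothetical, and two behaviors are assumptions rather than documented ones: list elements are compared without trimming, and a null property satisfies only Is null.

```python
import operator

# Added illustration; names are hypothetical and this is not Pega code.
NUMERIC = {
    "Is equal": operator.eq,
    "Is not equal": operator.ne,
    "Is greater than": operator.gt,
    "Is greater than or equal to": operator.ge,
    "Is less than": operator.lt,
    "Is less than or equal to": operator.le,
}

def items(value):
    # Assumption: elements are compared exactly, with no trimming, so
    # "Canada, UK" yields " UK", which never matches "UK".
    return set(value.split(","))

def satisfied(relationship, prop, comparison=None):
    """Evaluate one policy condition against an Apply To property value."""
    if relationship == "Is null":
        return prop is None
    if relationship == "Is not null":
        return prop is not None
    if prop is None:
        return False  # assumption: null fails every other relationship
    if not isinstance(prop, str):
        return NUMERIC[relationship](prop, comparison)
    if relationship == "Is equal":  # single value or comma-delimited list
        return prop == comparison or prop in items(comparison)
    if relationship == "Is not equal":
        return prop != comparison
    if relationship == "All of":  # every property element is allowed
        return items(prop) <= items(comparison)
    if relationship == "One of":  # at least one property element is allowed
        return bool(items(prop) & items(comparison))
    raise ValueError(f"unsupported string relationship: {relationship}")

def grants_access(record, conditions):
    """Combine conditions with AND, the default described on the page."""
    return all(satisfied(rel, record.get(col), val) for col, rel, val in conditions)

# Constructed sample data.
ALLOWED = "Brazil,Canada,France,Germany,South Africa,UK,USA"
RECORD = {"Region": "Canada,UK", "RiskScore": 3, "ClosedOn": None}
CONDITIONS = [
    ("Region", "All of", ALLOWED),
    ("RiskScore", "Is less than", 5),
    ("ClosedOn", "Is null", None),
]

if __name__ == "__main__":
    print(grants_access(RECORD, CONDITIONS))
```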