Managing hierarchical attributes
An attribute with a specified order of values (hierarchy) is the main attribute type that defines the access level, by being assigned to objects and operators. The value of this attribute can be internally represented by an integer. A simple numeric comparison is made to determine if the subject has access to the object.
You can define the access level with hierarchical attributes in two ways:
- The attribute is represented by a string type property on the object and the user, with
one of the text values: Senior Manager, Manager, or User. To achieve a hierarchy, you define
a set of conditions, for example:
A Operator.SecurityClearance = “Senior Manager” B Operator.SecurityClearance = “Manager” C Operator.SecurityClearance = “User” D .SecurityClearance = “Senior Manager” E .SecurityClearance = “Manager” F .SecurityClearance = “User” The properties then have to be combined with the following logic:
A or (B and (E or F)) or (C and F)
For convenience the hierarchical attributes can be represented by a numeric data type. The attribute values must be mapped to a top-level numeric property on both the object and the subject, for example:
- Senior Manager=1
- Manager=2
- User=3
To determine the access level a single condition with a numeric comparison can be used, for example:
.SecurityClearance >= Operator.SecurityClearance
Previous topic Managing access control policy condition performance Next topic Reviewing access control policies