You are here: Security > Attribute-based access control > Hierarchical attributes

Hierarchical attributes

An attribute with a specified order of values (hierarchy) is the main attribute type that defines the access level, by being assigned to objects and operators. The value of this attribute can be internally represented by an integer. A simple numeric comparison is made to determine if the subject has access to the object.

You can define the access level with hierarchical attributes in two ways:

The attribute is represented by a string type property on the object and the user, with one of the text values: Senior Manager, Manager, or User. To achieve a hierarchy, you define a set of conditions, for example:
1. Operator.SecurityClearance = “Senior Manager”
2. Operator.SecurityClearance = “Manager”
3. Operator.SecurityClearance = “User”
4. .SecurityClearance = “Senior Manager”
5. .SecurityClearance = “Manager”
6. .SecurityClearance = “User”
The properties then have to be combined with the following logic:
A or (B and (E or F)) or (C and F)
For convenience the hierarchical attributes can be represented by a numerical data type. The attribute values must be mapped to a top-level numeric property on both the object and the subject, for example:
- Senior Manager=1
- Manager=2
- User=3
To determine the access level a single condition with a numerical comparison can be used, for example:

.SecurityClearance >= Operator.SecurityClearance

Open topic with navigation