The main condition of attribute-based access control is that the objective is met. The objective holds the condition that decides whether a policy set, policy or rule applies to a user action on an object at all; only then are the additional conditions evaluated and combined with the result according to the specified combination algorithm.
An objective is determined:
On adding a set of policies.
On adding a policy.
On adding a rule.
An objective is a simple logical expression that consists of an attribute, a condition and a value.
To create a logical expression:
Select an object, subject or environment attribute from the Attributes drop-down list.
NOTE. The full list of available attributes and their descriptions is given in the Creating Additional Conditions of Access Check section.
Select a relation operation (=, <>, >, >=, <, <=) from the Condition drop-down list, or the IN operation, which lets several values be assigned to the attribute.
NOTE. The IN operation is available only for the OPERATION environment attribute, which contains the operation performed on the object.
Determine, in the Value field, the value that is compared with the attribute value during the access check. The field is generated according to the data type of the selected attribute:
| Data type | Attributes | Example |
|---|---|---|
| Integer | OBJECT.KEY, OBJECT.CLASS, OPERATION | OBJECT.KEY <> 1020; OPERATION = 16; OPERATION IN 792 |
| String | OBJECT.ID, OBJECT.NAME, OBJECT.DESCRIPTION, OBJECT.PARENT, SUBJECT.NAME, SUBJECT.FULL_NAME, SUBJECT.DESCRIPTION, SUBJECT.GROUPS, SUBJECT.SID, SUBJECT.ISUSER, SUBJECT.MEMBERS | OBJECT.NAME = "Data"; SUBJECT.FULL_NAME = "MANAGER_DMITRIEV_VA" |
| Date | OBJECT.TIMESTAMP, OBJECT.UTC_TIMESTAMP, DATE, TIME, DATE_TIME, UTC_DATE, UTC_TIME, UTC_DATE_TIME | DATE >= 23.07.2018; TIME = 12:30; DATE_TIME <> 23.07.2018 12:30 |
NOTE. For the OBJECT.CLASS attribute the value is the object type. For the OPERATION attribute the value is the code of the operation performed on the object. For the IN operation the value is the sum of the codes of all operations that the attribute may match: for example, 792 = 8 (change permissions) + 16 (delete) + 256 (read descriptor) + 512 (change descriptor).
Example: a policy contains a rule that grants full access to objects whose ATTR custom attribute has the value "open data". The full-access condition is set using the OPERATION environment attribute.
Using objectives is also shown in the example in the Setting Up Attribute-Based Access Control Method section.
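To make the semantics of the expressions in the table concrete (the data-type-dependent value parsing, the restriction of IN to OPERATION, and the bitmask meaning of a summed value such as 792), the following added example evaluates objectives against a request context. It is illustrative code written for this page, not the product's own implementation. It assumes, beyond what the page states, that the request context is a flat dictionary keyed by attribute name, that the OPERATION attribute carries a single operation code, that IN tests bit membership of that code in the summed value, that a custom attribute is addressed by its name (ATTR), and that the objectives of one rule are combined with AND. Only the four operation codes named on the page are used; the product's full list is longer.

```python
"""Evaluator for access-check objectives of the form ATTRIBUTE CONDITION VALUE.

Added example for this page, not the product's own code. Assumptions not stated on
the page: flat dict context, OPERATION holds one code, IN is bitmask membership,
a custom attribute is referenced by its name, a rule's objectives are AND-ed.
"""
import operator
import re
from datetime import datetime

# Data type of each attribute, taken from the documentation table.
INTEGER_ATTRS = {"OBJECT.KEY", "OBJECT.CLASS", "OPERATION"}
DATE_ATTRS = {"OBJECT.TIMESTAMP", "OBJECT.UTC_TIMESTAMP", "DATE", "TIME",
              "DATE_TIME", "UTC_DATE", "UTC_TIME", "UTC_DATE_TIME"}
# Every other attribute (including custom ones such as ATTR) is treated as a string.

# Operation codes named on the page; the product defines more (not listed here).
OP_CHANGE_PERMISSIONS, OP_DELETE, OP_READ_DESCRIPTOR, OP_CHANGE_DESCRIPTOR = 8, 16, 256, 512
# Constructed "full access" mask: the sum of the codes known from the page (= 792).
FULL_ACCESS = OP_CHANGE_PERMISSIONS | OP_DELETE | OP_READ_DESCRIPTOR | OP_CHANGE_DESCRIPTOR

RELATIONS = {"=": operator.eq, "<>": operator.ne, ">": operator.gt,
             ">=": operator.ge, "<": operator.lt, "<=": operator.le}
# Longer operators first so "<>" and ">=" are not cut short by "<" or ">".
EXPR_RE = re.compile(r'^\s*([A-Z_.]+)\s+(IN|<>|>=|<=|=|>|<)\s+(.+?)\s*$')


def parse_value(attr, raw):
    """Convert a textual value to the data type of the attribute it is compared with."""
    raw = raw.strip()
    if attr in INTEGER_ATTRS:
        return int(raw)
    if attr in DATE_ATTRS:
        # Formats used by the page's examples: dd.mm.yyyy, HH:MM, dd.mm.yyyy HH:MM.
        for fmt, pick in (("%d.%m.%Y %H:%M", lambda d: d),
                          ("%d.%m.%Y", lambda d: d.date()),
                          ("%H:%M", lambda d: d.time())):
            try:
                return pick(datetime.strptime(raw, fmt))
            except ValueError:
                continue
        raise ValueError(f"unsupported date/time literal: {raw!r}")
    return raw.strip('"')


def parse_objective(text):
    """Split 'ATTRIBUTE CONDITION VALUE' into its parts, enforcing the IN restriction."""
    m = EXPR_RE.match(text)
    if not m:
        raise ValueError(f"malformed objective: {text!r}")
    attr, cond, raw = m.groups()
    if cond == "IN" and attr != "OPERATION":
        raise ValueError("IN is only defined for the OPERATION environment attribute")
    return attr, cond, parse_value(attr, raw)


def make_context(raw_attrs):
    """Build a request context from textual attribute values (same parsing as values)."""
    return {name: parse_value(name, value) for name, value in raw_attrs.items()}


def evaluate(objective, context):
    """True if the objective is met by the context; a missing attribute never matches."""
    attr, cond, value = parse_objective(objective)
    if attr not in context:
        return False
    actual = context[attr]
    if cond == "IN":
        # value is the sum of permitted operation codes: membership is a bitmask test.
        return actual != 0 and actual & value == actual
    return RELATIONS[cond](actual, value)


def rule_applies(objectives, context):
    """The page's example rule: all objectives must hold (assumed AND combination)."""
    return all(evaluate(obj, context) for obj in objectives)


# Rule from the page's example: full access to objects whose ATTR is "open data".
OPEN_DATA_RULE = ['ATTR = "open data"', f"OPERATION IN {FULL_ACCESS}"]

if __name__ == "__main__":
    # Constructed request: a delete (16) on an object tagged "open data".
    request = make_context({"ATTR": "open data", "OPERATION": "16", "DATE": "01.08.2018"})
    print("rule applies:", rule_applies(OPEN_DATA_RULE, request))
    print("DATE >= 23.07.2018:", evaluate("DATE >= 23.07.2018", request))
```

Note that a code that is not one of the summed bits (an operation the page does not name, or a zero code) is rejected by the IN check, and that an IN condition on any attribute other than OPERATION is refused at parse time rather than silently evaluated.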
See also:
Setting Up Attribute-Based Access Control Method | Creating Additional Conditions of Access Check