Creating Additional Conditions of Access Check

When the attribute-based access control method is used, additional access check conditions can be set in each policy rule.

To create additional conditions of access check:

  1. Select a rule.

The rule properties, including the additional access check conditions, are displayed in the right part of the window:

  2. Set the additional access check conditions as a logical expression in one of the following ways:

To open the dialog box, click the button:

After executing one of the actions, the Create Condition dialog box opens:

To create an expression, see the Creating Formulas and Expressions section.

NOTE. The specified expression is displayed in the Condition field and in the Create Condition dialog box regardless of how the expression was created.

After executing the actions, the additional conditions to check access will be set.

Available Attributes

The system and custom attributes defined for attribute-based access control are available for creating expressions.

System attributes, whose values can be obtained from information stored in the system, are divided into the following groups:

  • Object attributes

  • Subject attributes

  • Environment attributes

Features of MDM Dictionary Element Attribute

To control access permissions to the elements of a table MDM dictionary, use the object attribute in the form OBJECT.ELEMENT.<attribute identifier>. Element attribute identifiers are listed on the Attributes tab when the dictionary is opened for editing.

NOTE. The element attribute can be set only in the additional condition of a rule.

For details see the Access Permissions for MDM Dictionary Elements section.

Basic Functions

To create an expression, system functions and the ABAC functions are used:

For each function, the name, the syntax and parameters, and a description are given below.
Count

Syntax. ABAC.Count(<argument>).

Parameters. Set as argument:

  • Subject custom attribute (SUBJECT.<Attribute identifier>).

  • Object custom attribute (OBJECT.<Attribute identifier>).

  • List of groups that include the user (SUBJECT.GROUPS).

The Count method returns the number of values in the custom attribute array of the subject or object, the number of groups that include the user, or the number of users in a group.

Examples:

  1. ABAC.Count(OBJECT.ATTR)

The method returns the number of values in the custom attribute array of the object with the ATTR identifier.

  2. ABAC.Count(SUBJECT.GROUPS)

The method returns the number of groups that include the user.

Is_Empty

Syntax. ABAC.Is_Empty(<argument>).

Parameters. Set as argument:

  • Subject custom attribute (SUBJECT.<Attribute identifier>).

  • Object custom attribute (OBJECT.<Attribute identifier>).

The Is_Empty method checks whether the custom attribute of the subject or object contains a value and returns:

  • True. The custom attribute of the subject or object contains an empty value.

  • False. The custom attribute of the subject or object does not contain an empty value.

Examples:

  1. ABAC.Is_Empty(OBJECT.ATTR_OBJ)

The method returns True if the custom attribute of the object with the ATTR_OBJ identifier contains an empty value, otherwise False.

  2. ABAC.Is_Empty(SUBJECT.ATTR_USER)

The method returns True if the custom attribute of the subject with the ATTR_USER identifier contains an empty value, otherwise False.

Interseca

Syntax. ABAC.Interseca(<argument_1>,..., <argument_n>), where n is the number of specified arguments.

Parameters. Set as arguments:

  • Numeric or string value.

  • Value or value array of a subject custom attribute (SUBJECT.<Attribute identifier>).

  • Value or value array of an object custom attribute (OBJECT.<Attribute identifier>).

NOTE. At least one of the specified arguments must be a value array.

The Interseca method searches for values common to all the specified arguments and returns:

  • True. Common values of the specified arguments are found.

  • False. Common values of the specified arguments are not found.

Examples:

  1. ABAC.Interseca(OBJECT.ATTR_1, SUBJECT.ATTR_2, 3.3)

The method returns True if both the value array of the object custom attribute with the ATTR_1 identifier and the value array of the subject custom attribute with the ATTR_2 identifier contain the value 3.3, otherwise False.

  2. ABAC.Interseca(SUBJECT.ATTR_3, OBJECT.ATTR_4)

The method returns True if the value array of the subject custom attribute with the ATTR_3 identifier and the value array of the object custom attribute with the ATTR_4 identifier contain common values, otherwise False.

Intersecc

Syntax. ABAC.Intersecc("<attribute property>", <argument_1>,..., <argument_n>), where n is the number of specified arguments.

Parameters.

Attribute property. The property by which collection attributes are filtered. The attribute property is the part written to the right of the dot; for example, NAME is one of the properties of the SUBJECT.NAME attribute.

Arguments. Set as arguments:

  • Numeric or string value.

  • Value or value array of a subject custom attribute (SUBJECT.<Attribute identifier>).

  • Value or value array of an object custom attribute (OBJECT.<Attribute identifier>).

  • List of groups that include the user (SUBJECT.GROUPS).

The Intersecc method searches for values common to the specified arguments, comparing them by the specified attribute property, and returns:

  • True. Common values of the specified arguments by the specified attribute property are found.

  • False. Common values of the specified arguments by the specified attribute property are not found.

Examples:

  1. ABAC.Intersecc("NAME", SUBJECT.GROUPS, "ADMIN")

The method returns True if the group name ADMIN matches one of the names in the list of groups that include the user, otherwise False.

  2. ABAC.Intersecc("NAME", SUBJECT.GROUPS, OBJECT.ATTR)

The method returns True if the list of groups that include the user and the value array of the object attribute with the ATTR identifier contain at least one matching group name, otherwise False.

FindAttr

Syntax. ABAC.FindAttr("<attribute property>", <subject attribute>, <searched value>, "<found attribute property>").

Parameters.

Attribute property. The property by which collection attributes are filtered. The attribute property is the part written to the right of the dot; for example, NAME is one of the properties of the SUBJECT.NAME attribute.

Subject attribute. The list of groups that include the user (SUBJECT.GROUPS) is set as the attribute.

Searched value. A numeric or string value that is matched against the specified attribute property.

Found attribute property. The property of the found attribute whose value is to be returned.

The FindAttr method searches for an attribute by the specified property in the list of groups that include the user or in the list of users in a group. It returns the value of the specified property of the found attribute.

Examples:

  1. ABAC.FindAttr("NAME", SUBJECT.GROUPS, "ADMIN", "NAME")

The method returns ADMIN if the list of groups that include the user contains the group name ADMIN.

  2. ABAC.FindAttr("NAME", SUBJECT.GROUPS, "ADMIN", "SID")

The method returns the SID of the ADMIN group if the list of groups that include the user contains the group name ADMIN.
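
The following Python model of the five ABAC functions is an added example, not the product's own code: it reimplements the documented semantics over constructed subject and object attributes, and assumes that each SUBJECT.GROUPS entry is a record with NAME and SID properties (the SID values are constructed).

```python
# Added example, not the product's own code: a Python model of the ABAC functions
# documented above, run over constructed subject/object attributes. Assumption:
# each SUBJECT.GROUPS entry is a record with NAME and SID properties.

SUBJECT = {                                       # constructed sample user
    "ATTR_USER": [],                              # custom attribute holding no value
    "ATTR_3": [10, 20, 30],
    "GROUPS": [{"NAME": "ANALYSTS", "SID": "S-1-5-21-0-0-0-1101"},   # SIDs constructed
               {"NAME": "ADMIN", "SID": "S-1-5-21-0-0-0-512"}],
}
OBJECT = {                                        # constructed sample resource
    "ATTR": ["ADMIN", "AUDIT"],                   # group names allowed on this object
    "ATTR_1": [1.5, 3.3],
    "ATTR_4": [30, 40],
}

def _as_list(value):
    # A scalar argument is treated as a one-element array; None as an empty one.
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]

def _project(prop, value):
    # Reduce collection records to the named property; plain values pass through.
    return [v.get(prop) if isinstance(v, dict) else v for v in _as_list(value)]

def count(arg):                 # ABAC.Count
    return len(_as_list(arg))

def is_empty(arg):              # ABAC.Is_Empty
    return count(arg) == 0

def interseca(*args):           # ABAC.Interseca: a value common to ALL arguments
    if not any(isinstance(a, (list, tuple, set)) for a in args):
        raise ValueError("at least one argument must be a value array")
    return len(set.intersection(*(set(_as_list(a)) for a in args))) > 0

def intersecc(prop, *args):     # ABAC.Intersecc: compare records by one property
    return len(set.intersection(*(set(_project(prop, a)) for a in args))) > 0

def find_attr(prop, groups, searched, found_prop):   # ABAC.FindAttr
    for group in _as_list(groups):
        if group.get(prop) == searched:
            return group.get(found_prop)
    return None

def rule_condition(subject, obj):
    # An additional rule condition: the user is in one of the object's allowed groups.
    return not is_empty(obj["ATTR"]) and intersecc("NAME", subject["GROUPS"], obj["ATTR"])
```

A rule whose condition is `rule_condition(SUBJECT, OBJECT)` grants access only when the object names at least one group and the user belongs to one of them, which is the check the Intersecc example above expresses.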

See also:

Setting Up Attribute-Based Access Control Method | Adding Access Check Rules and Policies