The main condition of attribute-based access control is fulfilling the objective. The objective contains the condition for further access control of user actions on objects using the specified combination algorithm, and it is compared with the result of additional conditions.
Determine an objective on updating:
An objective is a simple logical expression that consists of an attribute, a condition and a value.
To create a logical expression:
Select an object, subject or environment attribute from the Attributes drop-down list.
NOTE. The full list of available attributes and their descriptions is given in the Creating Additional Conditions of Access Check section.
Select a relational operation or the IN operation.
NOTE. The IN operation is used only for the OPERATION environment attribute, which contains operations on an object. Before using the attribute with the IN operation, see its features.
In the Value field, specify the value that will be compared with the attribute value during the access check. The field is generated according to the data type of the selected attribute.
The objective for the OPERATION environment attribute can be set in two ways:
Select the main operation with the object from the drop-down list in the Value box.
Enter the code of a specific operation with the object in the Value box. Lists of specific operation codes are contained in the Metabase enumerations.
Features of using the IN operation with the OPERATION attribute:
If the attribute value contains operation code 1, 2 or 4, the child operations are included automatically. For example, when the objective is set to OPERATION IN 2, all child read operations are included: read descriptor, read parameters, read metadata, additional print, export operations, specific operations.
Several operation codes can be set in the attribute value as a sum. For example, when the objective is set to OPERATION IN 792, the attribute value contains the sum of the codes of the operations to be covered. The sum 792 is obtained from: 8 - modify permissions, 16 - delete, 256 - read descriptor, 512 - modify descriptor.
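The sum-of-codes rule above, as an added example that is not part of the product or its documentation: a Python sketch for policy review that splits an OPERATION IN value into its individual codes and checks whether a given operation is covered. It assumes the codes are distinct powers of two combined as a bitmask, labels only the codes named on this page, and uses hypothetical function names.

```python
# Added example, not product code. Only codes named on the page are labelled.
KNOWN_CODES = {
    2: "read",  # page: OPERATION IN 2 includes all child read operations
    8: "modify permissions",
    16: "delete",
    256: "read descriptor",
    512: "modify descriptor",
}
# Codes 1, 2 and 4 pull in child operations automatically. The page gives a
# code for only one child: read descriptor (256), a child of read (2).
PARENT_CODES = {1, 2, 4}
KNOWN_CHILDREN = {2: {256}}


def decompose(value):
    """Split a summed OPERATION value into its single-bit operation codes."""
    if not isinstance(value, int) or value <= 0:
        raise ValueError("operation value must be a positive integer")
    return [1 << bit for bit in range(value.bit_length()) if (value >> bit) & 1]


def describe(value):
    """Return (code, label, expands_children) for every code in the sum."""
    return [
        (code, KNOWN_CODES.get(code, "not named on the page"), code in PARENT_CODES)
        for code in decompose(value)
    ]


def covers(value, operation_code):
    """True if OPERATION IN <value> includes operation_code, either directly
    or as a known child of a parent code (1, 2 or 4) present in the sum."""
    codes = set(decompose(value))
    if operation_code in codes:
        return True
    parents = codes & PARENT_CODES
    return any(operation_code in KNOWN_CHILDREN.get(p, ()) for p in parents)


if __name__ == "__main__":
    for value in (792, 2):  # the two values used as examples on the page
        print(f"OPERATION IN {value}")
        for code, label, expands in describe(value):
            note = " (+ child operations)" if expands else ""
            print(f"  {code:>4}  {label}{note}")
```

When reviewing a policy, decoding each summed value this way shows at a glance whether an objective also grants operations such as modify permissions or delete.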
The policy contains a rule allowing full access to objects whose ATTR custom attribute has the "open data" value. The full access condition is set using the OPERATION environment attribute.
The use of objectives is also shown in the example of setting up the attribute-based access control method.
See also:
Setting Up Attribute-Based Access Control Method | Creating Additional Conditions of Access Check