Access Control Check Objective

Fulfilling the objective is the main condition of attribute-based access control. The objective contains the condition for further control of user actions on objects using the specified combination algorithm, and it is compared with the result of executing the additional conditions.

Determine an objective on updating:

An objective is a simple logical expression that consists of an attribute, condition and value.

To create a logical expression:

  1. Select an attribute of the object, subject or environment from the Attributes drop-down list.

NOTE. The full list of available attributes and their descriptions is given in the Creating Additional Condition of Access Check section.

  2. Select a relation operation or the IN operation.

NOTE. The IN operation is used only for the OPERATION environment attribute, which contains operations on an object. Before using the attribute with the IN operation, see Features of Use of the OPERATION Attribute and the IN Operation.

  3. In the Value field, specify the value that will be compared with the attribute value during the access check. The field is generated according to the data type of the selected attribute.

Features of Use of the OPERATION Attribute and the IN Operation

The purpose for the OPERATION environment attribute is set by two methods:

Features of the IN operation use with the OPERATION attribute:

Example

The policy contains a rule allowing full access to objects that have the "open data" value of the ATTR custom attribute. The full access condition is set using the OPERATION environment attribute.
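The following Python model of an objective check is an added example, not the product's own code. The operator symbols, the operation names READ, WRITE and DELETE, the requirement that both expressions hold, and the fail-closed handling of missing or incomparable attributes are assumptions made for illustration.

```python
import operator
from dataclasses import dataclass

# Relation operations; the symbols are assumed, not the product's own list.
RELATIONS = {"=": operator.eq, "<>": operator.ne, "<": operator.lt,
             "<=": operator.le, ">": operator.gt, ">=": operator.ge}


@dataclass(frozen=True)
class Objective:
    attribute: str   # attribute of the object, subject or environment
    operation: str   # a relation operation or "IN"
    value: object    # value compared with the attribute value

    def __post_init__(self):
        if self.operation == "IN":
            # IN is used only for the OPERATION environment attribute.
            if self.attribute != "OPERATION":
                raise ValueError("IN is valid only for the OPERATION attribute")
            if not isinstance(self.value, (set, frozenset, list, tuple)):
                raise ValueError("IN requires a collection of operations")
        elif self.operation not in RELATIONS:
            raise ValueError(f"unknown operation: {self.operation!r}")


def fulfilled(objective, attributes):
    """Return True only when the expression holds for the given attributes."""
    if objective.attribute not in attributes:
        return False  # assumed: a missing attribute never fulfils an objective
    actual = attributes[objective.attribute]
    try:
        if objective.operation == "IN":
            return actual in objective.value
        return bool(RELATIONS[objective.operation](actual, objective.value))
    except TypeError:
        return False  # assumed: incomparable types never fulfil an objective


# Constructed expressions modelled on the rule above.
OPEN_DATA = Objective("ATTR", "=", "open data")
FULL_ACCESS = Objective("OPERATION", "IN", frozenset({"READ", "WRITE", "DELETE"}))


def rule_matches(attributes):
    # Assumed: the rule applies only when both expressions are fulfilled.
    return fulfilled(OPEN_DATA, attributes) and fulfilled(FULL_ACCESS, attributes)
```

Rejecting IN for any attribute other than OPERATION at construction time keeps a mistyped rule from silently never matching or matching too broadly.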

The use of objectives is also given in the example for attribute access control method setup.

See also:

Setting Up Attribute-Based Access Control Method | Creating Additional Condition of Access Check