Creating Additional Condition of Access Check

When the attribute-based access control method is used, an additional access check condition can be set in each policy rule. The additional condition is evaluated only if the access check objective of the rule matches, and its result is taken into account when the rule effect is determined.

To create an additional condition of access check:

  1. Select the rule. After executing the operation, the rule properties are displayed.

The additional access control check condition is in the Condition field:

  2. Click the button in the Condition field. After executing the operation, the Create Condition dialog box opens:

  3. Set the additional access check condition as a logical expression. To create an expression, use attributes (operands), functions and operators.

For details see the Creating Formulas and Expressions section.

  4. Click the OK button.

After executing the actions, the additional access check condition is set, and its result is taken into account when the rule effect is determined. The specified expression is displayed in the Condition box.

To edit an additional access check condition:

NOTE. If the expression is incorrect, the box is highlighted in red.

After executing the actions, the expression is modified in the Condition box and in the Create Condition dialog box.

Available Attributes

To create an expression, the system and custom attributes defined in attribute-based access control are available.

System attributes, whose values are obtained from information stored in the system, are divided into groups:

Object attributes

Subject attributes

Environment attributes

Features of MDM Dictionary Element Attribute

To control access permissions to MDM dictionary elements, use the object attribute in the form OBJECT.ELEMENT.<attribute identifier>. Element attribute identifiers are listed on the Attributes tab when the dictionary is opened for editing.

NOTE. The element attribute can be set only in the additional condition of a rule.

If the MDM dictionary elements form a hierarchy, then when access permissions are applied to child elements, the parent element must be excluded in the additional access check condition. Exclude the parent element using the KEY element attribute as a comparison condition: OBJECT.ELEMENT.KEY > <parent element key>.

For example, an MDM dictionary contains a parent element with key 0 and seven child elements with keys 1, 2, 3, 4, 5, 6, 7. To deny access to the child elements whose key is less than 5, the condition must also exclude the parent element with key 0; otherwise a Deny rule whose condition only tests KEY < 5 matches the parent element as well, and the whole branch becomes unavailable.

With this condition applied, the parent element remains available and contains the child elements with keys 5, 6, 7. The child elements with keys 1, 2, 3, 4 are unavailable.
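The following is an added example, not code from the product documentation. It models the two points made above in runnable form: the additional condition is evaluated only after the rule's access check objective (target) matches and it feeds into the rule effect, and in a hierarchical MDM dictionary a Deny rule whose condition only tests KEY < 5 also hits the parent element with key 0, so the parent must be excluded with OBJECT.ELEMENT.KEY > 0. The rule structure, the deny-overrides combining, the "a denied parent hides its subtree" behaviour and the Python lambdas standing in for the product's expression language are assumptions of this example; the sample dictionary is constructed.

```python
"""Added example: ABAC rule with an additional condition over MDM dictionary
elements. The evaluator, combining algorithm and expression syntax below are
this example's own assumptions, not the product's formula language."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

Context = Dict[str, dict]


@dataclass(frozen=True)
class Element:
    key: int
    parent: Optional[int]  # None for the top-level (parent) element


@dataclass
class Rule:
    name: str
    effect: str                                   # "Permit" or "Deny"
    target: Callable[[Context], bool]             # access check objective
    condition: Callable[[Context], bool] = lambda ctx: True  # additional condition


def rule_effect(rule: Rule, ctx: Context) -> str:
    """The additional condition is evaluated only after the target matched;
    the rule's effect is returned only when both are True."""
    if not rule.target(ctx):
        return "NotApplicable"
    if not rule.condition(ctx):
        return "NotApplicable"
    return rule.effect


def decide(rules: List[Rule], ctx: Context, default: str = "Permit") -> str:
    """Deny-overrides combining of rule results (assumption of this example)."""
    results = {rule_effect(r, ctx) for r in rules}
    if "Deny" in results:
        return "Deny"
    if "Permit" in results:
        return "Permit"
    return default


def element_ctx(element: Element, subject: dict) -> Context:
    """Attribute context using the page's naming: OBJECT.ELEMENT.KEY, SUBJECT, ENVIRONMENT."""
    return {
        "OBJECT": {"TYPE": "MDMElement", "ELEMENT": {"KEY": element.key}},
        "SUBJECT": subject,
        "ENVIRONMENT": {},
    }


def visible_keys(dictionary: List[Element], rules: List[Rule], subject: dict) -> Set[int]:
    """Keys the subject can reach. Assumption: an element is reachable only if
    it and every ancestor are permitted, so a denied parent hides its subtree."""
    by_key = {e.key: e for e in dictionary}
    visible: Set[int] = set()
    for element in dictionary:
        chain, cur = [], element
        while cur is not None:
            chain.append(cur)
            cur = by_key[cur.parent] if cur.parent is not None else None
        if all(decide(rules, element_ctx(c, subject)) == "Permit" for c in chain):
            visible.add(element.key)
    return visible


# Constructed sample: parent element with key 0 and seven children with keys 1..7.
DICTIONARY = [Element(0, None)] + [Element(k, 0) for k in range(1, 8)]
ANALYST = {"ROLE": "Analyst"}          # subject the rule targets
ADMIN = {"ROLE": "Administrator"}      # subject outside the rule's target


def is_analyst_on_element(ctx: Context) -> bool:
    """Access check objective: the rule applies to analysts reading MDM elements."""
    return ctx["OBJECT"]["TYPE"] == "MDMElement" and ctx["SUBJECT"]["ROLE"] == "Analyst"


# Naive condition: KEY < 5 also matches the parent (key 0), hiding the whole branch.
NAIVE_DENY = Rule(
    "deny keys below 5 (naive)", "Deny", is_analyst_on_element,
    condition=lambda ctx: ctx["OBJECT"]["ELEMENT"]["KEY"] < 5,
)

# Correct condition: OBJECT.ELEMENT.KEY > <parent element key> AND KEY < 5.
PARENT_KEY = 0
CORRECT_DENY = Rule(
    "deny keys below 5 (parent excluded)", "Deny", is_analyst_on_element,
    condition=lambda ctx: PARENT_KEY < ctx["OBJECT"]["ELEMENT"]["KEY"] < 5,
)

if __name__ == "__main__":
    print("naive:  ", sorted(visible_keys(DICTIONARY, [NAIVE_DENY], ANALYST)))    # []
    print("correct:", sorted(visible_keys(DICTIONARY, [CORRECT_DENY], ANALYST)))  # [0, 5, 6, 7]
    print("admin:  ", sorted(visible_keys(DICTIONARY, [CORRECT_DENY], ADMIN)))    # [0, 1, ..., 7]
```

The check worth keeping from this model: before saving a Deny rule on a hierarchical dictionary, evaluate the condition against the parent element's key as well as the children's; if it returns True for the parent, the rule hides more than intended.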

To apply access permissions restriction to MDM dictionary elements, see the Access Permissions for MDM Dictionary Elements section.

Basic Functions

To create an expression, the following categories of system functions are used:

Arithmetical

Attribute-based access control

All functions

Logical

Transformations

Other

Text

Custom functions

NOTE. This category is available only in the desktop application, and only if custom functions have been connected to the expression editor. For details see the Connecting Custom Functions section.

See also:

Setting Up Attribute-Based Access Control Method | Adding Access Check Rules and Policies