When the attribute-based access control method is used, an additional access check condition can be set in each policy rule. Whether the additional condition is evaluated depends on the result of the access control check objective, and the condition's result is taken into account when the rule effect is determined.
To create an additional condition of access check:
Select a rule. The rule properties are displayed.
The additional access check condition is set in the Condition field:
In the desktop application: in the right part of the security manager dialog box.
In the web application: in the Properties side panel.
Click the button. The Create Condition dialog box opens:
Set the additional access check condition as a logical expression. To create the expression, use attributes (operands), functions and operators.
For details, see the Creating Formulas and Expressions section.
Click the OK button.
After these actions, the additional access check condition is set, and its result is taken into account when the rule effect is determined. The specified expression is displayed in the Condition box.
To edit the additional access check condition:
Use the Condition box. The expression is edited manually.
NOTE. If the expression is incorrect, the box is highlighted in red.
Use the Create a Condition dialog box. The expression is edited in the same way as during creation.
After these actions, the expression is modified in the Condition box and in the Create a Condition dialog box.
The system and custom attributes contained in the attribute-based access control are available for creating an expression.
System attributes, for which a value can be obtained from information stored in the system, are divided into groups:
To control access permissions to MDM dictionary elements, use the object attribute in the form OBJECT.ELEMENT.<attribute identifier>. Element attribute identifiers are shown on the Attributes tab when the dictionary is opened for editing.
NOTE. The element attribute can be set only in the additional condition of a rule.
If MDM dictionary elements form a hierarchy, then when access permissions are applied to child elements, the parent element must be excluded in the additional access check condition. Exclude the parent element using the KEY element attribute in the comparison condition OBJECT.ELEMENT.KEY > <parent element key>.
For example, an MDM dictionary contains a parent element with key 0 and seven child elements with keys 1, 2, 3, 4, 5, 6 and 7. When access is denied to child elements whose key is less than 5, the condition must also exclude the parent element with key 0.
After the condition is applied, the parent element remains available and contains the child elements with keys 5, 6 and 7. The child elements with keys 1, 2, 3 and 4 are unavailable.
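The parent-exclusion case above, worked through as an added illustration (not the product's own condition engine): a small evaluator that validates a condition expression, rejects incorrect ones the way the red-highlighted box would, and applies a Deny rule with and without the OBJECT.ELEMENT.KEY > 0 clause over a constructed dictionary with keys 0 to 7. The expression syntax (AND/OR keywords, the combined condition) and the sample keys are assumptions made for the example.

```python
import ast

# Constructed sample dictionary: parent element with key 0, children with keys 1..7
SAMPLE_KEYS = [0, 1, 2, 3, 4, 5, 6, 7]

# Attribute name taken from the text; mapped to a single Python name for evaluation
ATTRIBUTE = "OBJECT.ELEMENT.KEY"

# Only comparison and boolean nodes are accepted; calls, attributes, subscripts are not
_ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not,
            ast.Compare, ast.Name, ast.Constant, ast.Load,
            ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.Eq, ast.NotEq)

def compile_condition(expr: str):
    """Turn a condition string into a callable key -> bool.

    Raises ValueError for an incorrect expression (the UI shows the box in red)
    or for any construct outside the whitelist above."""
    py = (expr.replace(ATTRIBUTE, "key")
              .replace(" AND ", " and ").replace(" OR ", " or "))
    try:
        tree = ast.parse(py, mode="eval")
    except SyntaxError as e:
        raise ValueError(f"incorrect expression: {expr!r}") from e
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError(f"unsupported construct in expression: {expr!r}")
        if isinstance(node, ast.Name) and node.id != "key":
            raise ValueError(f"unknown attribute in expression: {node.id!r}")
    code = compile(tree, "<condition>", "eval")
    # Builtins are stripped; the whitelist already guarantees only key comparisons remain
    return lambda key: bool(eval(code, {"__builtins__": {}}, {"key": key}))

def apply_deny_rule(condition: str, keys=SAMPLE_KEYS) -> dict:
    """Evaluate a Deny rule with the given additional condition over every element.

    Returns {key: 'deny' | 'allow'}: the rule effect applies only where the condition holds."""
    holds = compile_condition(condition)
    return {k: ("deny" if holds(k) else "allow") for k in keys}

# Assumed conditions for the example in the text
NAIVE = "OBJECT.ELEMENT.KEY < 5"                                    # also denies the parent (key 0)
WITH_PARENT_EXCLUDED = "OBJECT.ELEMENT.KEY < 5 AND OBJECT.ELEMENT.KEY > 0"

if __name__ == "__main__":
    print("naive:   ", apply_deny_rule(NAIVE))
    print("excluded:", apply_deny_rule(WITH_PARENT_EXCLUDED))
```

With the naive condition the parent itself is denied, which hides the whole branch; with the KEY > 0 clause the parent stays available and only children 1 to 4 are denied.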
To apply access permission restrictions to MDM dictionary elements, see the Access Permissions for MDM Dictionary Elements section.
The following categories of system functions are used to create an expression:
Attribute-based access control
NOTE. The category is available only in the desktop application, and only if custom functions are connected to the expression editor. For details, see the Connecting Custom Functions section.
See also:
Setting Up Attribute-Based Access Control Method | Adding Access Check Rules and Policies