Creating Additional Condition of Access Check

After executing the operations, additional condition of access check is set, its result is taken into account on determining rule effect. The specified expression will be displayed in the Condition box.

After executing the actions, the expression will be modified in the Condition box and in the Create a Condition dialog box.

Available Attributes

System attributes, for which a value based on information stored in the system, can be obtained, are divided into groups:

Attributes contained into objects:

Attribute	Description	Data type
OBJECT.KEY	Key. Object key.	Integer
OBJECT.ID	Identifier. Object identifier.	String
OBJECT.NAME	Name. Object name.	String
OBJECT.CLASS	Class. Object typeis set up in repository.	Integer
OBJECT.DESCRIPTION	Description. Object description.	String
OBJECT.TIMESTAMP	Time marker. Date and time of object modification.	Date
OBJECT.PARENT	Parent. Object parent. It is set with the object attribute property definition for example, OBJECT.PARENT.ID.	Depending on the attribute property data type
OBJECT.UTC_TIMESTAMP	Time marker in UTC. Date and time in UTC.	Date
OBJECT.<attribute identifier>	Custom attribute. Attributes added for objects.	Depending on the data type of added attribute values

Attributes of users or groups of users:

Attribute	Description	Data type
SUBJECT.NAME	Name. User name.	String
SUBJECT.FULL_NAME	Full Name. Full name of user.	String
SUBJECT.DESCRIPTION	Description. User description.	String
SUBJECT.GROUPS	Groups. The list of groups of users to which the user belongs. NOTE. The attribute is used only to create an additional condition.	IABACAttributeInstances
SUBJECT.SID	Security identifier. User SID.	String
SUBJECT.ISUSER	User. It determines security subject: True. User is a subject. False. Group of users is a subject.	Logical
SUBJECT.ISADMIN	Administrator. It determines the user inside the group of administrators: True. User is included in the group of administrators. False. User is not included in the group of administrators.	Logical
SUBJECT.<attribute identifier>	Custom attribute. Attributes added for users and groups of users.	Depending on the data type of added attribute values

Attributes of workstation, current date and time:

Attribute	Description	Data type
OPERATION	Operation. Operation with object.	Integer
DATE	Current date.	Date
TIME	Current time.	Date
DATE_TIME	Current time and date.	Date
UTC_DATE	Current date in UTC.	Date
UTC_TIME	Current time in UTC.	Date
UTC_DATE_TIME	Current time and date in UTC.	Date

Features of MDM Dictionary Element Attribute

To control access permissions to MDM dictionary elements, use the object attribute as OBJECT.ELEMENT.<attribute identifier>. Element attribute identifiers are located on the Attributes tab on opening an MDM dictionary for edit.

NOTE. The element attribute is set only in the rule additional condition. When creating a condition, one can use only system and general attributes without multiple values.

If MDM dictionary elements have hierarchy, then on applying access control permissions to child elements, it is required to exclude parent element in additional condition of access check. Exclude parent element using the KEY element attribute as the comparison condition OBJECT.ELEMENT.KEY > <parent element key>.

For example, MDM dictionary contains parent element with the 0 key and seven child elements with the 1,2,3,4,5,6,7 keys. When access is denied to child elements which key is less than 5, the condition must take into account exclusion of parent element with the 0 key:

After executing the condition, the parent element will be available containing child elements with the 5,6,7 keys. Child elements with the 1,2,3,4 keys will be unavailable.

Basic Functions

Available functions:

Abs. It returns the absolute value (modulus) of a real number.
AbsI. It returns the absolute value (modulus) of an integer number.
Average. It returns arithmetic mean of real number array.
AverageI. It returns arithmetic mean of integer number array.
Cos. It returns the cosine of the specified angle.
Exp. It returns the result of raising the number "e" to the specified power.
Floor. It returns the result of real number rounding up to the nearest multiple of significance with a lack.
FloorI. It returns the result of integer number rounding up to the nearest multiple of significance with a lack.
Int. It returns the result of specified value rounding to the nearest smaller integer.
Ln. It returns the natural logarithm of the specified number.
Log. It returns the number logarithm based on the specified base.
Log10. It returns the base-10 logarithm of the specified number.
Max. It returns the greatest value from the specified array of real numbers.
MaxI. It returns the greatest value from the specified array of integer numbers.
Min. It returns the minimum value from the specified array of real numbers.
MinI. It returns the minimum value from the specified array of integer numbers.
Power. It returns the result of raising a real number to real power.
PowerI. It returns the result of raising an integer number to integer power.
Rand. It returns the uniform distributed random number from the [0; 1) range.
RandBetween. It returns a random real number between two specified numbers
Round. It returns the result of rounding a number to the specified number of decimal places.
RoundDown. It returns the result of rounding the number to the nearest value smaller in modulus.
RoundUp. It returns the result of rounding the number to a nearest value greater in modulus.
Sin. It returns the sine of the specified angle.
Sqrt. It returns the square root of the specified number.
Tan. It returns the tangent of the specified angle.
Trunc. It returns the result of truncated number to the specified number of decimal places.

Available functions:

Count. It returns the number of values in the custom attribute array of subject or object and the number of groups where the user is included.
FindAttr. It searches attribute by the specified property in the list of groups where the user is included and it returns value of the found attribute specified property.
Interseca. It searches for common values of compared arguments and returns True or False.
Intersecc. It searches for common values of compared arguments by specified property and returns True or False.
Is_Empty. It determines whether a value of subject or object custom attribute is empty and it returns True or False.

The category contains functions list of all categories.

Available functions:

Sign. It returns the symbol before specified real number.
SignI. It returns the symbol before specified integer number.

Available functions:

Sum. It returns the sum of elements of the specified array of real numbers.
SumI. It returns the sum of elements of the specified array of integer numbers.
SumSq. It returns the sum of elements squares of the specified array of real numbers.

Available function:

Pi. It returns Pi mathematical constant (3,14159265358979), accurate to 14 digits.

Available functions:

ASCII. It returns ASCII code for the first symbol of the specified string.
Chr. It returns character corresponding to the specified ASCII code.
Contains. It returns whether the required substring is in the source string.
EndsWith_. It returns whether the source string ends with the required substring.
Find. It returns substring position index in string.
Left. It returns the specified number of characters from the left end of a text string.
Length_. It returns the number of characters in the specified string.
Max_. It returns minimum of the two strings by means of characterwise comparison.
Mid. It returns a substring of the specified length that starts with the specified position of source string.
Min_. It returns minimum of the two strings by means of characterwise comparison.
Replace. It returns a string, in which all occurrences of the specified substring are replaced with the specified string.
Right. It returns the specified number of characters from the left end of a text string.
Space. It returns a string consisting of specified number of spaces.
StartsWith_. It returns whether a source string starts with the searched substring.
ToLower. It returns the specified string transformed into low case.
ToUpper. It returns the specified string transformed into low case.
Trim. It returns a string with deleted spaces at the beginning and at the end.
TrimEnd. It returns a string with deleted spaces at the end of the string.
TrimStart. It returns a string with deleted spaces at the beginning of the string.

The category contains the list of connected functions.

NOTE. The category is available only in the desktop application, if custom functions were connected to the expression editor. For details see the Connecting Custom Functions section.