Adding Access Check Rules and Policies

To add access check rules and policies, use the Attribute-Based Access Control section on the navigation panel.

NOTE. When roles of information security administrator and application administrator are separated, the Attribute-Based Access Control tab is available only for information security administrator. Attribute-base access control structure creation (attribute addition, policy and rules editing) is controlled by the system and it is available to administrator with Changing User Permissions, Distributing Roles, Changing Policy or Change Security Mark and List of Control Access of Any Object privileges.

The section is based on the attribute-based access control method, it is used to create access check rules with necessary conditions. The system checks whether a user can execute a specific action on an object and/or data segment through an attribute check.

Make sure that the Use Attribute-Based Access Control checkbox is used in the access control.

The section contains a structure of attribute-based access control that consists in the elements hierarchy:

IMPORTANT. If attribute-based access control structure is not specified, all operations with objects are denied.

To add a policies set:

In the web application:

Select the policies set in the Attribute-Based Access-Control list policies hierarchy.

Click the Create button in the toolbar.
Select the Add Set item in the drop-down menu of the Create button.

Select the existing policies set in the list hierarchy:

Select the Add Set item in the drop-down menu of the Create button.

In the desktop application:

Select the policies set in the Attribute-Based Access-Control list policies hierarchy:

Click the Add button
Select the Add Set item in the drop-down list of the Add button.

Select the existing policies set in the list hierarchy:

Select the Add Set item in the drop-down list of the Add button.

After executing one of the actions, the set of policies for the selected element in the list hierarchy will be added. Set properties of a policies set on the Properties side panel in the web application or in the right part of the security manager in the desktop application.

To add a policy, select the existing policies set in the list hierarchy:

In the web application:

Click the Create button in the toolbar.
Select the Add Policy item in the drop-down menu of the Create button.

In the desktop application:

Click the Add button
Select the Add Policy item in the drop-down menu of the Add button.

After executing one of the operations, the policy will be added for the selected policies set. Set properties of a policies set on the Properties side panel in the web application or in the right part of the security manager in the desktop application.

To add a rule, select the existing policy in the list hierarchy:

In the web application:

Click the Create button in the toolbar.
Select the Add Rule item in the drop-down menu of the Create button.

In the desktop application:

Click the Add button
Select the Add Rule item in the drop-down list of the Add button

After executing one of the operations, the rule for the selected policy will be added. Set properties of a policies set on the Properties side panel in the web application or in the right part of the security manager in the desktop application.

For attribute-base access control, selected policies set, policy, rule, set properties determining access to objects and/or data segments, in the right part of the security manager of the desktop application or on the Properties side panel in the web application.

Properties description:

Name. The name that unites the policies set, policies and rules.
Objective. A condition for further checking of user action access to object.

IMPORTANT. If rule is added, the field is mandatory. When policies set and policy are added, the objective is set as data filtering.

Condition. Additional condition of access control as a dynamically calculated logical expression. An MDM dictionary element attribute is also specified as a condition to set up user access permissions to element.
Effect. Enable or disable access after the rule execution.

NOTE. The effect works in case of logical expression calculation result matching in objective and condition.

Root Set/Policies/Rule Combination Algorithm. A drop-down list of algorithms, which determines the access gaining:

Deny Overriding. It denies access if at least one of the calculation results returns deny.
Allow Overriding. It allows access if at least one of the calculation results returns allow.
Apply the First Available Rule. The calculation result of the first available rule in the policy hierarchy. The rule is available in case of logical expression calculation result matching in objective and condition.

NOTE. If none of the rule is available, the policy is not executed.

Apply the Only Available Rule. The calculation result of the single available rule in the policy hierarchy. The rule is available in case of logical expression calculation result matching in objective and condition.

NOTE. If the policy contains several rule or the single rule is not available, the policy is not executed.

Description. The comment to the generated policies set, policy, rule.

After creating an access check policy the section will display attribute-based access structure.

To optimally place attribute-based access control elements in the structure, use the

Up and

Down buttons or Drag&Drop mechanism.

If required, delete the attribute-based access control elements using the Delete button.