Adding Access Check Rules and Policies

To add access check rules and policies, use the Attribute-Based Access Control section on the navigation panel.

NOTE. When roles of information security administrator and application administrator are separated, the Attribute-Based Access Control section is available only for information security administrator. Attribute-based access control structure creation (attribute addition, policy and rules editing) is controlled by the system and is available to the administrator with the Changing User Permissions, Distributing Roles, Changing Policy privilege and the Changing Security Label and Access Control List of Any Object privilege.

The section is based on the attribute-based access control method, it is used to create access check rules with necessary conditions. The system checks if a user can execute a specific action on an object and/or data segment through an attribute check.

Make sure that the Use Attribute-Based Access Control checkbox is selected in the access control.

The section contains a structure of attribute-based access control that consists in the elements hierarchy:

IMPORTANT. If attribute-based access control structure is not set, all operations on objects are denied.

To add a set of policies:

In the web application:

Select in the Attribute-Based Access-Control policies list hierarchy:

Click the Create button in the toolbar.
Select the Add Set item in the drop-down menu of the Create button.

Select the existing set of policies in the list hierarchy:

Select the Add Set item in the drop-down menu of the Create button.

In the desktop application:

Select in the Attribute-Based Access-Control policies list hierarchy:

Click the Add button.
Select the Add Set item in the drop-down list of the Add button.

Select the existing set of policies in the list hierarchy:

Select the Add Set item in the drop-down list of the Add button.

After executing one of the operations the set of policies for the selected element in the list hierarchy is added. Set properties of a set of policies on the Properties side panel in the web application or in the right part of the security manager in the desktop application.

To add a policy, select the existing set of policies in the list hierarchy:

In the web application:

Click the Create button in the toolbar.
Select the Add Policy item in the drop-down menu of the Create button.

In the desktop application:

Click the Add button.
Select the Add Policy item in the drop-down menu of the Add button.

After executing one of the operations the policy is added for the selected set of policies. Set properties of a set of policies on the Properties side panel in the web application or in the right part of the security manager in the desktop application.

To add a rule, select the existing policy in the list hierarchy:

In the web application:

Click the Create button in the toolbar.
Select the Add Rule item in the drop-down menu of the Create button.

In the desktop application:

Click the Add button.
Select the Add Rule item in the drop-down list of the Add button.

After executing one of the operations the rule for the selected policy is added. Set properties of a set of policies on the Properties side panel in the web application or in the right part of the security manager in the desktop application.

For attribute-based access control, selected set of policies, policy, rule, set properties determining access to objects and/or data segments, in the right part of the security manager of the desktop application or on the Properties side panel in the web application.

Description of properties:

Name. The name that unites the set of policies, policies and rules.
Objective. A condition for further checking user action access to object.

IMPORTANT. If a rule is added, the field is mandatory. When a set of policies and a policy are added, the objective is set as data filtering.

Condition. Additional condition of access control as a dynamically calculated logical expression. An MDM dictionary element attribute is also specified as a condition to set up user access permissions to element.
Effect. Enable or disable access after the rule execution.

NOTE. The effect works if logical expression calculation result matches in the objective and the condition.

Root Set/Policies/Rule Combination Algorithm. A drop-down list of algorithms, which determines the access:

Deny Overriding. It denies access if at least one calculation result returns deny.
Allow Overriding. It allows access if at least one calculation result returns allow.
Apply the First Available Rule. The calculation result of the first available rule in the policy hierarchy. The rule is available if logical expression calculation result matches in the objective and the condition.

NOTE. If no rule is available, the policy is not executed.

Apply the Only Available Rule. The calculation result of the single available rule in the policy hierarchy. The rule is available in if logical expression calculation result matches in the objective and the condition.

NOTE. If the policy contains several rules or the single rule is unavailable, the policy is not executed.

Description. The comment to the generated set of policies, policy, rule.

After creating an access check policy the section will display attribute-based access structure.

To optimally place attribute-based access control elements in the structure, use the

Up and

Down buttons or Drag&Drop mechanism.

If required, delete the attribute-based access control elements using the Delete button.