You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

You can create ACL rules on the different components of the system.

Record ACL Rules

Record ACL rules consists of table and field names.

  • The table name specifies the table you want to secure. If other tables extend from it, then this table is considered to be a parent table. ACL rules for parent tables apply to any table that extends the parent table.
  • The field name specifies the field that you want to secure. Some fields are part of multiple tables because of table extension. ACL rules for fields in a parent table can be applicable to any table that extends the parent table.

ACL rules can secure the following record operations:

OperationDescription
CreateAllows users to insert new records (rows) into a table.
ReadAllows users to display records from a table.
UpdateAllows users to update records in a table.
DeleteAllows users to remove records from a table or drop a table.

The processing of record ACL rules goes as follows:

  • Match the object against table ACL rules.
  • Match the object against field ACL rules.

This order ensures that users get access to more general objects before getting access to more specific objects. A user must pass both table and field ACL rules to access a record object.

  • If a user fails a table ACL rule, then access to all fields in the table is denied, even if the user passes a field ACL rule.
  • If a user passes a table ACL rule, but fails a field ACL rule. the user cannot access the field described by the field ACL rule.

Table ACL Rules

First, the table ACL rule must be passed. The base system includes STAR (*) table ACL rules that match every table. So the user must always pass at least one table ACL rule. The base system provides additional table ACL rules to control access to specific tables.

Table ACL rules are processed in the as described below:

  1. Match the table below. For example, Incident.
  2. Match the parent table name. For example, task.
  3. Match any table name (*). For example, *.

If a user fails ALL table ACL rules, then the user cannot access the fields in any tables. If a user passes a table ACL rule, the system then evaluates the field ACL rules.

Field ACL Rules

After a table ACL rule passed, then field ACL rules are processed in the following order:

  1. Match the table and field name. For example, incident.number.
  2. Match the parent table and field name. For example, task.number.
  3. Match any table (*) and field name. For example, *.number.
  4. Match the table and any field (*). For example, incident.*.
  5. Match the parent table and any field (*). For example, task.*.
  6. Match any table (*) and any field (*). For example, *.*.

A user must pass the table ACL rule; otherwise access to the table fields will be denied. For example: the user wants to access the Number field in the Incident table. In this case the user must first pass the table ACL rule.

The first successful field ACL evaluation stops ACL rule processing at the field level. When a user passes a field ACL rule, the system stops searching for other matching field ACL rules. For example, if a user passes the field ACL rule for incident.number, the system stops searching for other ACL rules that secure the Number field in the incident table.

  • No labels

© 2019-2023, SimpleOne

https://simpleone.ru