An Access Control Policy Condition rule defines a set of filters, and the filter logic combining them, for an access control policy.
Each filter compares a column source (a property of the policy’s class) to a target value. An example filter is Case.RequiredClearance <= UserInfo.SecurityLevel. Each set of filters compares a case attribute (property value) to any clipboard property value that you want. This comparison value typically represents information about the user attempting to access cases. The filter logic used to combine the filters uses the AND and OR operators and parentheses. You can enter multiple sets of filter logic values, each associated with a when rule, so that the filters enforced for a specific user are dynamically determined at run time.
The special comparison operators All Of and One Of can be used to compare two property values when each is a comma-separated list of one of more values. The comparison values that are referenced in policy condition filters must be existing Requestor properties or requestor-scoped data pages.
The following restrictions apply to column source properties:
Note: When access policies are inherited by multiple classes, column source properties might need to be optimized and stored in a returnable form in the search index in each class where the policies are enforced. Also, when the list of custom search properties for a class changes, the search index must be rebuilt for the class on the Search landing page.
Caution! Do not enter case attributes or policy class property values in an Access When rule that is used for conditional logic because doing so causes invalid results or run-time failures.
Target values are restricted to a clipboard page reference or to a nonparameterized data page reference. Primary page properties are not allowed. Target values must be of the same data type as the column source.
The Access Control Policy Condition rule form displays the following tabs that provide configuration options for an access control condition.