Access Control Policy Condition rule

An Access Control Policy Condition rule defines a set of filters, and the filter logic combining them, for an access control policy. They describe the conditions under which the access type is granted to a property.

Each filter compares a column source (a property of the policy’s class) to a target value. An example filter is Case.RequiredClearance <= UserInfo.SecurityLevel. Each set of filters compares a case attribute (property value) to any clipboard property value that you want. This comparison value typically represents information about the user attempting to access cases. The filter logic used to combine the filters uses the AND and OR operators and parentheses. You can enter multiple sets of filter logic values, each associated with a when rule, so that the filters enforced for a specific user are dynamically determined at run time.

The special comparison operators All Of and One Of can be used to compare two property values when each is a comma-separated list of one of more values. The comparison values that are referenced in policy condition filters must be existing Requestor properties or requestor-scoped data pages.

The following restrictions apply to column source properties:

  • They must be top-level, optimized properties that are available as database columns and can be referenced in generated SQL. For best performance, consider indexing optimized properties that are referenced in policy conditions.
  • They must be included among the custom search properties that are stored in the search index in a returnable form if they do not have a text data type or if the All Of or One Of comparison operator is used.
    CAUTION:
    When access policies are inherited by multiple classes, column source properties might need to be optimized and stored in a returnable form in the search index in each class where the policies are enforced. Also, when the list of custom search properties for a class changes, the search index must be rebuilt for the class on the Search landing page.

    Do not enter case attributes or policy class property values in an Access When rule that is used for conditional logic because doing so causes invalid results or run-time failures.

Target values are restricted to a clipboard page reference or to a nonparameterized data page reference. Primary page properties are not allowed. Target values must be of the same data type as the column source.