Access rule

Access rule contains the conditions that enable users to access secured content. These conditions are defined with <rule> tags which are nested under the <access-rule> tag. The <access-rule> tag can be assigned one of two class values to define its behaviour:

Table 1: Class values that can be assigned to the access rules tag

Class value

Description

satisfy-any

Grants access if one rule condition is met.

satisfy-all

Grants access if all rule conditions are met.

Child element tags

Table 2: Child element tags

Tag

Description

<rule>

Rules are defined in security model with the <rule> tag. Rules can be nested to handle more complex access conditions.

There are five access rule conditions that can be applied using the following class values:

 

satisfy-any

Grants access if one rule condition is met. Only used when acting as a parent to other <rule> tags.

 

satisfy-all

Grants access if all rule conditions are met. Only used when acting as a parent to other <rule> tags.

 

match-any

Grants access if a value from the specified security privileges property field matches a value from the specified security metadata property field.

 

match-all

Grants access if all values from the specified security privileges property field matches all values from the specified security metadata property field.

 

match-literal

Grants access if a value from the specified security privileges property field matches the value defined in the <literal> tags.

<claim>

The <claim> tag is used inside a rule to target a specific security privileges property field.

This is done by entering the name attribute value of a claim schema <property> tag between the opening and closing <claim> tags.

<security-metadata>

The <security-metadata> tag is used inside a rule to target a specific security metadata property field.

This is done by entering the name attribute value of a security metadata schema <property> tag between the opening and closing <security-metadata> tags.

<literal>

The <literal> tag is used inside a rule to target a specific value in a security privileges property field.

This is done by entering the name of the value between the opening and closing <literal> tags.

Code examples

Table 3: Code examples for common implementations of access rules

Task

Code example

Create an access rule that requires only one of the following rule conditions to be satisfied for access to be granted:

  • Rule 1: One value from this security privileges (claim) property field needs match one value from this security metadata property field.
  • Rule 2: This security privilege (claim) property field must contain this value (literal).
  • Rule 3: All values from this security privileges (claim) property field needs to match all values from this security metadata property field.

<access-rule class="satisfy-any">

<rule class="match-any"><claim>user-name</claim><security-metadata>user-access</security-metadata></rule>

<rule class="literal"><claim>sintelix-access</claim><literal>admin</literal></rule>

<rule class="match-all"><claim>group</claim><security-metadata>group-access</security-metadata></rule>

</access-rule>

The access rule will grant access to the user johnsmith if:

  • Rule 1 is true OR
  • Rule 2 is true OR
  • Rule 3 is true

Sintelix UI output: Security Privileges: Admin > Manage User Accounts > Users authenticated by Sintelix > Security Privileges column

 

Security Metadata: Collections > Collection > Collection Configuration > Security Metadata pane

Create an access rule that requires all of the following rule conditions to be satisfied for access to be granted:

  • Rule 1: Only one of the following nested rule conditions must be satisfied:
    • Rule 1-1: One value from this security privileges (claim) property field needs match one value from this security metadata property field.
    • Rule 1-2: One value from this security privileges (claim) property field needs match one value from this security metadata property field.
  • Rule 2: All values from this security privileges (claim) property field needs to match all values from this security metadata property field.

<access-rule class="satisfy-all">

<rule class="satisfy-any">

<rule class="match-any"> <claim>role</claim><security-metadata>role-access</security-metadata></rule>

<rule class="match-any"><claim>department</claim><security-metadata>department-access</security-metadata></rule>

</rule>

<rule class="match-all"><claim>clearance</claim><security-metadata>clearance-access
</security-metadata></rule>

</access-rule>

The access rule will grant access to the user johnsmith if:

  • Either Rule 1-1 or Rule 1-2 is true AND
  • Rule 2 is true

Sintelix UI output: Security Metadata: Collections > Collection > Collection Configuration > Security Metadata pane

 

fontfontfont