pp108 : Conditional ACL

Conditional ACL

This topic describes conditional ACL.


In conditional ACL, access is evaluated against the data and metadata of the object, and the evaluation is performed on the response rather than on the request.

Process Platform supports conditional ACL only for the OLE DB and JDBC connectors (that is, for OLE DB and JDBC data). Conditional ACL can therefore be set only on tables or fields of OLE DB/JDBC data. A condition can be specified for each of the read, update, insert, and delete operations, and it is evaluated against the data and metadata received in the response.

For conditional ACL, every permission is tied to a specific condition. Below is a sample conditional ACL object tree that sets a condition on the Employees object based on the value of EmployeeID.

<object>
    <object id="Northwind">
        <object id="Employees">
            <method acl="condition" id="read"> EmployeeID &gt; 3 </method>
        </object>
    </object>
</object>


The above example indicates that Employees data can be retrieved only when the condition 'EmployeeID > 3' is satisfied. The following sample shows a different type of condition, set on the EmployeeID field itself.

<object>
    <object id="Northwind">
        <object id="Employees">
            <object id="EmployeeID">
                <method acl="condition" id="read"> EmployeeID in [4,6] </method>
            </object>
        </object>
    </object>
</object>


The above sample shows that the value of EmployeeID can be read from an <Employees> record only if EmployeeID is greater than or equal to 4 and less than or equal to 6.
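To make the two evaluations above concrete, the following Python is an added illustration (not Process Platform's own code) that parses ACL object trees in the page's format and applies their read conditions to constructed response rows. It assumes that a failing table-level condition withholds the whole record and that a failing field-level condition withholds only that field's value; the condition grammar accepted (==, <, >, <=, >=, in [lo,hi]) is also an assumption.

```python
import operator
import re
import xml.etree.ElementTree as ET

# Constructed ACL trees in the page's format: a condition on the Employees object and one on its EmployeeID field.
OBJECT_ACL = """<object><object id="Northwind"><object id="Employees">
  <method acl="condition" id="read"> EmployeeID &gt; 3 </method>
</object></object></object>"""
FIELD_ACL = """<object><object id="Northwind"><object id="Employees"><object id="EmployeeID">
  <method acl="condition" id="read"> EmployeeID in [4,6] </method>
</object></object></object></object>"""
# Constructed response rows, as an OLE DB/JDBC read might return them.
EMPLOYEES = [{"EmployeeID": i, "LastName": n} for i, n in
             [(3, "Leverling"), (4, "Peacock"), (5, "Buchanan"), (6, "Suyama"), (7, "King")]]

OPS = {"==": operator.eq, ">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le}
# Only identifiers, digits and a [lo,hi] range parse; a condition with special characters (see the note) is rejected.
COND_RE = re.compile(r"^\s*(\w+)\s*(==|>=|<=|>|<|in)\s*(\[\s*\d+\s*,\s*\d+\s*\]|\d+)\s*$")

def parse_condition(text):
    """Turn 'EmployeeID > 3' or 'EmployeeID in [4,6]' into a predicate over one row (assumed grammar)."""
    m = COND_RE.match(text)
    if not m:
        raise ValueError(f"unsupported condition: {text!r}")
    field, op, rhs = m.groups()
    if op == "in":  # inclusive range, 4 <= EmployeeID <= 6, as the page describes
        lo, hi = (int(x) for x in rhs.strip("[]").split(","))
        return lambda row: lo <= row[field] <= hi
    return lambda row: OPS[op](row[field], int(rhs))

def read_conditions(acl_xml):
    """Collect (object path, predicate) for every conditional 'read' method in the tree."""
    found = []
    def walk(node, path):
        for child in node:
            if child.tag == "object":
                walk(child, path + [child.get("id")])
            elif child.tag == "method" and child.get("acl") == "condition" and child.get("id") == "read":
                found.append((path, parse_condition(child.text)))
    walk(ET.fromstring(acl_xml), [])
    return found

def apply_read_acl(acl_xml, db, table, rows):
    """Filter a read response: a failing table condition withholds the record, a failing field condition only that value."""
    conds = [(p, f) for p, f in read_conditions(acl_xml) if p[:2] == [db, table]]
    kept = []
    for row in rows:
        if all(pred(row) for path, pred in conds if len(path) == 2):
            kept.append({k: v for k, v in row.items()
                         if all(pred(row) for path, pred in conds if path[2:] == [k])})
    return kept
```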

Some salient points to be noted about conditional ACL are:

  • Either unconditional or conditional ACL can be set for an object at a time. It is not possible to set both at a time.
  • Conditional ACL can be set on any one of the methods (read, update, insert and delete) at a time.
  • For a conditional ACL set on the update Web service operation, only the new data retrieved (<tuple><new>) will be considered for evaluating the ACL.

The following table lists the access control for the read, update, insert and delete operations when conditional ACL is defined on any one of the fields:

|                                  | Read                                | Update                              | Insert                              | Delete                              |
| Conditional ACL defined on field | All values of the field are blocked | All values of the field are blocked | All values of the field are blocked | All values of the field are allowed |
| Conditional ACL defined on field | All values of the field are blocked | All values of the field are blocked | All values of the field are allowed | All values of the field are allowed |
| Conditional ACL defined on field | All values of the field are blocked | All values of the field are allowed | All values of the field are allowed | All values of the field are allowed |
| Conditional ACL defined on field |                                     |                                     |                                     |                                     |


Note:

  • If a primary key is blocked, update and delete operations are not allowed and you see an Access denied error, while an insert operation may result in a database error. However, when a non-primary key is blocked, the corresponding operation on the field is blocked but results in a SOAP fault. Apart from this, as with unconditional ACL, the ACL on a child element overrides the one on the parent element.
  • The condition defined must not contain special characters. For example, consider a table named TEST#TABLE in the database OLEDB with the fields ID and DA TA. The following ACL tree represents a valid conditional ACL, since the condition ID == 2 contains no special characters even though the table and field names do:
    <object>
        <object id="OLEDB">
            <object id="TEST#TABLE">
                <object id="DA TA">
                    <method acl="condition" id="read">ID == 2</method>
                </object>
            </object>
        </object>
    </object>


Related tasks

Configuring ACL for Web Service Interfaces and Operations
Configuring ACL for Service Groups
Configuring ACL for LDAP Objects
Configuring ACL for Database Metadata
Configuring ACL for XMLStore Objects
Configuring ACL for Roles
Configuring ACL for Users

Related reference

Unconditional ACL
ACL Parameters
ACL Definitions
ACL Explorer Interface