For example, the access portion of the policy or rule might be: user Writer read,modify,fromconnect,toconnect filter ACCESS_FILTER; Where
To evaluate a filter, at least Read access (and Show access, if enabled) is required so these access checks are disabled when analyzing filters. However, if the filter includes the access selectable, such as one that checks access on a connected object, these access checks are turned back on for evaluation. A filter in a policy is always executed in the context of the login user. Use localfilter instead of filter in policies and access rules to return only results to which the current user definitely has access. When you use localfilter, the expression is not evaluated by full-text search. These operands can be used in expression access filters:
If a revoke filter expression evaluates to “true,” the specified access will not be granted. If it evaluates to “false,” the specified access will not be revoked but it will also not be granted. Before access is granted, the system checks to see if access has been explicitly granted. Filter expressions of the form
$ACCESS MacroThe
If an object is connected to more than one parent object, the
expression evaluates to true if any one of the parents has the required access.
To specify that a child should inherit the access from only one of the parents,
the expression must identify the relevant connection between the parent and the
child. For example:
The
current.access[$ACCESS] state[STATE1].access[$ACCESS] The macro is not expanded if it appears anywhere else in the
expression, including if a program is called as part of the access filter.
There will be no macro substitution for
program[checkAccess $ACCESS]However, if the checkAccess program itself creates a command of the form print bus $OBJECTID select current.access[$ACCESS] , it
will be evaluated.
In the following show, read, modify access filter, the
filter '("$ACCESS" == "show") || ("$ACCESS" == "modify" && (from.owner == context.user))'This expanded use of $ACCESS can be used to create rules that define the
access a user has on a relationship.
The $ACCESS macro can be used in an access rule filter and is populated with the current access being checked whenever the filter is evaluated. For example, the following rule allows a different condition for modify versus revise access: ($ACCESS == modify && <modify-condition>) || ($ACCESS == revise $$ <revise-condition>) Output from the revise portion of this filter continues to be "revise" instead of "minorrevise" to maintain backward compatibility. Expression Access Filter ExampleWhen developing filters, you can use the
For example: MQL<15> eval expr '(attribute[Actual Weight] > 100) AND ("relationship[Designed Part Quantity].to.type" == "Body Shell")' on bus Comment 12345 1;From the above we can say that the expression '(attribute[Actual Weight] > 100) AND ("relationship[Designed Part Quantity].to.type" == "Body Shell")'is a valid expression and thus can be used for an expression access filter. Context in which the filter is executed, for example: MQL<1>add person pgrantor; MQL<2>add person pgrantee; MQL<3>add type test_typ; MQL<4>add policy ptest type test_typ state exists public show,read user pgrantor grant,revoke,changevault filter 'state[toggle].access[execute]' state toggle public show user pgrantor execute; # Add the bus and the grant MQL<5> add bus test_typ bus1 0 policy ptest vault xxxx; MQL<6> set context user pgrantor; MQL<7> mod bus test_typ bus1 0 grant pgrantee access changevault; MQL<8> set context user pgrantor; MQL<9> print bus test_typ bus1 0 select current.access[changevault]; >>TRUE MQL<10> set context user pgrantee; MQL<11> print bus t2 ptest 0 select current.access[changevault] >> FALSE This is because the pgrantor has execute access in state toggle. Even
though pgrantee is granted the changevault access, the login user
(
MQL<12> set context user creator; MQL<13> mod policy ptest state toggle remove user pgrantor execute; MQL<14> mod policy ptest state toggle user pgrantee execute; MQL<15> set context user pgrantor; MQL<16> print bus test_typ bus1 0 select current.access[changevault]; >> FALSE MQL<17> set context user pgrantee; MQL<18> print bus test_typ bus1 0 select current.access[changevault]; >> TRUE It should be TRUE since even though the policy state
‘ |