Allstate Clause for the Add Policy Command

This clause allows you to define who can access a business object and what type of access they have across every state in the policy. Rather than specifying this for each state, the access you grant or deny will be applied to all states and is in addition to any access defined for a particular state.

Syntax

The ability to deny or revoke access is another option for controlling access. Revoking access in an allstate access definition differs from the other ways access is revoked: the system evaluates it as a denial of access rather than as part of granting access.

The system evaluates whether access has been revoked before it evaluates whether access has been granted. No access is revoked by default; revoked access must be explicitly defined.

To define allstate access rules for a policy:

allstate [ALLSTATE_ITEM {,ALLSTATE_ITEM}]

Or:

allstate revoke [ALLSTATE_ITEM {,ALLSTATE_ITEM}]
rule RULENAME [all | MAPPED_ACCESS_USER {MAPPED_ACCESS_USER}]
  • ALLSTATE_ITEM is an allstate subclause which provides additional information about the allstate access rule you are defining. For more information, see ACCESS_USER Subclauses.
  • MAPPED_ACCESS_USER means that a specific username or username+key is added to the state. If you do not specify a key, then only rule items that match that username and have no defined key are referenced. Owner and public rule items that have a key can be referenced, but the built-in owner and public rules (no key) cannot be referenced. For more information, see Rule Subclause.

To define a policy named Software Maintenance that gives public only read access in all states, use the following command:

add policy "Software Maintenance" allstate public read;

In this example, public has read and show access but does NOT have modify access if attribute[attribute1] != value1:

policy policy1 
   description 
   state allstate 
      revoke public modify 
         filter attribute[attribute1] == value1 
   public read,show 
      filter attribute[attribute1] == value1 
   owner none

Additional examples of usage:

add policy simple-u type all sequence "0-9,A-Z" 
   format f 
   store captured-u 
   allstate public checkin 
      user Designer modify filter "organization == US" 
   state one 
      owner all 
      public read,show 
      user Designer read,show 
   state final 
      owner all 
      public read,show; 
print policy simple-u select allstate allstate.*; 
   allstate = TRUE 
   allstate.publicaccess = checkin 
   allstate.owneraccess = all        // default if not specified 
   allstate.access[Designer] = modify 
   allstate.filter[Designer] = organization == US 
modify policy simple-u allstate remove user Designer all; 
print policy simple-u select allstate allstate.*; 
   allstate = TRUE 
   allstate.publicaccess = checkin 
   allstate.owneraccess = all
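
The evaluation order described on this page (revocation checked before grants, allstate access added to each state's own access), as an added Python model rather than MQL or the product's own code. It transcribes the simple-u policy above; the data structures, the function names, the treatment of public as matching every user, and the WITH_REVOKE variant are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Item:
    who: str                      # "public", "owner", or a user name
    access: frozenset             # access names; "all" grants everything
    revoke: bool = False          # True for an "allstate revoke" item
    filt: Optional[Callable[[dict], bool]] = None  # None means no filter

def item(who, access, revoke=False, filt=None):
    return Item(who, frozenset(access.split(",")), revoke, filt)

def applies(it, user, obj, wanted):
    """True when the item targets this user, its filter passes, and it names the access."""
    if it.who == "owner" and user != obj["owner"]:
        return False
    if it.who not in ("owner", "public", user):
        return False
    if it.filt is not None and not it.filt(obj):
        return False
    return "all" in it.access or wanted in it.access

def check_access(policy, state, user, obj, wanted):
    allstate = policy["allstate"]
    # Step 1: revocation is evaluated first and wins over any grant.
    if any(it.revoke and applies(it, user, obj, wanted) for it in allstate):
        return False
    # Step 2: allstate grants are added to the grants of the current state.
    grants = [it for it in allstate if not it.revoke] + policy["states"][state]
    return any(applies(it, user, obj, wanted) for it in grants)

# The simple-u policy from this page, transcribed into the model.
SIMPLE_U = {
    "allstate": [
        item("public", "checkin"),
        item("owner", "all"),  # default shown in the print output above
        item("Designer", "modify", filt=lambda o: o["organization"] == "US"),
    ],
    "states": {
        "one": [item("owner", "all"), item("public", "read,show"),
                item("Designer", "read,show")],
        "final": [item("owner", "all"), item("public", "read,show")],
    },
}
# Constructed variant: an allstate revoke of public checkin outside the US.
WITH_REVOKE = dict(SIMPLE_U, allstate=SIMPLE_U["allstate"] + [
    item("public", "checkin", revoke=True, filt=lambda o: o["organization"] != "US")])
```

In the WITH_REVOKE variant the object's owner loses checkin on a non-US object even though owner has all access, because the revoke item is evaluated before any grant.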

Filter expressions of the form current.access[ACCESS_TYPE] == TRUE accept as an ACCESS_TYPE.