Define Access Rule

Access rule contains the conditions that enable users to access restricted content. These conditions are defined with <rule> tags which are nested under the <access-rule> tag. The <access-rule> tag can be assigned one of two class values to define its behaviour:

: Class values that can be assigned to the access rules tag

Class value	Description
`satisfy-any`	Grants access if one rule condition is met.
`satisfy-all`	Grants access if all rule conditions are met.

Child element tags

: Child element tags

Tag	Description
`<rule>`	Rules are defined in security model with the `<rule>` tag. Rules can be nested to handle more complex access conditions. There are five access rule conditions that can be applied using the following `class` values:
	`satisfy-any`	Grants access if one rule condition is met. Only used when acting as a parent to other `<rule>` tags.
	`satisfy-all`	Grants access if all rule conditions are met. Only used when acting as a parent to other `<rule>` tags.
	`match-any`	Grants access if a value from the specified security privileges property field matches a value from the specified security metadata property field.
	`match-all`	Grants access if all values from the specified security privileges property field matches all values from the specified security metadata property field.
	`match-literal`	Grants access if a value from the specified security privileges property field matches the value defined in the `<literal>` tags.
`<claim>`	The `<claim>` tag is used inside a rule to target a specific security privileges property field. This is done by entering the `name` attribute value of a claim schema `<property>` tag between the opening and closing `<claim>` tags.
`<security-metadata>`	The `<security-metadata>` tag is used inside a rule to target a specific security metadata property field. This is done by entering the `name` attribute value of a security metadata schema `<property>` tag between the opening and closing `<security-metadata>` tags.
`<literal>`	The `<literal>` tag is used inside a rule to target a specific value in a security privileges property field. This is done by entering the name of the value between the opening and closing `<literal>` tags.

Code examples

: Code examples for common implementations of access rules

Task	Code example
Create an access rule that requires only one of the following rule conditions to be satisfied for access to be granted: Rule 1: One value from this security privileges (claim) property field needs match one value from this security metadata property field. Rule 2: This security privilege (claim) property field must contain this value (literal). Rule 3: All values from this security privileges (claim) property field needs to match all values from this security metadata property field.	`<access-rule class="satisfy-any">` `<rule class="match-any"><claim>user-name</claim><security-metadata>user-access</security-metadata></rule>` `<rule class="literal"><claim>sintelix-access</claim><literal>admin</literal></rule>` `<rule class="match-all"><claim>group</claim><security-metadata>group-access</security-metadata></rule>` `</access-rule>` The access rule will grant access to the user johnsmith if: Rule 1 is true OR Rule 2 is true OR Rule 3 is true Sintelix UI output: Security Privileges : Admin > Manage User Accounts > Users authenticated by Sintelix > Security Privileges column
	Security Metadata: Collections > Collection > Collection Configuration > Security Metadata pane
Create an access rule that requires all of the following rule conditions to be satisfied for access to be granted: Rule 1: Only one of the following nested rule conditions must be satisfied: Rule 1-1: One value from this security privileges (claim) property field needs match one value from this security metadata property field. Rule 1-2: One value from this security privileges (claim) property field needs match one value from this security metadata property field. Rule 2: All values from this security privileges (claim) property field needs to match all values from this security metadata property field.	`<access-rule class="satisfy-all">` `<rule class="satisfy-any">` `<rule class="match-any"> <claim>role</claim><security-metadata>role-access</security-metadata></rule>` `<rule class="match-any"><claim>department</claim><security-metadata>department-access</security-metadata></rule>` `</rule>` `<rule class="match-all"><claim>clearance</claim><security-metadata>clearance-access </security-metadata></rule>` `</access-rule>` The access rule will grant access to the user johnsmith if: Either Rule 1-1 or Rule 1-2 is true AND Rule 2 is true Sintelix UI output: Security Metadata : Collections > Collection > Collection Configuration > Security Metadata pane

Task

Code example

Create an access rule that requires only one of the following rule conditions to be satisfied for access to be granted:

Rule 1: One value from this security privileges (claim) property field needs match one value from this security metadata property field.
Rule 2: This security privilege (claim) property field must contain this value (literal).
Rule 3: All values from this security privileges (claim) property field needs to match all values from this security metadata property field.

<access-rule class="satisfy-any">

<rule class="match-any"><claim>user-name</claim><security-metadata>user-access</security-metadata></rule>

<rule class="literal"><claim>sintelix-access</claim><literal>admin</literal></rule>

<rule class="match-all"><claim>group</claim><security-metadata>group-access</security-metadata></rule>

</access-rule>

The access rule will grant access to the user johnsmith if:

Rule 1 is true OR
Rule 2 is true OR
Rule 3 is true

Sintelix UI output: Security Privileges : Admin > Manage User Accounts > Users authenticated by Sintelix > Security Privileges column

Security Metadata: Collections > Collection > Collection Configuration > Security Metadata pane

Create an access rule that requires all of the following rule conditions to be satisfied for access to be granted:

Rule 1: Only one of the following nested rule conditions must be satisfied:

Rule 1-1: One value from this security privileges (claim) property field needs match one value from this security metadata property field.
Rule 1-2: One value from this security privileges (claim) property field needs match one value from this security metadata property field.

Rule 2: All values from this security privileges (claim) property field needs to match all values from this security metadata property field.

<access-rule class="satisfy-all">

<rule class="satisfy-any">

<rule class="match-any"> <claim>role</claim><security-metadata>role-access</security-metadata></rule>

<rule class="match-any"><claim>department</claim><security-metadata>department-access</security-metadata></rule>

</rule>

<rule class="match-all"><claim>clearance</claim><security-metadata>clearance-access </security-metadata></rule>

</access-rule>

The access rule will grant access to the user johnsmith if:

Either Rule 1-1 or Rule 1-2 is true AND
Rule 2 is true

Sintelix UI output: Security Metadata : Collections > Collection > Collection Configuration > Security Metadata pane