Security Model Schema

This section explains the security model schema and provides a quick reference on XML element tags, attributes and accepted values when you are modifying or creating a security model. The XML tag tree below is a visual representation of the security model schema and shows how to use tags correctly in the security model.

XML tag reference tables

The XML tag reference tables provide useful information for each tag. This includes attribute information, code snippets and descriptions, and the valid context in which a tag is used.

<claims-schema>

Parent

XML Tag	Attributes	Code	Valid Context
`<claims-schema>`	-	-	`<claims-schema>` child tags `</claims-schema>`	Contains the properties used to create security privileges property fields.	`<security-model>`	`<property>`

XML Tag

Attributes

Code

Valid Context

name

values

snippet

description

parent tag

child tag

<claims-schema>

child tags

</claims-schema>

Contains the properties used to create security privileges property fields.

<security-model>

<property>

Level 1 Child

XML Tag	Attributes		Code		Valid Context
XML Tag	name	values	snippet	description	parent tag	child tag
`<property>`	`class`	`string`	`<property class="string"` `name="`yourname`"label="`yourlabel`"min-occurs="`0`"max-occurs="`0`" />`	Used to create a security privilege property field that accepts any value.	`<claim-schema>`	-
	`name`	lowercase string value
	`label`	lowercase string value
	`min-occurs`	integer value of 0 or more
	`max-occurs`	integer value of 0 or more
`<property>`	`class`	`enumeration`	`<property class="enumeration"` `name="`yourname`"label="`yourlabel`"min-occurs="`0`"max-occurs="`0`" >` child tags `</property>`	Used to create a security privilege property field that accepts a defined set of values. `<value>` tags can be used only when this is the assigned class.	`<claim-schema>`	`<value>`
	`name`	lowercase string value
	`label`	lowercase string value
	`min-occurs`	integer value of 0 or more
	`max-occurs`	integer value of 0 or more

Level 2 Child

XML Tag	Attributes	Code	Valid Context
`<value>`	-	-	`<value>` text-string </value>	Used to create predefined values for a property field. Used only under `<property>` tags with a class of `enumeration`.	`<property class="enumeration">`	-

XML Tag

Attributes

Code

Valid Context

name

values

snippet

description

parent tag

child tag

<value>

text-string

</value>

Used to create predefined values for a property field. Used only under <property> tags with a class of enumeration.

<property class="enumeration">

<security-metadata-schema>

Parent

XML Tag	Attributes	Code	Valid Context
`<security-metadata-schema>`	-	-	`<security-metadata-schema>` child tags `</security-metadata-schema>`	Contains the properties used to create security metadata property fields.	`<security-model>`	`<property>`

XML Tag

Attributes

Code

Valid Context

name

values

snippet

description

parent tag

child tag

<security-metadata-schema>

child tags

</security-metadata-schema>

Contains the properties used to create security metadata property fields.

<security-model>

<property>

Level 1 Child

XML Tag	Attributes		Code		Valid Context
XML Tag	name	values	snippet	description	parent tag	child tag
`<property>`	`class`	`string`	`<property class="string"name="`yourname`"label="`yourlabel`"min-occurs="`0`"max-occurs="`0`"merge-type="INTERSECTION">` child tags </property>	Used to create a security metadata property field that accepts any value.	`<security-metadata-schema>`	-
	`name`	lowercase string value
	`label`	lowercase string value
	`min-occurs`	integer value of 0 or more
	`max-occurs`	integer value of 0 or more
	`merge-type`	`INTERSECTION`
	`merge-type`	`HIGHEST`
`<property>`	`class`	`enumeration`	`<property class="enumeration"name="`yourname`"label="`yourlabel`"min-occurs="`0`"max-occurs="`0`"merge-type="HIGHEST">` child tags </property>	Used to create a security metadata property field that accepts a defined set of values. `<value>` tags can be used only when this is the assigned class.	`<security-metadata-schema>`	`<value>`
	`name`	lowercase string value
	`label`	lowercase string value
	`min-occurs`	integer value of 0 or more
	`max-occurs`	integer value of 0 or more
	`merge-type`	`INTERSECTION`
	`merge-type`	`HIGHEST`

Level 2 Child

XML Tag	Attributes	Code	Valid Context
`<value>`	-	-	`<value>` text-string </value>	Used to create predefined values for a property field. Used only under `<property>` tags with a class of `enumeration`.	`<property class="enumeration">`	-

XML Tag

Attributes

Code

Valid Context

name

values

snippet

description

parent tag

child tag

<value>

text-string

</value>

Used to create predefined values for a property field. Used only under <property> tags with a class of enumeration.

<property class="enumeration">

<access-rule>

Parent

XML Tag	Attributes		Code		Valid Context
XML Tag	name	values	snippet	description	parent tag	child tag
`<access-rule>`	`class`	`satisfy-all`	`<access-rule class="satisfy-all">` child tags `</access-rule>`	Contains rules and grants access when the conditions of all rules are met.	`<security-model>`	`<rule>`
`<access-rule>`	`class`	`satisfy-any`	`<access-rule class="satisfy-any">` child tags `</access-rule>`	Contains rules and grants access when the conditions of at least one rule is met.	`<security-model>`	`<rule>`

Level 1 Child

XML Tag	Attributes		Code		Valid Context
XML Tag	name	values	snippet	description	parent tag	child tag
`<rule>`	`class`	`satisfy-all`	`<rule class="satisfy-all">` child tags `</rule>`	Only used when acting as a parent to nested rules. True when the conditions of all nested rules are met.	`<access-rule>`	`<rule>`
`<rule>`	`class`	`satisfy-any`	`<rule class="satisfy-any">` child tags `</rule>`	Only used when acting as a parent to nested rules. True when the conditions of one nested rule is met.	`<access-rule>`	`<rule>`
`<rule>`	`class`	`match-any`	`<rule class="match-any">` child tags `</rule>`	Creates a rule that is true when one value from a specified security privileges property field matches one value from a specified security metadata property field.	`<access-rule>` `<rule class="satisfy-all">` `<rule class="satisfy-any">`	`<claim>` `<security-metadata>`
		`match-all`	`<rule class="match-all">` child tags `</rule>`	Creates a rule that is true when all values from a specified security privileges property field matches all values from a specified security metadata property field.		`<claim>` `<security-metadata>`
		`match-literal`	`<rule class="match-literal">` child tags `</rule>`	Creates a rule that is true when a specified value is found in a specified security privileges property field. Can contain only `<claim>` and `<literal>` tags.		`<claim>` `<literal>`

Level 2 Child

XML Tag	Attributes		Code		Valid Context
XML Tag	name	values	snippet	description	parent tag	child tag
`<claim>`	-	-	`<claim>` claims-schema-property-name-value `</claim>`	Accepts the `name` value of a claims schema `<property>` tag.	`<rule>`	-
`<security-metadata>`	-	-	`<security-metadata>` security-metadata-property-name-value `</security-metadata>`	Accepts the `name` value of a security metadata schema `<property>` tag.	`<rule>`	-
`<literal>`	-	-	`<literal>` security-privileges-property-field-value `</literal>`	Targets a value in a security privileges property field. Used only under `<rule>` tags with a class of `match-literal`.	`<rule class="match-literal">`	-

<default-security-metadata>

Parent

XML Tag	Attributes	Code	Valid Context
`<default-security-metadata>`	-	-	`<default-security-metadata>` child tags `</default-security-metadata>`	Contains rules that define what security metadata is assigned to newly added documents and created collections.	`<security-model>`	`<rule>`

XML Tag

Attributes

Code

Valid Context

name

values

snippet

description

parent tag

child tag

<default-security-metadata>

child tags

</default-security-metadata>

Contains rules that define what security metadata is assigned to newly added documents and created collections.

<security-model>

<rule>

Level 1 Child

XML Tag	Attributes	Code	Valid Context
`<rule>`	`class`	`inherit-claim`	`<rule class="inherit-claim">` child tags `</rule>`	Creates a rule that assigns values from a specified security privileges property field to a specified security metadata property field.	`<default-security-metadata>`	`<claim>` `<security-metadata>`

XML Tag

Attributes

Code

Valid Context

name

values

snippet

description

parent tag

child tag

<rule>

class

inherit-claim

<rule class="inherit-claim">

child tags

</rule>

Creates a rule that assigns values from a specified security privileges property field to a specified security metadata property field.

<default-security-metadata>

<claim>

<security-metadata>

Level 2 Child

XML Tag	Attributes		Code		Valid Context
XML Tag	name	values	snippet	description	parent tag	child tag
`<claim>`	-	-	`<claim>` claims-schema-property-name-value `</claim>`	Accepts the `name` value of a claims schema `<property>` tag.	`<rule>`	-
`<security-metadata>`	-	-	`<security-metadata>` security-metadata-property-name-value `</security-metadata>`	Accepts the `name` value of a security metadata schema `<property>` tag.	`<rule>`	-

<security-options>

Parent

XML Tag	Attributes	Code	Valid Context
`<security-options>`	-	-	`<security-options>` child tags `</security-options>`	Contains additional security options.	`<security-model>`	`<show-accessible>` `<per-document-security>`

XML Tag

Attributes

Code

Valid Context

name

values

snippet

description

parent tag

child tag

<security-options>

child tags

</security-options>

Contains additional security options.

<security-model>

<show-accessible>

<per-document-security>

Level 1 Child

XML Tag	Attributes		Code		Valid Context
XML Tag	name	values	snippet	description	parent tag	child tag
`<show-accessible>`	-	-	`<show-accessible>` <`/show-accessible>`	Used to show or hide the names of restricted networks and collections from the lists of an active user who has insufficient security privileges. Accepts a value of `true` or `false`.	`<security-options>`	-
`<per-document-security>`	-	-	`<per-document-security>` `</per-document-security>`	Used to enable and disable the security feature for applying security metadata to individual documents. Accepts a value of `true` or `false`.	`<security-options>`	-