Question
Is there a way to apply ABAC on a combination of Data table and Work objects?
We have a requirement in which one operator can be associated with multiple financial codes, say f001, f002, f003 ....
With the current data model, our work objects, say W-1, have a page list property, say eventList, which has an embedded page subEventlist. Each subevent is associated with a financial code f001, f002...
There are a few report definitions we have created on the Work type level. The customer is expected to see the work objects which contain only financial codes which match under the work objects referred by event --> subevent --> financial code.
Please look at below post as well.
I would like to understand if the Platform has this capability.
What could be the implementation approaches?
Thanks,
Niranjan.
You said "only see" so I am assuming you want to define a Read Access Policy for the applies-to class associated to "W-" case types.
What you are describing sounds somewhat like assignment skill-matching but the other way around, plus the restriction is that the eventList may not contain a code NOT IN the Operator's financial code list.
When defining an Attribute Policy Condition (APC), yes you must name at least one property associated to the case but you are free to use any property that easily allows you to define a pair of expressions, one always-true, the other always-false. For example:
A = pxObjClass is not null (always true), B = pxObjClass is null (always false)
You then need to solve your problem using the Conditional Access portion of the APC at the top.
Each Conditional Access Condition is an Access When rule. Within the Access When rule you are free to reference Data Pages listed in the Pages&Classes tab.
You have an .EventList where each page has a .SubEventList, which is more complex. Let's keep it simple for now and assume that each event page contains a financial code.
A Data Page can invoke a Report Definition that joins the applies-to class for W- to a Declare Index defined against the .eventList. A Report Definition can be filtered in multiple ways. One way is to compare a column against a ValueList.
Convert the Operator's set of financial codes to a ValueList named "financialCodes", then apply the following filter condition:
EVENT.financialCode Is not equal OperatorID.financialCodes
where EVENT is the alias you associated to the Declare Index join for .eventList.
You want the Report Definition to return a COUNT. The Access When rule would return true when COUNT = 0. That Access When rule would be associated to Policy Condition "A" (always true), meaning access should be allowed since the .eventList did not contain a code not in the Operator's financialCodes ValueList.
But in your situation you have a list within a list. Try defining a Declare Index against .eventList().subEventList(). If you have M events, where each event has N subEvents, the Declare Index will generate MxN rows. After aliasing your Declare Index join as "SUBEVENT", your filter condition would be:
SUBEVENT.financialCode Is not equal OperatorID.financialCodes
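
The COUNT = 0 check described in the answer above, modelled as an added example in Python with an in-memory SQLite database; it is not Pega rule configuration and not code from either post. The table and column names, the sample rows and the `null_is_violation` switch are constructed for illustration, and the "Is not equal" ValueList filter is assumed to behave like SQL `NOT IN`.

```python
import sqlite3

# Constructed sample data: (case id, event index, subevent index, financial code).
# One row per subevent, mirroring the M x N rows a Declare Index would produce.
INDEX_ROWS = [
    ("W-1", 1, 1, "f001"), ("W-1", 1, 2, "f002"),
    ("W-2", 1, 1, "f001"), ("W-2", 2, 1, "f009"),
    ("W-3", 1, 1, None),                 # subevent with no code set
]
CASES = ["W-1", "W-2", "W-3", "W-4"]     # W-4 has no subevents at all

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE work (case_id TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE subevent_idx "
               "(case_id TEXT, ev INT, sub INT, financial_code TEXT)")
    db.executemany("INSERT INTO work VALUES (?)", [(c,) for c in CASES])
    db.executemany("INSERT INTO subevent_idx VALUES (?,?,?,?)", INDEX_ROWS)
    return db

def violation_count(db, case_id, operator_codes, null_is_violation=True):
    """COUNT of subevent rows whose code is not in the operator's list."""
    marks = ",".join("?" * len(operator_codes))
    cond = f"s.financial_code NOT IN ({marks})"
    if null_is_violation:
        # In SQL, NULL NOT IN (...) is unknown, so the row would not be counted.
        cond = f"(s.financial_code IS NULL OR {cond})"
    sql = ("SELECT COUNT(*) FROM work w "
           "JOIN subevent_idx s ON s.case_id = w.case_id "
           f"WHERE w.case_id = ? AND {cond}")
    return db.execute(sql, [case_id, *operator_codes]).fetchone()[0]

def can_read(db, case_id, operator_codes, null_is_violation=True):
    """Access When analogue: true only when the violation COUNT is 0."""
    return violation_count(db, case_id, operator_codes, null_is_violation) == 0

def readable_cases(operator_codes, null_is_violation=True):
    db = build_db()
    return [c for c in CASES
            if can_read(db, c, operator_codes, null_is_violation)]

if __name__ == "__main__":
    print(readable_cases(["f001", "f002", "f003"]))
    print(readable_cases(["f001", "f002", "f003"], null_is_violation=False))
```

In this SQL model a subevent with no code slips past a plain `NOT IN` filter, and a case with no subevents always yields COUNT = 0, so both situations are worth testing against the actual Report Definition.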