This section explains the elements used to define access control. After reading this section, you will be able to set up your access control file. Examples shipped with the product contain access control files you can use as models.

If your user role has permission to do so, you can also create or modify an access control file in Decision Manager. To modify an existing access control file, select Access > Open.

The access control file for an RMS project must be placed in the project's config folder and it must be named using the format ProjectName.ac. See RMS Project Directories and Files. Also see Choosing Single Project or Multiple Project Mode to understand where the project folder or folders are located.

In the resources element, you group the project resources in whatever way supports the permissions you want to set and give each grouping or individual resource an ID. You use the ID when setting the permissions.

How you specify the resource group is partly determined by the resource type attribute. The resource type can act as a filter. For example, suppose in the name attribute you specify a folder that includes events and concepts. If you set the type attribute to "CONCEPT" then the ID associated with this grouping is used to set permissions only on the concepts in that folder (and its subfolders). You could create a second grouping whose type specifies "EVENT" so that you can set permissions on events in that folder branch separately.

To specify an individual resource, provide the project path to the resource in the name attribute. The project path is the folder path to the ontology entity, as seen in the Explorer panel. The example below shows how to specify an ID that is associated with the FirstName property of the Person concept:

<resource name="/Concepts/Person/FirstName" id="FN" type="PROPERTY"/>

You can associate groups of resources with an ID using the wildcard character in the project path. The asterisk (*) is used as the wildcard character.
For example:

The broadest resource grouping is provided by setting permissions at the level of resource type. This method groups all resources of that type in the project. To set a resource type resource group, you associate an ID with a resource type, and you do not use the name attribute. For example:

<resource id="C" type="CONCEPT"/>

See Table 9, Resource Types and Action Types for a list of resource types, and the action types that are valid for each resource type.

By default, all permissions are denied. If a certain permission is not explicitly given to a role, then the role does not have the permission. This approach ensures unauthorized users do not accidentally gain access to restricted resources.

Permissions are not hierarchical. That is, a create permission does not imply a modify permission or a delete permission. All privileges are mutually exclusive.

For each resource type there is a predefined set of action types (see Table 9, Resource Types and Action Types). You must grant permission separately for each action type. For example, you would add four permission elements to give a user role permissions to create, read, modify, and delete a specified group of resources of a certain type.

In the Decision Manager application, you cannot create, modify, or delete properties, rulesets, concepts, and rule functions.
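
The following added example (not code from the product or its documentation) models the rules described above so that a draft set of resource groupings can be checked before deployment: the type attribute as a filter, folder and type-wide groupings, default deny, and a separate grant per action. The grants are hypothetical Python tuples rather than the product's permission syntax, the sample paths other than /Concepts/Person/FirstName are constructed, and glob-style matching for the asterisk is an assumption.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

ACTIONS = ("create", "read", "modify", "delete")

# Constructed sample. The <resource> attributes (name, id, type) are the ones the
# page shows; paths other than /Concepts/Person/FirstName are made up.
RESOURCES_XML = """
<resources>
  <resource name="/Concepts/Person/FirstName" id="FN" type="PROPERTY"/>
  <resource name="/Shared" id="SC" type="CONCEPT"/>
  <resource name="/Shared" id="SE" type="EVENT"/>
  <resource name="/Events/Order*" id="OE" type="EVENT"/>
  <resource id="C" type="CONCEPT"/>
</resources>
"""

# Hypothetical grants as (role, resource id, action) tuples. This is plain Python
# data standing in for permission elements, not the product's syntax.
GRANTS = {
    ("analyst", "SC", "read"), ("analyst", "SC", "modify"),
    ("analyst", "FN", "read"), ("analyst", "OE", "read"),
    ("author", "SC", "create"),
    ("auditor", "C", "read"),
}

def load_resources(xml_text):
    """Map each resource ID to its (name or None, type) pair."""
    root = ET.fromstring(xml_text)
    return {r.get("id"): (r.get("name"), r.get("type")) for r in root.iter("resource")}

def covers(name, path):
    """Does a resource name cover this project path?"""
    if name is None:                      # no name attribute: whole resource type
        return True
    if "*" in name:                       # assumption: glob-style wildcard matching
        return fnmatchcase(path, name)
    # An individual entity, or a folder together with its subfolders.
    return path == name or path.startswith(name.rstrip("/") + "/")

def is_allowed(role, action, path, rtype, resources, grants):
    """Default deny: true only when an explicit grant names this exact action."""
    return any(
        res_type == rtype and covers(name, path) and (role, rid, action) in grants
        for rid, (name, res_type) in resources.items()
    )

def effective(role, path, rtype, resources=None, grants=GRANTS):
    """Per-action decision table for one role and one resource."""
    resources = resources or load_resources(RESOURCES_XML)
    return {a: is_allowed(role, a, path, rtype, resources, grants) for a in ACTIONS}
```

Calling effective("author", "/Shared/Customer", "CONCEPT") shows the non-hierarchical rule: the create grant yields create only, with read, modify, and delete still denied.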
Copyright © TIBCO Software Inc. All Rights Reserved.