Security rules configuration - SmartPlant Foundation - IM Update 48 - Help - Hexagon


Security rules can only be used in the Web Client.

In addition to or in place of owning groups, you can use security rules to limit the classes of objects users have access to. You restrict the data returned from the database by creating a security rule that links one or more class definitions to one or more access groups with a condition. When used with owning groups, the security rule further segregates user access to the different classes of objects.

For example, an organization has a number of transmittals organized by owning groups based on their internal requirements, such as Classified, Restricted, and Open. The organization can create user accounts for external customers using the same roles and access groups as for internal users. However, with the security rules in place, the organization can ensure that each external customer can only access the transmittals that are applicable to them.

Security rules can also be configured using the Web Client. For more information, see Configure security rules.

Security rules on a class definition

Rules can be configured on a class definition. The SPFSecurityRule class definition, and the SPFClassDefSecurityRule and SPFSecurityRuleAccessGroup relationship definitions are used to configure the security rules.

Security rules for a class definition

When a security rule is configured on a class definition, the security rules that are applied during a relationship expansion are controlled by the SPFSecurityRuleExecution12 and SPFSecurityRuleExecution21 flags. These are property definitions that are exposed on the ISPFRelDefExt interface definition. For example, <ISPFRelDefExt SPFSecurityRuleExecution12 = True>.

  • When the SPFSecurityRuleExecution12 is set to True, the security rules are applied to End2 when expanding from End1.

    If the SPFSecurityRuleExecution12 is set to True and no relationship exists, the software applies the security rules based on the instantiated interface definition. This uses the security rule associated with the first class definition encountered that has a security rule.

  • When the SPFSecurityRuleExecution21 is set to True, the security rules are applied to End1 when expanding from End2.

  • If either the SPFSecurityRuleExecution12 or the SPFSecurityRuleExecution21 flag is set to False, then the security rules are not applied to the relationship expansion.

  • If an entry point is on an interface definition, any security rules configured on class definitions that realize the same interface definition are applied. The rules are also applied on any graph definitions on a class definition that is realized by an interface definition.

Security rules on the end object of a relationship definition

Security rules can also be configured directly on objects, but only when the security rules are accessed through a specific relationship or edge definition. This scenario for security rules is useful where the end interface of the relationship definition is realized by multiple class definitions.

Relationships – direction 12 – Applies the configured security rule directly to the End2 object without evaluating the security rule applied to the End2 object’s class definition. For example, SPFRelDefSecurityRule12.

Relationships – direction 21 – Applies the configured security rule directly to the End1 object without evaluating the security rule applied to the End1 object’s class definition. For example, SPFRelDefSecurityRule21.

When relationship definitions are defined directly on the security rule and the SPFSecurityRuleExecution12 or SPFSecurityRuleExecution21 flag is set to False, the security rule is not evaluated on relationship expansions.

Edges – Applies the security rule to all the objects returned by the edge definition. For example, SPFEdgeDefSecurityRule.
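
The flag and precedence behavior described above can be modeled to audit a configuration for rules that exist but are never evaluated on an expansion. This Python sketch is an added example, not Hexagon code or a SmartPlant Foundation API. It assumes the execution flags are read per direction, uses constructed class, relationship and rule names, and does not model edge definitions or the case where no relationship exists.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class RelDef:
    name: str
    end1_class: str
    end2_class: str
    execution12: bool                 # SPFSecurityRuleExecution12
    execution21: bool                 # SPFSecurityRuleExecution21
    rule12: Optional[str] = None      # rule related through SPFRelDefSecurityRule12
    rule21: Optional[str] = None      # rule related through SPFRelDefSecurityRule21

def effective_rule(rel, direction, class_rules):
    """Return (source, rule) for the far-end object of one expansion direction."""
    if direction == "12":
        enabled, direct, far = rel.execution12, rel.rule12, rel.end2_class
    elif direction == "21":
        enabled, direct, far = rel.execution21, rel.rule21, rel.end1_class
    else:
        raise ValueError("direction must be '12' or '21'")
    if not enabled:
        return ("none", None)         # flag False: no rule evaluated on expansion
    if direct:
        return ("reldef", direct)     # applied directly; class-def rule not evaluated
    rule = class_rules.get(far)
    return ("classdef", rule) if rule else ("none", None)

def skipped_rules(reldefs, class_rules):
    """List (reldef, direction, rule) where a configured rule is never evaluated."""
    findings = []
    for rel in reldefs:
        for direction, direct, far in (("12", rel.rule12, rel.end2_class),
                                       ("21", rel.rule21, rel.end1_class)):
            configured = direct or class_rules.get(far)
            if configured and effective_rule(rel, direction, class_rules)[0] == "none":
                findings.append((rel.name, direction, configured))
    return findings

# Constructed sample data; every name below is hypothetical.
CLASS_RULES = {"ExTransmittal": "ExRule_CustomerOnly"}
RELDEFS = [
    RelDef("ExProjectTransmittal", "ExProject", "ExTransmittal", True, False),
    RelDef("ExTransmittalFile", "ExTransmittal", "ExFile", True, True,
           rule12="ExRule_FileByCustomer"),
    RelDef("ExContractTransmittal", "ExContract", "ExTransmittal", False, False),
    RelDef("ExReviewFile", "ExReview", "ExFile", False, False,
           rule12="ExRule_FileByCustomer"),
]
```

Each finding from `skipped_rules(RELDEFS, CLASS_RULES)` is an expansion path where a rule is configured for the far-end object but the execution flag for that direction is False.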

Tip: You can also restrict access to objects attached to workflows by relating the user role to an object class and setting a condition on the relationship. For more information, see Workflow access configuration.