...
```xml
<!-- This role does not grant any permission to create, update or delete any object. -->
<role>
  <name>CAN_CREATE_NOTHING</name>
</role>

<!-- This role grants creation permission for any object. No conditions have to be matched. -->
<role>
  <name>CAN_CREATE_EVERYTHING</name>
  <permission>
    <action>create</action>
  </permission>
</role>

<!-- This role grants creation permission for objects that match the condition.
     In this case, only objects of type 'appTable:order' or 'appEmail:email' can be created. -->
<role>
  <name>CAN_CREATE_SOMETHING</name>
  <permission>
    <action>create</action>
    <condition>
      system:objectTypeId IN ('appTable:order', 'appEmail:email')
    </condition>
  </permission>
</role>
```
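To show how the three roles above behave under a deny-by-default evaluation (no permission: denied; permission without condition: allowed; permission with condition: allowed only when the condition matches), here is an added Python evaluator. It is illustration code, not the platform's own engine: the `<roles>` wrapper element, the `attributes` dictionary and the restriction of the condition grammar to the single `X IN ('a', 'b')` form seen on the page are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the three role definitions from the page, wrapped in a
# <roles> root element so they parse as one document (the root name is an assumption).
ROLES_XML = """<roles>
  <role><name>CAN_CREATE_NOTHING</name></role>
  <role><name>CAN_CREATE_EVERYTHING</name>
    <permission><action>create</action></permission>
  </role>
  <role><name>CAN_CREATE_SOMETHING</name>
    <permission><action>create</action>
      <condition>system:objectTypeId IN ('appTable:order', 'appEmail:email')</condition>
    </permission>
  </role>
</roles>"""

# Minimal condition grammar: "<attribute> IN ('v1', 'v2', ...)". Anything the
# evaluator does not understand is treated as not matching, so unknown syntax
# fails closed instead of granting access.
IN_PATTERN = re.compile(r"^\s*([\w:@.]+)\s+IN\s*\((.*)\)\s*$", re.IGNORECASE)

def condition_matches(condition, attributes):
    """Evaluate one IN condition against the object's attribute dictionary."""
    m = IN_PATTERN.match(condition)
    if not m:
        return False
    attr, values = m.group(1), re.findall(r"'([^']*)'", m.group(2))
    return attributes.get(attr) in values

def load_roles(xml_text):
    """Map role name -> list of (action, condition-or-None) permissions."""
    roles = {}
    for role in ET.fromstring(xml_text).findall("role"):
        perms = []
        for perm in role.findall("permission"):
            cond = perm.findtext("condition")
            perms.append((perm.findtext("action"), cond.strip() if cond else None))
        roles[role.findtext("name")] = perms
    return roles

def is_allowed(roles, role_name, action, attributes):
    """True only if some permission of the role covers `action` and its condition holds."""
    for perm_action, condition in roles.get(role_name, []):
        if perm_action != action:
            continue
        if condition is None or condition_matches(condition, attributes):
            return True
    return False  # no matching permission: denied by default

if __name__ == "__main__":
    roles = load_roles(ROLES_XML)
    print(is_allowed(roles, "CAN_CREATE_SOMETHING", "create",
                     {"system:objectTypeId": "appTable:order"}))  # True
```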
As of summer 2023, it is also possible to specify conditions that reference the abac (attribute-based access control) section of the internal JWT (JSON Web Token). The following example role grants read permission for objects whose string list property appEmail:mailboxes has at least one entry contained in the current user's @abac.mailGroups string list within the JWT.
...