Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Page Properties
hiddentrue
idDONE

Product Version
Report Note
Assignee

Resources & Remarks

Modification History

NameDateProduct VersionAction
Antje08 FEB 20212.4New page properties macro.
Antje23 FEB 20212020 WinterReplace content.
Antje17 MAY 20212021 Summernew structure
JaR20 FEB 20232021 Winter LTSclarification



Excerpt

A yuuvis® Momentum user has to be authorized to the functionality of the system by assigning roles. For the individual roles, permissions can be set to allow actions on objects restricted by defined conditions where appropriate and the usage of specific endpoints can be controlled.

...

create
(as of 2021 Autumn)
permission to create new objects
read

permission to know the about the existence of objects, to receive them in search results and to call various GET endpoints to a special object

deletepermission that allows to delete objects content or metadata of objects for which also read permission is granted
writepermission to update objects or to move the content of objectsobjects for which also read permission is granted

Conditions

Conditions are statements in the proprietary CMIS-based query language that define the subset of documents in the system affected by a permission. If the condition for a document is met (meaning evaluating the query language expression returns 'true'), the owner of the role gets to access that document. For example, conditions can limit a user's access to a specific type of object or hide documents that are older than a specific date. The conditions are applied to all requests from the role owner and thereby act as filters for the corresponding search results. 

Note: In a permission including the create action, the CONTAINS()query function cannot be used in a condition. The whole statement would always be evaluated as false, even if the condition contains other sub-statements that do not use CONTAINS() and that would individually considered be evaluated as true. Thus, it is not possible to specify a condition on the content of objects to be created.

The condition can also be left out – indicating that the permission applies to all documents in the system.

...

Code Block
languagexml
titleExamples for Creation Permissions with Condition and without
<!-- UsersThis withrole thisdoes rolenot aregrant notany allowedpermission to create, update or delete any object. -->
<role>
   <name>CAN_CREATE_NOTHING</name>
</role>

<!-- UsersThis withrole thisgrants rolecreation canpermission createfor any object. No conditions have to be matched. -->
<role>
   <name>CAN_CREATE_EVERYTHING</name>
   <permission>
       <action>create</action>
   </permission>
</role>

<!-- UsersThis withrole thisgrants rolecreation canpermission createfor objects that match the condition. In this case, only objects of type 'appTable:order' or 'appEmail:email' can be created. -->
<role>
   <name>CAN_CREATE_SOMETHING</name>
   <permission>
      <action>create</action>
      <condition>
         system:objectTypeId IN ('appTable:order', 'appEmail:email')
   	  </condition>
   </permission>
</role>

As of 2023 Summer, it is possible to specify conditions referencing the abac (attribute-based access control) section within the internal JWT (JSON Web Token). The following example role grants read permission for objects with at least one entry of the string list property appEmail:mailboxes contained in the current user's @abac.mailGroups string list within the JWT.

Code Block
languagexml
titleExample for Read Permissions with Condition
<role>
   <name>CAN_CREATE_SOMETHING</name>
   <permission>
      <action>read</action>
      <condition>
         appEmail:mailboxes IN @abac.mailGroups
   	  </condition>
   </permission>
</role>

...