...

Examples for creation permissions with and without a condition:

```xml
<!-- This role does not grant any permission to create, update or delete any object. -->
<role>
   <name>CAN_CREATE_NOTHING</name>
</role>

<!-- This role grants creation permission for any object. No condition has to be matched. -->
<role>
   <name>CAN_CREATE_EVERYTHING</name>
   <permission>
       <action>create</action>
   </permission>
</role>

<!-- This role grants creation permission only for objects that match the condition.
     Here, only objects of type 'appTable:order' or 'appEmail:email' can be created. -->
<role>
   <name>CAN_CREATE_SOMETHING</name>
   <permission>
      <action>create</action>
      <condition>
         system:objectTypeId IN ('appTable:order', 'appEmail:email')
      </condition>
   </permission>
</role>
```

As of the Summer 2023 release, a condition can reference the abac (attribute-based access control) section of the internal JWT (JSON Web Token). The following example role grants read permission for an object when at least one entry of its string list property appEmail:mailboxes is also contained in the @abac.mailGroups string list of the current user's JWT. An object that carries no appEmail:mailboxes value can never satisfy the condition. Because the condition is evaluated against claims carried in the internal JWT, the effective permission is only as reliable as the process that issues that token and populates @abac.mailGroups: a stale or over-broad group list grants read access to more objects than intended.

Example for a read permission with a JWT-based condition:

```xml
<!-- This role grants read permission for objects that share at least one mailbox with the user's @abac.mailGroups list. -->
<role>
   <name>CAN_READ_SOMETHING</name>
   <permission>
      <action>read</action>
      <condition>
         appEmail:mailboxes IN @abac.mailGroups
      </condition>
   </permission>
</role>
```
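To make the semantics of both condition shapes concrete (a literal list on the right-hand side as in the creation examples, and a JWT claim list as in the read example), here is a small evaluator written for this page. It is an added illustration, not the product's own permission engine: it assumes roles are read from the XML shown above, that `IN` is satisfied when at least one value on the left-hand side appears in the right-hand list, that a permission without a condition always matches, and that any condition syntax it does not recognise is treated as not satisfied (fail closed). The role definitions and the object and JWT claim values are constructed for the example, with the read role named CAN_READ_SOMETHING.

```python
import re
import xml.etree.ElementTree as ET

# Constructed role definitions: the four example roles from this page, wrapped in one root element.
ROLES_XML = """<roles>
<role>
   <name>CAN_CREATE_NOTHING</name>
</role>
<role>
   <name>CAN_CREATE_EVERYTHING</name>
   <permission>
       <action>create</action>
   </permission>
</role>
<role>
   <name>CAN_CREATE_SOMETHING</name>
   <permission>
      <action>create</action>
      <condition>
         system:objectTypeId IN ('appTable:order', 'appEmail:email')
      </condition>
   </permission>
</role>
<role>
   <name>CAN_READ_SOMETHING</name>
   <permission>
      <action>read</action>
      <condition>
         appEmail:mailboxes IN @abac.mailGroups
      </condition>
   </permission>
</role>
</roles>"""

# Assumed grammar for the two condition shapes shown on the page:
#   <prefix:property> IN ('lit', 'lit', ...)      literal string list
#   <prefix:property> IN @abac.<claim>            string list claim from the internal JWT
_COND_RE = re.compile(
    r"^\s*(?P<prop>[A-Za-z_]\w*:\w+)\s+IN\s+"
    r"(?:\((?P<lits>[^)]*)\)|@abac\.(?P<claim>\w+))\s*$"
)


def parse_roles(xml_text):
    """Return {role_name: [(action, condition_text_or_None), ...]}."""
    roles = {}
    for role in ET.fromstring(xml_text).findall("role"):
        perms = []
        for perm in role.findall("permission"):
            cond = perm.findtext("condition")
            perms.append((perm.findtext("action").strip(), cond.strip() if cond else None))
        roles[role.findtext("name").strip()] = perms
    return roles


def _as_set(value):
    """Treat a missing value as the empty list and a scalar as a one-element list."""
    if value is None:
        return set()
    if isinstance(value, (list, tuple, set)):
        return set(value)
    return {value}


def condition_holds(condition, obj, abac):
    """Evaluate one condition against an object's properties and the JWT's @abac section.

    obj:  e.g. {"system:objectTypeId": "appEmail:email", "appEmail:mailboxes": ["sales"]}
    abac: e.g. {"mailGroups": ["sales", "hr"]}
    """
    if condition is None:          # no <condition> element: permission applies unconditionally
        return True
    m = _COND_RE.match(condition)
    if not m:                      # unknown syntax: fail closed rather than grant
        return False
    left = _as_set(obj.get(m.group("prop")))
    if m.group("claim") is not None:
        right = _as_set(abac.get(m.group("claim")))
    else:
        right = set(re.findall(r"'([^']*)'", m.group("lits")))
    # IN: at least one left-hand entry is contained in the right-hand list
    return bool(left & right)


def is_allowed(roles, user_roles, action, obj, abac):
    """Grant if any of the user's roles has a permission for the action whose condition holds."""
    for name in user_roles:
        for perm_action, cond in roles.get(name, []):
            if perm_action == action and condition_holds(cond, obj, abac):
                return True
    return False


if __name__ == "__main__":
    roles = parse_roles(ROLES_XML)
    mail = {"system:objectTypeId": "appEmail:email", "appEmail:mailboxes": ["sales", "support"]}
    print(is_allowed(roles, ["CAN_READ_SOMETHING"], "read", mail, {"mailGroups": ["support", "hr"]}))
    print(is_allowed(roles, ["CAN_READ_SOMETHING"], "read", mail, {"mailGroups": ["hr"]}))
```

Two points worth noticing when running it: an object without the appEmail:mailboxes property, or a JWT without @abac.mailGroups, yields an empty intersection and is therefore denied, and a malformed condition denies rather than grants, which is the behaviour you want from any authorisation rule parser.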

...