Privilege Conditions

The rights granted via a role in the yuuvis® RAD rights management can be accompanied by a clause that further refines them. The clause represents the WHERE part of an eSQL statement. So any clause will be constructed as follows: select * from dms:typename where <clause>. This page gives you examples of the possible clauses that can be used in this context.
It is important to know that the rights controlling the visibility of an object – 'Available' and 'Display' – will be precompiled and written to the Elasticsearch database. Thus, statements with dynamic parts such as currentuserid() or dateadd() will not work for these rights.

Selecting Objects by Date/Time Criteria

Important

The sysitemcreationdate field selects the creation date of the entire object (item), whereas syscreationdate selects the creation date of the active version.
The datetime identifier takes input of the form yyyy-MM-dd hh:mm:ss. The only required part is yyyy, but all left out parts will be autocompleted with 00.
Object type names and element (field) names are accessed by their technical names.

Clause	Description

Clause	Description
`sysitemcreationdate <= datetime'2018-01-23 13:14:15'`	The right will be granted to all objects (of the corresponding object type) that were created before or exactly on January 23, 2018, 13:14:15.
`syscreationdate < datetime'2018-07'`	The right will be granted to all objects (of the corresponding object type) that were created and last modified before July 1, 2018, 00:00:00.
`customfield1 = 'acknowledged' and customfield2 < datetime'2018-02-01'`	The right will be granted to all objects (of the corresponding object type) where `customfield1` has the value `acknowledged` and `customfield2` contains a date that is January 31, 2018, 23:59:59.999 or earlier.
`sysitemcreationdate <= dateadd(day, -7, currentdatetime())`	The right will be granted to all objects (of the corresponding object type) that were created a week ago from now (including the time) or earlier. The `dateadd()` function can add to or subtract a specified amount of time from the provided date: `dateadd(<unit>, <amount>, <date>)` The unit can be "second", "minute", "hour", "day", "week", "month", "year" The date can be taken from the index data, specified manually or `currentdate()` (start of current day)/`currentdatetime()` (now) WARNING: This is a dynamic statement. Do not use this for the 'Available' or 'Display' right.

Selecting Objects by Creator Criteria

Statement	Description

Statement

Description

exists (select 1 from syscreationtraceOwner2user r join org:sysuser u where r.sysid1=sysid and u.sysname='user4711')

The right will be granted to all objects (of the corresponding object type) where the creator of the currently active version was user4711.
This means either the object is in version 1 and user4711 was the creator, or the object is in version 2 or higher and user4711 was the last modifier.

exists (select 1 from syscreationtraceOwner2user r where r.sysid1=sysid and r.sysid2=currentuserid())

The right will be granted to all objects (of the corresponding object type) where the creator of the currently active version was the currently logged-in user.
This means the object is either in version 1 and the currently logged-in user was the creator, or the object is in version 2 or higher and the currently logged-in user was the last modifier.

WARNING: This is a dynamic statement. Do not use this for the 'Available' or 'Display' right.

exists (select 1 from sysversionedcreationtraceOwner2user r where r.sysid1=sysid and r.sysid2='user4711')

The right will be granted to all objects (of the corresponding object type) where the creator of the first version was user4711.
This means user4711 created the (first version of the) item.

Selecting Objects by Index Data/ID

Statement	Description

Statement	Description
`sysitemid = id'ED01B5E5996648088D0A474C37962C93'`	The right will be granted to the object (of the corresponding object type) with the item ID `ED01B5E5996648088D0A474C37962C93`.
`longnumber = 123456789L`	The right will be granted to all objects (of the corresponding object type) where the field `longnumber` has the value `123456789`.
`string1 = 'ipsum'`	The right will be granted to all objects (of the corresponding object type) where the field `string1` has the value `ipsum`.
`catalogfield = 'english'`	The right will be granted to all objects (of the corresponding object type) where the field `catalogfield` has a catalog entry with data value `english`.
`orderstable containsrowwithcondition(orderstablerecord.order = 'order4711')`	The right will be granted to all objects (of the corresponding object type) where the table `orderstable` has a row in which the `order` column has the value `order4711`. This also applies to multi-tagging fields which are technically a table with one column. In this case, any element has to have the value `order4711`. ← Valid for versions <= 8.16 LTS
`ordersset containsrowwithcondition(order = 'order4711')` `ordersset containsrowwithcondition(order IN ('order4711','value0815'))`	Valid for versions >= 9.0 The right will be granted to all objects (of the corresponding object type) where the field of type SET[string] (multi-tagging) with the technical name `ordersset` contains an element (chip) with the technical element name `order` that has the value `order4711` (first example) or the values `order4711` or `value0815` (second example).
`field1='value1' and exists (select 1 from folder f where f isParentOf doctype and f.folderfield = 'value2')`	The right will be granted to all objects of type `doctype` where the field `field1` has the value `value1` and where its parent object (folder type with technical name `folder`) has the value `value2` in the field `folderfield` on the folder type. Pay attention that the right side of the `isParentOf` operator is the technical name of the document type that you are editing this clause for.