Create a security rule - SmartPlant Foundation - IM Update 46 - Help - Hexagon

SmartPlant Foundation Web Client Help

Language: English
Product: SmartPlant Foundation
Search by Category: Help
SmartPlant Foundation / SDx Version: 10

This functionality was modified in an update. For more information, see Create a security rule (modified in an update).

You can group multiple class definitions and access groups together into a security rule and restrict their access based on a condition.

Security rules can have a major impact on system performance. Do not create complex rules that lead to queries with many ORs or JOINs.

  1. In the System Administration feature set, select Create Security Rule.

  2. In the Create Security Rule page, type the name and description in the Main details section.

  3. In the Security rule definition box, type the syntax to describe the condition that the object must meet for the methods related to the access group to appear. Example: obj->SPFCXmtlExternalCompany_12.Name=ENV.USERORGANIZATIONNAME.

    • The security rule syntax is the same as that used to create conditions, but security rules do not support keywords such as 'NOT', 'OBJ1', or 'OBJ2', or function keywords such as 'ISSET' or 'ISSETB'. For more information about creating conditions, see Configure conditions.

    • The keyword 'INSTR' is supported, so you can calculate a value by comparing a property string (Obj.Name) to part of a substring (XYZ). For example, INSTR(Obj.Name, 'XYZ').

      • If a security rule expression contains interface definitions, then the comparator value should be 0 and should not contain '>' or '='. When '>' or '=' is used and set to '0', this means the security rule expression can or cannot contain the interface. For example, INSTR(obj.Interfaces, 'ISPFSubscribableItem') = 0.

      • If the left value of a security rule expression is different from the object expression, then the comparator value should be '0'. For example, INSTR(Env.SecurityCodesForUserInQueryConfig, Obj.SecurityCodeName) > 0.

  4. Find and select one or more class definitions from the Class definitions list to associate with the security rule.

  5. Find and select one or more access groups from the Access groups list to associate with the security rule.

  6. Find and select one or more edge definitions to expand and apply the security rule.

  7. Find and select one or more relationship definitions to expand from End1 to End2 and apply the security rule.

  8. Find and select one or more relationship definitions to expand from End2 to End1 and apply the security rule.

    For example, the following security rule definition has a relationship definition expansion:

    Obj->SDAItemSecurityCode_12.Name = Env.SecurityCodesForUserInQueryConfig Or obj.objdefuid = 'SDAArea'

    This security rule definition ensures that the results either match the security code or are in an SDAArea, which may not have a security code.
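
The following is an added example, not part of the product or of the original help page: a small Python lint that checks a security rule definition against the constraints listed in step 3 before it is typed into the Security rule definition box. The function name lint_security_rule and the thresholds MAX_ORS and MAX_EXPANSIONS are assumptions made for illustration; the page only warns against "many ORs or JOINs" without giving a number.

```python
import re

# Keywords the page says security rules do not support.
UNSUPPORTED = ("NOT", "OBJ1", "OBJ2", "ISSET", "ISSETB")
MAX_ORS = 3         # assumed review threshold; the page only says "many ORs"
MAX_EXPANSIONS = 3  # assumed threshold for "->" expansions, which become JOINs

# INSTR(<left>, <right>) optionally followed by a comparator and a value.
INSTR_RE = re.compile(
    r"INSTR\s*\(\s*([^,()]+?)\s*,\s*([^()]+?)\s*\)\s*(?:(>=|<=|<>|>|<|=)\s*(\S+))?",
    re.I,
)

def _strip_literals(rule):
    """Blank out quoted literals so keyword checks ignore string contents."""
    return re.sub(r"'[^']*'", "''", rule)

def lint_security_rule(rule):
    """Return a list of findings for one security rule definition string."""
    findings = []
    # Typographic quotes usually come from copy/paste out of documents.
    if re.search("[\u2018\u2019\u201c\u201d]", rule):
        findings.append("typographic quotes: retype literals with straight quotes")
    bare = _strip_literals(rule)
    for kw in UNSUPPORTED:
        if re.search(rf"\b{kw}\b", bare, re.I):
            findings.append(f"unsupported keyword: {kw}")
    ors = len(re.findall(r"\bOR\b", bare, re.I))
    if ors > MAX_ORS:
        findings.append(f"performance: {ors} ORs")
    expansions = bare.count("->")
    if expansions > MAX_EXPANSIONS:
        findings.append(f"performance: {expansions} relationship expansions")
    for left, _right, _op, value in INSTR_RE.findall(rule):
        # Interface checks and non-object left values must compare against 0.
        special = left.lower() == "obj.interfaces" or not left.lower().startswith("obj.")
        if special and value and value.strip("'") != "0":
            findings.append(f"INSTR on {left}: comparator value should be 0, got {value}")
    return findings

if __name__ == "__main__":
    # Constructed sample rule that violates several constraints at once.
    sample = "NOT ISSET(obj.Name) Or INSTR(obj.Interfaces, 'ISPFSubscribableItem') = 1"
    for finding in lint_security_rule(sample):
        print(finding)
```

An empty list means the rule passed these checks only; it does not confirm that the rule grants or restricts access as intended.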