Example: Row Access Restricted to Row Creator
This example demonstrates the use of Trusted RUBIX ABAC to control access to the rows of a table so that only the creator of a row (the user who performed the INSERT) can access it. This is accomplished through a special column in the table, called name, that holds the name of the user who inserted the row. Policy sets the value of the name column during INSERT and disallows any later update to it. Policy also permits subsequent row operations (SELECT, UPDATE, DELETE) on a row only if the name of the requesting user is equal to the value of the row's name column.
To see a detailed description of this example, please see the Trusted RUBIX Security Policy Manager Tutorial.
The following diagram shows the policy components and their relation to each other. The SPML policy code is organized into four policies (user-table-table-ops, user-table-sel-del-upd, user-table-insert, and deny) and one policy set (user-table) that groups them.
Policy and Policy Set descriptions and code are:
The deny Policy: Always denies the operation. Used as the "catch-all" policy within policy sets so that any operation no other policy in the set permits is denied, giving the set a default-deny posture.
The user-table-table-ops Policy: Simply permits all table operations.
The user-table-sel-del-upd Policy: Permits row SELECT and DELETE only if the name of the user performing the operation is equal to the value of the name field of the row being operated on. Permits a row UPDATE only if the name of the user performing the operation is equal to the value of the name field of the row and the name field itself is not being updated; without that second condition the creator could hand a row to another user, or make it inaccessible, by rewriting name. This policy demonstrates the use of the Variable Definition construct (IsCreator), which lets a named snippet of logic be defined once and referenced by name multiple times throughout the policy.
The user-table-insert Policy: Permits all INSERT operations and sets the name field of the row being inserted equal to the name of the user performing the insert.
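The following is an added illustration of how the four policies and the user-table policy set described above combine to produce the row-creator behaviour. It is written in Python as a small model, not in SPML, and it does not use any Trusted RUBIX API; the policy names mirror the page, while the Request structure, the combining rule (the first applicable policy decides, with deny last as the catch-all), the set of statements treated as "table operations", and the in-memory UserTable used to exercise the policies are assumptions made for the model.

```python
"""Model of the row-creator ABAC policy set (added illustration, not Trusted RUBIX SPML)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Row = Dict[str, object]

# Assumption: the statements the page's "table operations" policy covers.
TABLE_OPS = {"CREATE TABLE", "DROP TABLE", "ALTER TABLE"}


@dataclass
class Request:
    user: str                      # name of the user performing the operation
    action: str                    # SELECT, INSERT, UPDATE, DELETE or a table operation
    row: Optional[Row] = None      # existing row image (SELECT, DELETE, UPDATE)
    new_row: Optional[Row] = None  # proposed row image (INSERT, UPDATE)


def is_creator(req: Request) -> bool:
    """Variable Definition 'IsCreator': written once, referenced by several rules below."""
    return req.row is not None and req.row.get("name") == req.user


def user_table_table_ops(req: Request) -> str:
    return PERMIT if req.action in TABLE_OPS else NOT_APPLICABLE


def user_table_sel_del_upd(req: Request) -> str:
    if req.action in ("SELECT", "DELETE"):
        return PERMIT if is_creator(req) else NOT_APPLICABLE
    if req.action == "UPDATE":
        # "name is not being updated" is modelled as: the new image keeps the current value
        name_unchanged = req.new_row.get("name") == req.row.get("name")
        return PERMIT if is_creator(req) and name_unchanged else NOT_APPLICABLE
    return NOT_APPLICABLE


def user_table_insert(req: Request) -> str:
    if req.action != "INSERT":
        return NOT_APPLICABLE
    req.new_row["name"] = req.user  # policy sets name; any client-supplied value is overwritten
    return PERMIT


def deny(req: Request) -> str:
    return DENY  # catch-all: reached only when no policy above applied


USER_TABLE: List[Callable[[Request], str]] = [
    user_table_table_ops, user_table_sel_del_upd, user_table_insert, deny]


def evaluate(policy_set: List[Callable[[Request], str]], req: Request) -> str:
    """Assumed combining rule: the first policy that is applicable decides."""
    for policy in policy_set:
        decision = policy(req)
        if decision != NOT_APPLICABLE:
            return decision
    return DENY


class UserTable:
    """In-memory stand-in for the guarded table; every row operation consults the policy set."""

    def __init__(self) -> None:
        self.rows: Dict[int, Row] = {}   # keyed by the row's id column

    def insert(self, user: str, row: Row) -> str:
        req = Request(user, "INSERT", new_row=dict(row))
        decision = evaluate(USER_TABLE, req)
        if decision == PERMIT:
            self.rows[int(req.new_row["id"])] = req.new_row  # carries the policy-set name
        return decision

    def select(self, user: str) -> List[Row]:
        # rows the policy does not permit are filtered out, as a row-level filter would do
        return [r for r in self.rows.values()
                if evaluate(USER_TABLE, Request(user, "SELECT", row=r)) == PERMIT]

    def update(self, user: str, rid: int, changes: Row) -> str:
        row = self.rows[rid]
        new_row = {**row, **changes}
        decision = evaluate(USER_TABLE, Request(user, "UPDATE", row=row, new_row=new_row))
        if decision == PERMIT:
            self.rows[rid] = new_row
        return decision

    def delete(self, user: str, rid: int) -> str:
        decision = evaluate(USER_TABLE, Request(user, "DELETE", row=self.rows[rid]))
        if decision == PERMIT:
            del self.rows[rid]
        return decision


if __name__ == "__main__":
    t = UserTable()
    t.insert("alice", {"id": 1, "note": "hello", "name": "mallory"})  # name becomes alice
    print(t.select("alice"), t.select("bob"))
    print(t.update("alice", 1, {"name": "bob"}), t.update("alice", 1, {"note": "edited"}))
```

Two points the model makes visible: a client cannot pre-seat the creator column, because the INSERT policy overwrites whatever name value was supplied, and a creator's UPDATE that tries to change name falls through every permitting policy and lands on deny, exactly as the page describes.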