Authorization by Attribute Value controls access to one or more instances of a Business Object Type depending on evaluation of a single attribute of that BO Type according to a simple condition. The Working Area contains the definition of that simple condition and the attribute to which it applies. Authorization by Attribute Value There are three different ways to specify Authorization by Attribute Value:
Specifies the field (attribute) to which the following conditions should be applied. A click in the Field entry activates a separate window in which you can specify the particular attribute (displayed as a tree view). The Field (attribute) itself can be then specified in two different ways - by:
If the specified attribute of the business object matches these criteria then the authorization applies to the whole business object. A wild card '%' can be used to represent several characters. Note: The wild card symbol '%' can be placed only once within the value. Then the values are compared to the place of the '%' appearance. Any text mentioned in the permission definition behind the % sign is irrelevant and cuts no figure for the assessment of rights. Example: All objects that have Location = 10, which might represent an authorization to carry out an inventory for a specific room. See Authorization by Attribute Value using Specific Value sequence.
Sets a range of values that the attribute of the target business object should be in. The upper and lower bounds are treated inclusively. See Authorization by Attribute Value using Value Range sequence.
Specifies the attribute which value should match the contents of a particular User Variable (for example allowedDepartments). A right mouse click in the Variable entry activates a separate window in which you can specify the particular attribute (displayed as a tree view). See Authorization by Attribute Value using Variable sequence.
Select this item to use the Authorization by (Multitenancy) Dataset value. The combo box contains the hlq1 (hlq2, hlq3...) attributes which have defined a set of values (per user or per group) which make the additional condition for the authorization. For instance, if a user selects Department Object Type, selects "read" right and applies the hlq attribute, he will be able to "read" the Departments, but ONLY those Departments which the hlq field property applies to. See Multitenancy Definition section for details. Additionally, the 'Not Operator' check box can be used to define that a negation of the specified condition is to be used. | ||||||