Advanced capabilities of access control lists

Attributes can be customized to create more complex rules.

Rules can combine multiple attributes and use substitution strings, as shown in the following examples. You can create these custom attributes yourself.

Multiple attribute and value pairs
Use the + and - operators to combine attributes. You can also create complex rules and store the results in a single rule. With the following rule, the IBM® Rational® Synergy Support group can read and write all defect CRs for the Synergy product.
| Scope Attribute | Value | Access Permission | Users and Groups |
|---|---|---|---|
| Product_Line, Type | Synergy, Defect | Grant Read/Write | Synergy Support |

Attribute Value = Group substitution
You can create one rule to define all instances where the attribute value is the same as the group value. Use the {substitution} value for both the Attribute value and Users and Groups name. With this value, you can easily set permissions so that a group can have access to information specific to that group, as shown in the following example.
| Scope Attribute | Value | Access Permission | Users and Groups |
|---|---|---|---|
| Responsible_Group | {substitution} | Grant Read/Write | {substitution} |

Substring parsing
Use this feature when the attribute value is not an exact match for the group value, but a substring of one can be used to derive the other, or when the substring is not used in the group name at all.
In the following example, the ACL uses the value of Product_Line as a substring to create a list of groups that have permission to read and write the CR.
  • In the first rule, if Product_Line=DOORS, the groups DOORS_PM, DOORS_PD, and DOORS_Support have read/write access.
  • The second rule shows that CRs with a Product_Line of External and a Contractor_Group beginning with ext_ are readable by the group whose name is the substitution string (the part of Contractor_Group after ext_).
  • The third rule shows an example of the CR attribute value being a substring of the Group.
  • The last rule is an example of using {substitution} in the scope but not in the list of users and groups. CRs with Product_Line values of Public_nnn are readable and writable by everyone.
| Scope Attribute | Value | Access Permission | Users and Groups |
|---|---|---|---|
| Product_Line | {substitution} | Grant Read/Write | {substitution}_PM, {substitution}_PD, {substitution}_Support |
| Product_Line, Contractor_Group | External, ext_{substitution} | Grant Read | {substitution} |
| Product_Line, Contractor_Group | External, ext_{substitution} | Grant Read | {substitution}_Group |
| Product_Line | Public_{substitution} | Grant Read/Write | {everyone} |
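
The following Python sketch is an added illustration, not IBM code or part of the product: it models how the four substring-parsing rules above resolve to groups for a given CR. It assumes that {substitution} captures one or more characters, that every scope attribute in a rule must match, and that all matching rules accumulate; the function names are hypothetical.

```python
import re

TOKEN = "{substitution}"
# The four rules from the substring-parsing table: (scope, permission, groups).
RULES = [
    ({"Product_Line": TOKEN}, "Read/Write",
     [TOKEN + "_PM", TOKEN + "_PD", TOKEN + "_Support"]),
    ({"Product_Line": "External", "Contractor_Group": "ext_" + TOKEN},
     "Read", [TOKEN]),
    ({"Product_Line": "External", "Contractor_Group": "ext_" + TOKEN},
     "Read", [TOKEN + "_Group"]),
    ({"Product_Line": "Public_" + TOKEN}, "Read/Write", ["{everyone}"]),
]

def match_scope(scope, cr):
    """Return (matched, captured substring) for one rule scope against a CR."""
    captured = None
    for attr, pattern in scope.items():
        value = cr.get(attr)
        if value is None:
            return False, None
        # Assumption: the token captures one or more characters and the
        # rest of the pattern is literal text that must match exactly.
        regex = "(.+)".join(re.escape(part) for part in pattern.split(TOKEN))
        m = re.fullmatch(regex, value)
        if m is None:
            return False, None
        if m.groups():
            captured = m.group(1)
    return True, captured

def grants(cr):
    """Map each group named by a matching rule to its set of permissions."""
    result = {}
    for scope, permission, groups in RULES:
        matched, captured = match_scope(scope, cr)
        if not matched:
            continue
        for template in groups:
            name = template.replace(TOKEN, captured or "")
            result.setdefault(name, set()).add(permission)
    return result

# Constructed sample CRs, not taken from a real database.
for cr in ({"Product_Line": "DOORS"},
           {"Product_Line": "External", "Contractor_Group": "ext_Acme"},
           {"Product_Line": "Public_Docs"}):
    print(cr, "->", grants(cr))
```

In this model the first rule's bare {substitution} scope matches every Product_Line value, so External and Public_ CRs also resolve to the corresponding _PM, _PD and _Support groups. Checking a rule set for such overlaps is a useful step when reviewing who can reach a CR.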
