Managing Access to Data through Access Control Rules
In each context, a set of access control rules can be set when the context is created. These rules can be defined in the template that is used to create the context. Additionally, an administrator can define access control rules for the data that is in the context and in its child contexts, thereby further controlling the access to data. Generally, each access control policy rule does the following:
• Identifies a type of data stored in a specific administrative area (domain) to which access permissions are applied.
• Identifies the specific state (or all states) of an object to which access permissions are applied.
• Identifies participants (such as users, groups of users, roles, or entire organizations) for whom access is granted, denied, or absolutely denied.
• Specifies the access permissions (such as Read, Create, and Modify) given to the participants for the data type in the specified domain.
Access control policy rules have a hierarchy based on the domain hierarchy. Descendent domains inherit rules from ancestor domains. Policy rules granting permissions to a participant cannot override inherited rules denying or absolutely denying permissions to the same participant.
The following sections introduce the domains and context structure that are available.