Creating and Editing Access Control Rules
To create or edit a policy access control rule, click a domain’s name from the Domains pane in the Policy Administration window and select the Access Control Rules tab. In the Search Results table, choose one of the following:
• To create an access control rule, click the create new access control rule icon.
• To edit an access control rule, select an existing rule (one that is defined in the current domain) from the Search Results table and click Edit in the right-click actions menu, or click the edit icon. To help determine which rule to update, you can view additional information about the participant in each row by hovering over the participant. For an explanation of the information displayed, see Managing Access Control.
Note: If more than one rule is selected in the Search Results table, then Edit is disabled. The action is also disabled for rules from other contexts that are displayed as a result of including ancestor domains in the search.
When creating a rule, you must set the following properties for the rule:
Property | Action |
Type | Click the find icon to open the Find Type window. Select the object type for which you are defining a rule from the Object Type tree. Hover over a type name or icon to view its internal name in a tooltip. Note: All subtypes of the selected type inherit the rules defined for the type. Note: Types that are not instantiable do not display in the Find Types window by default; however, any that you specify in the property wt.admin.hierarchyListAdditions.wt.access.PolicyAccessControlled of the wt.properties file are displayed, provided that the type can be placed under access control. |
State | Select the life cycle state that an object must be in for the rule to apply, or select All to apply the rule to the object regardless of its state. If State does not apply to the selected object type, it is disabled. |
Participant | Select a user, group, organization, or role, and choose whether the permissions apply to the selected participant or to all users except the selected participant. Begin typing the name of a participant and make a selection from the auto-suggest list. Alternatively, click the find icon next to the search field, or More Search Options at the bottom of the auto-suggest list, to open the Find Participants window. Use this window to select a participant; for more information, see Find Participants. Note: All except selected participant cannot be selected for a pseudo role. |
Permissions | Select Grant, Deny, Absolute Deny, or None for each permission listed by clicking the corresponding radio button. Any permissions that do not apply to the selected object type are disabled. Granting some permissions automatically selects the Grant radio button for other permissions. For example, granting Modify permission automatically selects Grant for the Read and Download permissions. However, you can clear those automatic selections. See Access Permissions. Note: If a permission will automatically select other permissions, a tooltip displays when you hover over its radio button in the Grant column, stating which permissions will be selected. Note: Absolute Deny cannot be selected for a pseudo role. |
When you are satisfied with your choices, click OK to save your changes and return to the Policy Administration window, or click Apply to save the rule and clear your selections so that you can create another rule. Use Reset to clear the fields and restore the default values that were shown when you first opened the window.
OK and Apply are disabled until a type, state, and participant are selected and at least one permission has been selected in the Permissions table.
Edit Access Control Rule Window
When you edit a rule, you can modify only the permissions. When you are satisfied with your changes, click OK to save them and return to the Policy Administration window. At least one permission must be selected to save changes to the rule.