Implementing MAC Policies

Introduced in 11 SP12, MAC Policies allow for more customization when it comes to Access Control. The standard access permissions available within Innovator are based solely on roles. Role based permissions are important, but sometimes you want to go deeper. MAC Policies provide that added level of depth: they allow you to create more complex rules to fit the needs of your organization. This blog post covers how to configure a MAC Policy and walks through some examples.

Defining the Policy

A MAC Policy has a few different parts which all work together to help define the policy. The image below is the main form for MAC Policies. 

Let's start with the two relationships on MAC Policies. Applied To is where we define the ItemTypes which will be affected by this MAC Policy. There are some restrictions on what kind of items can utilize MAC Policies, but the majority of standard ItemTypes are valid. Once you apply a MAC Policy to an ItemType, any interaction with an item of that type triggers an evaluation of the policy definition. The only exception to this is if the user is a member of an Exempt Identity. Any identities added to that list will have standard access to whichever ItemType this MAC Policy is applied to.

The Policy Rules relate to the standard Innovator access levels. Here you can assign different levels of access control to different permissions. This means you can define one policy for get permission, and a completely separate set of permissions for update. Each permission can be assigned a condition, which is specified within the MAC Policy editor. You can navigate to that using the ribbon on the left. 

Defining the Condition

Conditions are the heart of a MAC Policy. This is where you actually create the logic which is checked when a user interacts with an Item.  The condition is evaluated, and if a value of true is returned access is granted, otherwise it is denied. There are a few things you should note about MAC conditions:

  • Values are case sensitive. 
  • String literals must be enclosed in single quotation marks ('text'); a quotation mark inside a literal is escaped with a backslash (\').
  • A Constant acts as an operand when you use it in a comparison; otherwise a Constant is a string type.
  • Operators and precedence are the same as those used in SQL languages. 
  • Arithmetic operators are not supported. 
  • Parentheses can be used to override operator precedence. 
  • Operators are not case sensitive.
  • Comparing two strings follows Transact-SQL rules.

The editor offers IntelliSense-style auto-completion based on a fixed list of properties you can use. If you wish to add a new property to either the item or the user, you'll have to modify the MP_PolicyAccessItem and add a new property.

The condition above limits access to template items to the specified users. The OR clause is necessary to ensure that access to standard project items is not affected by the policy. Being able to combine a collection of Boolean operators lets you write complex conditions to control access. Here is another example of a simple MAC condition.

The example above allows anyone to access parts in general, but only members of the All Employees identity can access parts classified as software. This condition uses one of the functions unique to MAC conditions: IsMemberOf(), which is evaluated together with the policy and checks whether the active user is a member of the specified identity. Here is a list of functions you can use in your MAC conditions.
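To make the syntax rules and the two conditions above concrete, here is an added example that is not from the post or from Aras: a small Python evaluator for MAC-style condition strings (single-quoted literals with \' escapes, case-sensitive values, case-insensitive operators, SQL precedence with parentheses, and an IsMemberOf() function). Property names such as item.classification and the identity names are assumptions; Innovator's own evaluator runs inside the server and is not this code.

```python
import operator, re

# Token classes: quoted string (\' escapes a quote), comparison/grouping symbol, identifier, or junk.
TOKEN = re.compile(r"\s*(?:(?P<str>'(?:\\.|[^'\\])*')|(?P<op><>|[=<>()])|(?P<id>[A-Za-z_][\w.]*)|(?P<junk>\S))")
CMP = {"=": operator.eq, "<>": operator.ne, "<": operator.lt, ">": operator.gt}
def tokenize(src):   # string literals lose their quotes and \' escapes; an end sentinel is appended
    toks = [(m.lastgroup, m.group(m.lastgroup)) for m in TOKEN.finditer(src)]
    if any(kind == "junk" for kind, _ in toks): raise ValueError("unexpected character in condition")
    return [(k, v[1:-1].replace("\\'", "'") if k == "str" else v) for k, v in toks] + [("end", "")]

class MacCondition:   # recursive descent, SQL precedence: parentheses > comparison > NOT > AND > OR
    def __init__(self, src, props, is_member):
        self.t, self.i, self.props, self.is_member = tokenize(src), 0, props, is_member
    def kw(self, word):   # keywords and function names match case-insensitively; a hit consumes the token
        hit = self.t[self.i][0] == "id" and self.t[self.i][1].upper() == word
        self.i += hit
        return hit
    def take(self, kind, text=None):   # consume one token of the given kind (and text) or fail
        if self.t[self.i][0] != kind or (text and self.t[self.i][1] != text):
            raise ValueError(f"expected {text or kind} at token {self.i}")
        self.i += 1
        return self.t[self.i - 1][1]
    def or_expr(self):
        return self.chain("OR", lambda: self.chain("AND", self.not_expr))
    def chain(self, word, sub):   # `sub (word sub)*`; both sides are always evaluated
        v = sub()
        while self.kw(word):
            r = sub()
            v = (v or r) if word == "OR" else (v and r)
        return v
    def not_expr(self):
        return not self.not_expr() if self.kw("NOT") else self.comparison()
    def comparison(self):
        left = self.operand()
        if self.t[self.i][0] == "op" and self.t[self.i][1] in CMP:
            return CMP[self.take("op")](left, self.operand())   # values compare case-sensitively
        return left   # bare IsMemberOf(...) or a parenthesised sub-expression
    def operand(self):
        kind, text = self.t[self.i]
        if (kind, text) == ("op", "("):   # parentheses override precedence
            self.i += 1; inner = self.or_expr(); self.take("op", ")"); return inner
        if self.kw("ISMEMBEROF"):   # the built-in function the post describes
            self.take("op", "("); identity = self.take("str"); self.take("op", ")")
            return self.is_member(identity)
        return self.take("str") if kind == "str" else self.props[self.take("id")]

def can_access(rule, props, memberships):   # props: property values; memberships: user's identities
    cond = MacCondition(rule, props, lambda identity: identity in memberships)
    granted = cond.or_expr()
    cond.take("end")   # anything left over is a syntax error
    return bool(granted)
```

Unknown property names raise a KeyError, mirroring the editor's fixed list of properties; numeric constants are not handled, so quote them as strings.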

Activation

Once you've configured your MAC Policy to your liking, you can activate it under Actions > Activate. Once a policy is activated you cannot make changes until you create a new version; a separate action creates a new version of the existing MAC Policy for editing, so you can make modifications before applying the new policy. The Deactivate action turns the policy off. MAC Policies should only be activated or deactivated when there are no online users.

Closing Thoughts

MAC Policies can be incredibly powerful, but be careful with implementation. MAC Policies with incorrect conditions can limit access across the board. With proper configuration you can limit subsets of items to any group of users you wish. There are a lot of possibilities, and you can configure the policies to fit your exact needs. 

If you have any interesting examples of a MAC policy to share, please add them to this GitHub Repository! We would love to add more interesting use cases to that project, making it more useful for everyone.