Intermediate MAC Policy

This post will cover some new features of Mandatory Access Control policies in Aras Innovator. Mandatory Access Control (MAC) is one way to control access to data based on the properties of the information requested and the properties of the user making the request. We’re going to go over how to incorporate environment attributes and derived attributes to determine whether to allow or deny access. The screenshots in this post were taken on Aras Innovator 12 Service Pack 7, and while the steps should be similar as long as you’re on Version 12, you may notice some small changes in what you see if you’re using a different service pack. Please note that you’ll need to be an administrator to follow along.

This article assumes you're comfortable with creating and maintaining basic MAC Policies. If you want to brush up, check out this post.

Environment Attributes

Environment Attributes grant or deny access based on the circumstances of an access request, such as when and where it is being made from. You'll find them in the table of contents just above MAC Policy. For example, say we want to stop users from accessing our information outside of work hours, to encourage employees not to spend too long at the office and to keep a healthy work/life balance.

Each environment attribute needs three things: a name, a type, and a method with which to get the value. Of these, the method is the most significant, and will need to be created according to the EnvironmentAttributeMethod template. As an example, make a method with the following code:

Now that you have that, go back to your environment attribute.

  1. For Name, enter "work_hours" in the field. This will be how we recognize and refer to our attribute.
  2. In Type, select "Boolean" from the dropdown. We only care if access is allowed or not, true or false.
  3. In Get Value Method, search for the method you created above and select it. That method sets the attribute to true between 9 am and 5 pm.
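As an added example (not code from the original post or from Aras), here is one way the "work_hours" Get Value method could compute its value. The static class, the method names and the time-zone id are assumptions; the decision logic is what you would paste into the signature that the EnvironmentAttributeMethod template generates for you.

```csharp
// Added example, not from the original post or from Aras.
// Computes the value for the "work_hours" environment attribute: true from
// 09:00 up to (but not including) 17:00. Class, method names and the
// time-zone id are assumptions.
using System;

public static class WorkHoursAttribute
{
    // Business hours are evaluated in a fixed zone rather than the server's
    // local zone, so the result does not silently change if the server is
    // moved or its clock is set to UTC. Assumed zone id; use your own.
    private const string BusinessZoneId = "Eastern Standard Time";

    // Pure decision function, so it can be unit-tested with fixed instants.
    public static bool IsWorkHours(DateTime utcNow, TimeZoneInfo zone)
    {
        DateTime local = TimeZoneInfo.ConvertTimeFromUtc(utcNow, zone);
        // Treating 17:00 itself as outside work hours is an assumption.
        return local.Hour >= 9 && local.Hour < 17;
    }

    // Entry point the Get Value method would call. It runs on the server for
    // every access check, so keep it cheap and free of side effects.
    public static bool GetValue()
    {
        TimeZoneInfo zone = TimeZoneInfo.FindSystemTimeZoneById(BusinessZoneId);
        return IsWorkHours(DateTime.UtcNow, zone);
    }
}
```

Because the attribute is evaluated server-side, the time it sees is the server's, not the requesting user's; the explicit zone conversion makes that choice visible rather than accidental.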

Once this environment attribute is set up, open the MAC Policy you'd like to use. You'll find that the variable $work_hours is now available and can be checked against in conditions.

Derived Attribute Definitions

Derived Attribute Definitions, meanwhile, allow queries to be run against all manner of other items and properties; you'll find them in the table of contents just above Environment Attributes. Perhaps we only want most users to see parts which have up-to-date documentation, and to hide documentation which is not current.

New Derived Attribute Definition 

The name and description are familiar from elsewhere in Aras Innovator, and the Datatype simply refers to the kind of data your query should return. The novel bit is the query itself, which goes in the Attribute Queries pane below. Each query has three parts. First, the Applied To column selects the ItemType the query starts from. The Leaf Item is where you use the related items and relationships from the root to specify the ItemType the query looks towards. The last part is the target property you want your query to return. For details and tips on building queries, take a look at this blog post on the subject.

Let's build the query to check whether related documents are current.

  1. Name your Derived Attribute. In this example, we'll name it "isDocumentCurrent".
  2. Double-click the Applied To column to open an ItemType selector.
  3. Search for and select Part.
  4. Double-click the Leaf Item column to open the query builder.
  5. Right-click the root node ("Part") and, under the "Add Related Item" option, click "Using Relationship".
  6. In the resulting menu, click Document.
  7. Click Add. You should now see the Part Document relationship and the related document.
  8. To the left of the related document, you can hover over several options. (See below!)
  9. The rightmost option allows you to add the properties you wish to use. Click it.
  10. Select the "modified on" property from the dropdown, then click Save.
  11. Below, click OK.
  12. You should now be back at the Derived Attribute screen. Save the attribute using the Save button at the top.

Go back to one of your MAC Policies. Since the Derived Attribute we just made applies to an item, you should be able to write CurrentItem.isDocumentCurrent, referencing the documents associated with the part. Note that you'll only see the Derived Attribute Definitions whose Applied To ItemType matches the ItemType your MAC Policy applies to.

Keep in mind that, for Derived Attributes, you can only go one level of indirection in the query builder. Longer chains of references would create performance issues, and we want to keep Aras Innovator nice and quick! On the topic of MAC Policy quirks, such policies cannot be used for the File ItemType, which has its own permissions and rules.

Conclusions and Congratulations

Now you know how to use derived and environment attributes in your MAC Policies. From here, keep in mind the way your organization uses information, which users will need what data, and how you can classify your items and properties to make sure things move smoothly. If you have questions, our community pages, and the comments below, are open!