From the Minerva Vault: How to Create Secure Access Using MAC Policy in Aras Innovator

From the Minerva Vault: How to Create Secure Access Using MAC Policy in Aras Innovator


This blog by Damien Destrez goes over an incredibly interesting use case for MAC Policy within Aras Innovator. If you're unfamiliar with MAC Policies we have an introduction blog which can be found here, as well as another concrete example here.

If you prefer to watch the video tutorial, you can find it here.

Mandatory Access Control principles

  • First, a MAC Policy is a feature that by default is not activated on any ItemType, it's available to introduce specific business requirements around Security.
  • When active, MAC policies are a MANDATORY LAYER that cannot be skipped or bypassed.*The rule can include some specified Exempted User and/or Group of User
  • MAC policy basically compare properties from the logged in User and an Item:

Businesses that can be supported by MAC Policy

Data Model changes required

As MAC Policy is comparing properties between a User and an Item, we need to add to both ItemTypes for the properties that will be compared.

We will use as an example the Secrecy Level on Documents.

The end result that we need to prove is that a User with a Secrecy Level lower than the one set on the Document cannot access the Document.

New property on User

Add a new Property:

  • Name = sec_level
  • Label = Secrecy Level
  • Data type = Integer

New property on Document

Add a new Property:

  • Name = sec_level
  • Label = Secrecy Level
  • Data type = Integer

Allow custom property to be used on MAC Policy

We need to modify the ItemType: mp_PolicyAccessItem by adding the EXACT same property as the one just added on the ItemType: Document.

Add a new Property:

  • Name = sec_level
  • Label = Secrecy Level
  • Data type = Integer

Create a MAC Policy

As an Administrators, go into the TOC -> Administration -> Access Control

And then click "MAC Policies" / Create new

  • 1. Enter a Name (can have some space), and a Description if needed
  • 2. Into the TAB "Applied To", add the ItemTypes you want to activate this MAC Policy (in our case, Document)
  • 3. Into TAB "Exempt Identities" we can add Identities (User / Group of Users) that would skip this rule
  • 4. Save


Then we go into the Policy Rule Editor

  • 1. Click into the bar on the "New Condition" icon (first from the left)
  • 2. Set a Name on the bottom right
  • 3. Create the Rule by directly starting to type on the bottom left
    • CurrentUser.[Secrecy Level] >= CurrentItem.[Secrecy Level]
  • 4. Save the MAC Policy

Then you need to set Rule policy

  • 1. Go Back into the main Form
  • 2. Into the section "Policy Rules" set your rule on all "Accesses"
  • 3. Save the MAC Policy

Activate a MAC Policy

Once you have saved your MAC Policy and its rules

  • 1. Go into the Action menu
  • 2. Click on "Activate"
  • 3. A message will tell you when the MAC Policy is active

Modify a MAC Policy

If you need to modify an Active MAC Policy

  1. Into the Action Menu, first click on Deactivate
  2. Then in the same menu, click on "New Version"
  3. Then you can modify your MAC Policy as you wish
  4. Save your changes
  5. And finally, into the same menu, click on "Activate"

Daily Usage

Once you have everything setup, you need to modify your Forms (User + Document) to set the values.

And when a User will need to create a Document or modify one, the Secrecy Level will appear.

Here you can add any Business logic on the Client / Server side in order to avoid people creating documents on a Level that is above their own, or any other business logic.

The result will be, any Document created with a Secrecy Level superior to the User's one, won't be accessible by the user.

How to test

Log as an Administrator (i.e. admin)

  • Create multiple users with different Secrecy Level
  • Create 2 documents with the following Secrecy Level values.

Document Secrecy Level




User 100



User 500






Once those 2 Users and 2 Documents are created you can test that as follow:

  • Connect as User100
    • When running a Search for Document, nothing appears
  • Connect as User500
    • When running a Search for Document, only the 200 documents should appear
  • Connect as an Administrator (.i.e. admin)
    • When running a Search for Document, both documents should appear