Skip to main content

Access policies

Control access to items based on their data

As an admin, permissions let you specify which user groups have read or write access to all items of a particular design/interface. For more granular per-item access control, you can extend your permissions configuration with access policies.

An access policy lets you control which items of a design/interface are accessible to users, based on each item's attribute values.

Each rule in the policy targets a set of user groups and has one or more expressions. Each expression defines a condition that items of the targeted design/interface must fulfil to be accessible to those user groups. A rule may require all or any of its expressions to be fulfilled before access is granted.

For example, imagine an access policy that targets the Street Cleaning Jobs design. It has a rule stating that Group A can only see items whose Geometry attribute is located within a specific area.

Caution

Access policies don't work on their own! If a user group doesn't have the Read permission enabled for a design/interface, the group can't access any of those items, regardless of any access policies.

Interfaces

If you create an access policy for an interface, it will apply to all designs/interfaces that implement it.

For example, imagine an access policy that targets the Jobs interface. It has a rule stating that Group B can only see items of designs that implement the interface, whose Team attribute equals "Street Cleaning Team B".

However, be aware that those designs/interfaces may have their own access policies, which could affect the overall item results.

Multiple access policies

In situations where multiple access policies apply, access is granted to any item that fulfils at least one of those policies.

For example, imagine a user that belongs to Group A and Group B in the examples above. If they search the Street Cleaning Jobs design, they will only see items located within the specific area, or assigned to "Street Cleaning Team B", or both!

Access policies in action

Like permissions, access policies are enforced throughout Alloy, whenever item data is fetched. This includes:

If any access policies exist for a given design/interface, the items shown to users will be filtered, according to the groups a user belongs to (either directly or via a role).

Note

Layers and workflows aren't affected by access policies because they run under a system user (even when manually triggered). However, you can use permissions to restrict access to individual layers and workflows as needed.