Access Control Rule Guide

Operators#

Rule operators are effectively words which alter the behavior of particular access control rules. The following table is a guide on their use.

Multi-level Logical Criteria#

Criteria which is described as multi-level logical criteria indicates that it is a list of lists. The first level i.e. the list least indented to the right will be referred to the OR-list, and the list most indented to the right will be referred to the AND-list.

The OR-list matches if any of the criteria from it’s AND-list’s matches; in other words, a logical OR. The AND-list matches if all of it’s criteria matches the given request; in other words, a logical AND.

In addition to these rules, if the AND-list only needs one item, it can be represented without the second level.

Examples#

List of Lists#

The following examples show various abstract examples to express a rule that matches either c, or a AND b; i.e (a AND b) OR (c). In relation to access control rules all of these should be treated the same. This format should not be used for the configuration item type list(list(object)), see List of List Objects instead.

Fully Expressed#

rule:
  - - 'a'
    - 'b'
  - - 'c'

Omitted Level#

rule:
  - - 'a'
    - 'b'
  - 'c'

Compact#

rule:
  - ['a', 'b']
  - ['c']

Compact with Omitted Level#

rule:
  - ['a', 'b']
  - 'c'

Super Compact#

rule: [['a', 'b'], ['c']]

List of List Objects#

The following examples show various abstract examples that mirror the above rules however the AND-list is a list of objects where the key is named value. This format should only be used for the configuration item type list(list(object)), see List of Lists if you’re not looking for a list(list(object))

Fully Expressed#

rule:
  - - value: 'a'
    - value: 'b'
  - - value: 'c'

Omitted Level#

rule:
  - - 'a'
    - 'b'
  - value: 'c'

Compact#

rule:
  - ['a', 'b']
  - ['c']

Compact with Omitted Level#

rule:
  - ['a', 'b']
  - 'c'

Super Compact#

rule: [['a', 'b'], ['c']]