Access Control Model Sample

Model files that are not in a project but are in the 6.4 DiveLine namespace retain their ACLs as set up in DI-Config.

Access control for Models in a 7.x project, whether created new or aliased in, is defined in Workbench.

Access control for Models in Workbench projects could resemble the following script excerpt:

  model-access {

    // The class limit, for the "Managers" group only
    limit-dimension {
      if-group "Managers"
      dimension "Sales Region"
      values "South*" "Not-appearing-in-this-film" "North"
    }

    // Same as $groups outside projects
    limit-dimension-by-groups {
      dimension "Product Family"
    }

    // Same as $user outside projects
    limit-dimension-by-username {
      dimension "salesperson-uid"
    }

    // New
    limit-dimension-by-property {
      dimension "Product Name"
      property "Products"
    }

    restrict-columns "Revenue" "Profit"
    allow-columns "Revenue" "Profit" {
      if-group "Managers"
    }

    restrict-columns "Revenue" "Profit"
    allow-columns "Revenue" "Profit" {
      if-property "Role" "Manager"
    }

    restrict-columns "Revenue" "Profit"
    allow-columns "Revenue" "Profit" {
      if-user "CEO"
    }

NOTE: The delete-columns tag is deprecated; use the restrict-columns and allow-columns tags instead.

    // Deprecated
    delete-columns "Cost" { if-user "someone" }
    delete-columns "Revenue" { if-group "group B" }
    delete-columns "Sensitive" { if-property "Sensitivity" "0" "1" "2" "3" }
    delete-columns "Units" {
      if-group "A group"
    }
  }

 

NOTE: Previous versions that used Model ACLs for security could not combine conditions with OR. Access control for 7.x projects and cBases supports the union of access control rules when using limit-rows-by-filter, which accepts an arbitrary Spectre expression to allow or disallow each row in a cBase.
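
A review-time lint for scripts shaped like the excerpt above, as an added example (not part of Workbench or its documentation): it flags the deprecated delete-columns tag and rule tags that appear inside a block that was never closed. The lexical rules, the RULE_TAGS list, and the SAMPLE script are assumptions taken from or constructed after the excerpt.

```python
import re

# Lexical rules assumed from the excerpt: // comments, "quoted" strings, { } blocks.
TOKEN = re.compile(r'//.*|"[^"]*"|[{}]|[^\s{}"]+')
# Tags the excerpt shows directly under model-access (assumed never to nest).
RULE_TAGS = {"limit-dimension", "limit-dimension-by-groups",
             "limit-dimension-by-username", "limit-dimension-by-property",
             "restrict-columns", "allow-columns", "delete-columns"}

def lint_model_access(text):
    """Return sorted (line, message) findings for a model-access script."""
    findings, stack, last_tag = [], [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        for tok in TOKEN.findall(line):
            if tok.startswith("//") or tok.startswith('"'):
                continue                      # comments and values carry no structure
            if tok == "{":
                stack.append((last_tag, lineno))
            elif tok == "}":
                if stack:
                    stack.pop()
                else:
                    findings.append((lineno, "stray closing brace"))
            else:
                last_tag = tok
                if tok in RULE_TAGS and len(stack) > 1:
                    outer, opened = stack.pop()   # recover as if the brace were there
                    findings.append((lineno, f"{tok} nested inside {outer} "
                                     f"opened on line {opened}; missing closing brace?"))
                if tok == "delete-columns":
                    findings.append((lineno, "deprecated delete-columns; "
                                     "use restrict-columns and allow-columns"))
    findings += [(ln, f"{tag} block never closed") for tag, ln in stack]
    return sorted(findings)

# Constructed sample: allow-columns on line 3 is missing its closing brace.
SAMPLE = '''model-access {
  restrict-columns "Revenue" "Profit"
  allow-columns "Revenue" "Profit" {
    if-group "Managers"
  restrict-columns "Cost"
  // Deprecated
  delete-columns "Units" { if-user "someone" }
}
'''

if __name__ == "__main__":
    for lineno, message in lint_model_access(SAMPLE):
        print(f"line {lineno}: {message}")
```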
