Applying Policy Rules

Once you create Conditions, you may assign them to specific Access Rights. There are five drop down lists:

• Show Permission Warning – determines if, when permissions are restricted, the user receives a standard permission warning.
• Discover – determines if the user can view an Item within a search grid.
• Get – determines if the user can open Forms and view all the Properties of an Item.
• Update – determines if a user can claim an Item, make changes, and save those changes.
• Delete – determines if a user can delete an Item.

Selecting a Condition from the dropdown list applies that Condition to the access right. The user is denied access if the selected conditions are not met.

Figure 22.

Standard Aras Innovator role-based permissions and all applicable MAC Policy rules must grant access to an Item before a user is able to access it.

Once you establish the Policy Rules, you must assign the MAC Policy to the desired ItemTypes and then activate the MAC policy. Assigning the MAC policy to ItemTypes is done by adding them to the Applied To Relationship. To activate a MAC Policy, unclaim the policy and select the ‘Activate’ Action. When Activating a MAC Policy, all users except for the admin activating the MAC Policy should be logged off and prevented from accessing the system until the MAC Policy is activated.

Figure 23.

Once activated, a MAC Policy can be deactivated or versioned. The Deactivate action sets a MAC Policy to the Inactive state. When a MAC Policy is Inactive, the Policy Rules are not applied to control access. To modify a previously active MAC Policy, the Policy must be versioned through the New Version Action. The previous revision of the MAC Policy is promoted to the Archived state only after the new version of the Policy is activated.