Aras Innovator Platform

Relationship Structures as Access Control Domains

DAC grants access to items based on an item’s occurrence in a relationship structure under a Root item. The Root of the structure is the Domain scope (Project X in Figure 1). Access to a related Document item can be controlled by DAC for the Project Domain. DAC can grant or elevate access to the items within its Domain.

Figure 1.

DAC uses a ‘derived’ representation of existing physical relationships without making any changes to the source items, related items or relationships themselves. Derived Relationships allow DAC to track changes and organize access rules against the corresponding business data.

One or more branches or paths from a Root to a related item can be used to derive relationships. Each path and its endpoints define a DAC Subdomain. A DAC Domain contains all of the Subdomains derived by one Query Definition against a Root item.

Query Definition

A standard Aras Query Definition is used to indicate which parts of an overall ItemType Relationship structure are to be used by DAC in an access control policy.

Specifically, a query is used to extract the relationship ‘paths’ from Root to Leaf items that will implement DAC access control. The Aras Query Builder is used to define a Query Definition for DAC.

Figure 2.

Query Conditions, where-used references, and other Query Builder features are supported, thus providing a powerful method of identifying the specific paths, or ‘Subdomains’, within the Relationship structure where Access Rules will be set by DAC.
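
The derivation of Subdomains and a Domain from a Root item, described above, can be sketched as follows. This is an added conceptual example, not Aras code and not the Aras API: the item ids, relationship names, the tuple form used in place of a Query Definition, and the helper names are all constructed for illustration.

```python
# Conceptual model only; this is not the Aras Innovator API.
# All item ids, relationship names and helper names are constructed.

# Physical relationships: (source item, relationship type, related item).
RELATIONSHIPS = (
    ("project-x", "Project Document", "doc-1"),
    ("project-x", "Project Part", "part-1"),
    ("part-1", "Part Document", "doc-2"),
    ("part-1", "Part CAD", "cad-1"),
    ("project-y", "Project Document", "doc-3"),
)

# Stand-in for a Query Definition: the relationship paths, starting at the
# Root ItemType, that the access control policy should cover.
QUERY_PATHS = (
    ("Project Document",),
    ("Project Part", "Part Document"),
)


def derive_domain(root_id, query_paths=QUERY_PATHS, relationships=RELATIONSHIPS):
    """Map each Subdomain (path) to its derived (root, leaf) relationships.

    The source tuples are only read, never modified.
    """
    edges = {}
    for src, rel, dst in relationships:
        edges.setdefault((src, rel), []).append(dst)
    domain = {}
    for path in query_paths:
        frontier = [root_id]
        for rel in path:  # walk one hop per relationship type in the path
            frontier = [d for s in frontier for d in edges.get((s, rel), [])]
        domain[path] = {(root_id, leaf) for leaf in frontier}
    return domain


def subdomains_of(item_id, domain):
    """Return the Subdomains whose derived relationships end at item_id."""
    return sorted(p for p, pairs in domain.items()
                  if any(leaf == item_id for _, leaf in pairs))


if __name__ == "__main__":
    dom = derive_domain("project-x")
    for item in ("doc-1", "doc-2", "cad-1", "doc-3"):
        print(item, subdomains_of(item, dom) or "outside the Project X Domain")
```

In this model, cad-1 is related to Project X but falls outside the Domain because its path is not selected by the query, and doc-3 falls outside because it sits under a different Root.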