Creating a New MAC Policy
- You can find MAC Policies in Aras Innovator by clicking Administration --> Access Control --> MAC Policies in the TOC. The following menu appears:
Figure 11.
Only users with administrative permissions can create MAC Policies. When you create a MAC Policy you must first specify its Name and save it; only then can you add MAC Policy rules to it. Use the following procedure:
Click Create New MAC Policy. The following screen appears:
Figure 12.
- Enter the Policy Name in the Name field and click Save. The MAC Policy Editor icon appears in the left margin.
Figure 13.
Creating a MAC Condition
To create a new Condition, switch to the MAC Policy Editor view by clicking on the MAC Policy Editor icon.
Selecting the New Condition icon makes the lower portion of the window available for entering the Condition statement of the Policy Rule:
Figure 14.
The access administrator can create any number of Conditions within a given policy. Conditions are edited in the lower pane; the upper pane displays the saved Conditions previously created within this MAC Policy Item.
A MAC Condition consists of one or more Boolean expressions combined with the logical operators AND, OR, and NOT. Boolean expressions can reference CurrentItem or CurrentUser attributes, which may be:
- Property-based attribute obtained from the Item being accessed—CurrentItem.<attribute_name>.
- Property-based attribute from the User making access request—CurrentUser.<attribute_name>.
- Environment Attribute—dynamically generated on invocation via Method execution.
- Derived Multivalued Attribute—created using the Derived Attribute Definition item.
- xClass or xProperty reference used as an attribute.
Expressions may also use constant values (hard-coded values).
The following syntax rules apply to Policy Rule Condition statements:
- Values are case sensitive.
- String literals must be enclosed in single quotation marks ('text'); a quotation mark inside a literal is escaped with a backslash (\').
- A constant can be used as an operand in a comparison; elsewhere a constant is treated as a string.
- Operators and their precedence are the same as in SQL.
- Operators are not case sensitive.
- Arithmetic operators are not supported.
- Parentheses can be used to override operator precedence.
- Comparing two strings follows Transact-SQL rules.
Adding Supported ItemType Properties
Only properties that are attached to the mp_PolicyAccessItem ItemType can be referenced in a Policy Rule Condition statement. To reference further properties, open the mp_PolicyAccessItem ItemType and add the properties that the MAC Policy Rules need to reference.
Figure 15.
Properties added to mp_PolicyAccessItem must exactly match the properties of the ItemTypes to which the MAC Policies are applied. Every ItemType the MAC Policy is applied to must have the referenced property; otherwise validation fails when the administrator attempts to save the Policy. The following data types are supported:
- String
- Integer
- Float
- Decimal
- Boolean
- Date
- Item
- List
In the example above (Figure 15), the clearance_level property has been added, so a Policy Rule can reference it using the following syntax: CurrentItem.[Clearance Level].
Supported Comparison Operators for Boolean Expressions
Table 3 lists the operators that you can use in the Condition statement of a Policy Rule.
Table 3: Supported comparison operators for Boolean expressions
| Operation | Name | Usage | Meaning |
|---|---|---|---|
| = | Equals | valueRef1 = valueRef2 | TRUE if the left value is equal to the right value. |
| > | Greater Than | valueRef1 > valueRef2 | TRUE if the left value is greater than the right value. |
| < | Less Than | valueRef1 < valueRef2 | TRUE if the left value is less than the right value. |
| >= | Greater Than or Equal To | valueRef1 >= valueRef2 | TRUE if the left value is greater than or equal to the right value. |
| <= | Less Than or Equal To | valueRef1 <= valueRef2 | TRUE if the left value is less than or equal to the right value. |
| != | Not Equal To | valueRef1 != valueRef2 | TRUE if the left value is not equal to the right value. |
| LIKE | Like | valueRef1 LIKE valueRef2 | TRUE if the left value matches the right value (a pattern). The syntax of the LIKE operator is exactly the same as in Transact-SQL. |
Available Helper Methods
Table 4 lists the helper methods that you can use within the Condition statement of a Policy Rule.
Table 4: Available helper methods
| Method | Response |
|---|---|
| CurrentUser.IsMemberOf(<Identity Name>) | Returns true if the current user is a member of the (non-system) Identity <Identity Name>; otherwise returns false. |
| CurrentUser.IsMemberOf(Property<Item>) | Returns true if the current user is a member of the Identity referenced by an Item property of type Identity. For example: CurrentUser.IsMemberOf(CurrentItem.identity_id) |
| CurrentUser.IsMemberOf(<multival attribute>) | Returns true if the current user is a member of at least one of the (non-system) Identities in the collection <multival attribute>. |
| String.Contains(<StringToSearch>, <SearchForString>) | Returns true if <SearchForString> is a substring of <StringToSearch>; otherwise returns false. |
| CurrentItem.HasUserVisibilityPolicyAccess() | Returns true if the current user has access to the current item under the active User Visibility Rules. This function can only be applied to the User, Alias, and Identity ItemTypes. |
Using xClasses and xProperties in MAC Policy Conditions
You can use xProperties that are associated with the mp_PolicyAccessItem ItemType as item attributes in MAC Policy conditions. Specify the supported xProperties on the Allowed xProperties relationship tab of mp_PolicyAccessItem. You can also use xProperties that are associated with the User ItemType as user attributes. Using xProperties in MAC Policy conditions incurs a performance penalty, but it has the advantage of letting you control access to an item xProperty independently of access to the item itself (and therefore to all of the item's regular properties).
When a MAC Policy condition uses an xProperty that is undefined on the item or user, the condition is evaluated according to the same rules that apply to AML. You can explicitly check in a MAC Policy condition whether an xProperty is defined on an item or a user using the built-in functions described in the section Using Methods to Verify Item Classification.
In MAC Policy conditions you can also check whether an item or a user is classified by an xClass, using the built-in functions described in the section Using Methods to Verify Item Classification.
Using Methods to Verify Item Classification
Table 5 lists the methods that let you check in a MAC Policy condition whether an item or user is classified by a particular xClass or has a particular xProperty defined.
Table 5: Methods for Item classification verification
| Method | Response |
|---|---|
| CurrentItem.IsXPropertyDefined(<xPropertyName>) | Returns true only when <xPropertyName> is defined on CurrentItem. |
| CurrentItem.IsClassifiedByXClass(<xClassName>) | Returns true only when CurrentItem is classified by <xClassName>. |
| CurrentUser.IsXPropertyDefined(<xPropertyName>) | Returns true only when <xPropertyName> is defined on CurrentUser. |
| CurrentUser.IsClassifiedByXClass(<xClassName>) | Returns true only when CurrentUser is classified by <xClassName>. |
For more information about xClasses and xProperties, refer to the Extended Classification guide.
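The following is an added, self-contained example and not part of the Aras documentation or product: a small Python evaluator for the Condition grammar described above in the syntax rules, the comparison-operator table, the helper-method table and the classification-method table. It models the documented rules (case-sensitive values, case-insensitive operators, SQL precedence NOT > AND > OR with parentheses, single-quoted literals with backslash escapes, LIKE) so that a Condition statement can be exercised offline against constructed item and user attributes before it is saved in Innovator. Everything beyond the documented syntax is an assumption or a simplification of the real engine: the context dictionary and its sample values are constructed, the bracketed [Label] form is treated as a plain attribute key, the xProperty or xClass name is assumed to be passed as a string literal, LIKE supports only % and _, and HasUserVisibilityPolicyAccess is not modelled.

```python
"""Offline model of the MAC Policy Condition grammar described on this page.
Added illustration, not Aras Innovator code: case-sensitive values, case-insensitive
keywords, NOT > AND > OR precedence as in SQL, parentheses, 'literals' with \\' escapes,
LIKE, and the helper methods listed, so a Condition can be tried against constructed
attributes before it is saved in Innovator."""
import operator
import re

_TOKEN = re.compile(r"\s*(?:(?P<str>'(?:\\.|[^'\\])*')|(?P<num>\d+(?:\.\d+)?)"
                    r"|(?P<op><=|>=|!=|=|<|>)|(?P<punct>[(),])"
                    r"|(?P<ident>[A-Za-z_]\w*(?:\.(?:\[[^\]]+\]|[A-Za-z_]\w*))*)|(?P<bad>\S))")
_OPS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt,
        "<=": operator.le, ">=": operator.ge}
_CONVERT = {"str": lambda v: re.sub(r"\\(.)", r"\1", v[1:-1]),      # strip quotes, unescape \'
            "num": lambda v: float(v) if "." in v else int(v)}


def _lex(text):
    """Tokenize a Condition into (kind, value) pairs, ending with an eof marker."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m.lastgroup == "bad":
            raise SyntaxError("unexpected %r at offset %d" % (m.group("bad"), pos))
        tokens.append((m.lastgroup, _CONVERT.get(m.lastgroup, str)(m.group(m.lastgroup))))
        pos = m.end()
    return tokens + [("eof", "")]


def _like(value, pattern):
    """T-SQL LIKE with % (any run) and _ (one character); [..] classes are not modelled."""
    rx = "".join({"%": ".*", "_": "."}.get(c, re.escape(c)) for c in pattern)
    return re.fullmatch(rx, str(value), re.DOTALL) is not None


def _call(ctx, ns, method, args):
    """Helper methods from the tables above (HasUserVisibilityPolicyAccess is not modelled)."""
    m = method.lower()
    if (ns, m) == ("String", "contains"):
        return args[1] in args[0]                                # case-sensitive substring
    if (ns, m) == ("CurrentUser", "ismemberof"):                  # name, Identity property or collection
        names = args[0] if isinstance(args[0], (list, set, tuple)) else [args[0]]
        return any(n in ctx["identities"] for n in names)
    if m == "isxpropertydefined":                                # name passed as a literal (assumed)
        return ctx[ns].get(args[0]) is not None
    if m == "isclassifiedbyxclass":
        return args[0] in ctx["xclasses"].get(ns, ())
    raise NameError("unsupported helper method %s.%s" % (ns, method))


def evaluate(condition, ctx):
    """Recursive-descent evaluation of one Condition statement; returns True or False."""
    toks, pos = _lex(condition), 0

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def at(kind, *words):                       # keywords and operators are not case sensitive
        return toks[pos][0] == kind and (not words or str(toks[pos][1]).upper() in words)

    def chain(word, below, combine):            # one left-associative precedence level
        v = below()
        while at("ident", word):
            take()
            v = combine(v, below())
        return v

    def parse_and():
        return chain("AND", parse_not, lambda a, b: a and b)

    def parse_or():                             # OR binds loosest, then AND, then NOT
        return chain("OR", parse_and, lambda a, b: a or b)

    def parse_not():
        if at("ident", "NOT"):
            take()
            return not parse_not()
        if at("punct", "("):                    # parentheses override precedence
            take()
            v = parse_or()
            if take() != ("punct", ")"):
                raise SyntaxError("missing ')' in %r" % condition)
            return v
        left = operand()
        if not at("op") and not at("ident", "LIKE"):
            if not isinstance(left, bool):      # only a helper-method call may stand alone
                raise SyntaxError("%r is not a Boolean expression" % (left,))
            return left
        op, right = take()[1].upper(), operand()
        if op == "LIKE":
            return _like(left, right)
        if isinstance(left, str) != isinstance(right, str):   # string vs. number: coerce, as T-SQL does
            left, right = float(left), float(right)
        return _OPS[op](left, right)            # strings compare ordinally: values are case sensitive

    def operand():
        kind, value = take()
        if kind in ("str", "num"):
            return value
        if kind != "ident":
            raise SyntaxError("unexpected %r in %r" % (value, condition))
        ns, _, name = value.partition(".")
        if not at("punct", "("):                # CurrentItem.<attr> or CurrentUser.[Label];
            return ctx[ns][name.strip("[]")]    # a missing attribute fails validation on save
        take()
        args = []
        while not at("punct", ")"):
            args.append(operand())
            if at("punct", ","):
                take()
        take()
        return _call(ctx, ns, name, args)

    result = parse_or()
    if not at("eof"):
        raise SyntaxError("unexpected %r after expression" % (toks[pos][1],))
    return result


CTX = {  # constructed sample data, not taken from any Innovator instance
    "CurrentItem": {"Clearance Level": 3, "classification": "Secret", "title": "O'Brien assembly",
                    "identity_id": "Project Alpha Team", "allowed_identities": ["Finance", "Engineering"],
                    "xp_export_control": "ITAR"},
    "CurrentUser": {"Clearance Level": 2},
    "identities": {"World", "Engineering", "Project Alpha Team"},
    "xclasses": {"CurrentItem": {"Controlled Part"}}}
SAMPLE_CONDITIONS = [
    "CurrentUser.[Clearance Level] >= CurrentItem.[Clearance Level]",                 # 2 >= 3 -> False
    "CurrentItem.classification = 'secret'",                                           # case sensitive -> False
    "CurrentItem.classification like 'S_cret' and not (CurrentUser.[Clearance Level] = 3)",            # True
    "CurrentUser.[Clearance Level] = 1 OR CurrentUser.[Clearance Level] = 2 AND CurrentItem.classification = 'Secret'",  # True
    "String.Contains(CurrentItem.title, 'O\\'Brien') AND CurrentUser.IsMemberOf(CurrentItem.allowed_identities)",  # True
    "CurrentItem.IsClassifiedByXClass('Controlled Part') AND NOT CurrentUser.IsMemberOf(CurrentItem.identity_id)",  # False
]


def evaluate_samples(ctx=CTX):
    """Evaluate each sample Condition in order against the constructed context."""
    return [evaluate(c, ctx) for c in SAMPLE_CONDITIONS]
```

Calling evaluate_samples() returns [False, False, True, True, True, False]. The fourth Condition is the one to watch: because AND binds tighter than OR, it evaluates as `A OR (B AND C)` and grants access even though the first disjunct is false; the same Condition with parentheses around the OR would deny it. That precedence slip is exactly the kind of mistake that silently widens a policy, which is why it is worth checking a Condition against known attribute values before saving it.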