Creating and Activating a DAC Domain Policy

The procedure for creating and activating a DAC policy is described in detail in the following sections. As described earlier, it is a bottom-up process: each step builds on the artifacts created in the previous one.

  • Creating a Query Definition:

    The Query Definition specifies the paths from the Root item through one or more Relationships to Leaf Items. It is accessed from the TOC folder Administration/Configuration.

  • Creating a Derived Relationship Family (DRF):

    A Derived Relationship Family is an ItemType that contains a Query Definition and one or more relationship paths derived from this query known as Derived Relationships. It can also be found in the TOC folder Administration/Configuration.

  • Defining Derived Relationships:

    Derived Relationships are related items on the “Derived Relationships” tab of the DRF. Each has a Name identifier and the start and end points of the DAC Subdomain in the columns “Departure Item Type […]” and “Destination Item Type […]”.

  • Persisting DAC Access Control Table (unidr_Relationships table):

    Once a Derived Relationship Family and its subdomain definitions are completed, the “unidr_Relationships” table is populated with data to track all instances of the specified subdomain in the database. This may take quite a bit of time for large databases.

  • Creating a DAC Definition (Policy):

    Once the Derived Relationship Family is persisted, we create a DAC Definition that applies DAC Access Rules for each DRF subdomain conditionally based on root item permissions and leaf item life cycle states.

An active DAC Definition automatically creates DAC Domains for all instances of the root item. Access is based on the Team attached to the root item and governed by the permissions set in the DAC Definition. DAC access is calculated based on the table of unidr_Relationship items which are automatically synchronized with the results of the Derived Relationship Family’s Query Definition.
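The following is an added illustration, not code from Aras Innovator or from this documentation, of the bottom-up chain just described: a query definition (paths from a root item type through one or more relationships to a leaf item type) is turned into derived relationships, those are persisted as a table of (subdomain, root, leaf) rows standing in for the unidr_Relationships table, and a DAC definition then grants permissions per subdomain conditionally on the user's role in the root item's Team and on the leaf item's life cycle state. All item types, relationship names, teams, roles, states and rules are constructed for the example and are not the product's own identifiers; the model only shows the DAC-derived part of access, not how the product combines it with other permission sources.

```python
"""Simplified model of the bottom-up DAC process (constructed example, not Aras code).

1. Query Definition / Derived Relationships: root item type -> relationship path -> leaf type.
2. Persisted table: (subdomain, root_id, leaf_id) rows, playing the role of unidr_Relationships.
3. DAC Definition: rules per subdomain, keyed on team role and leaf life cycle state.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class Item:
    id: str
    item_type: str
    state: str = ""                 # life cycle state (DAC rules test this on leaf items)
    team: Optional[str] = None      # Team attached to a root item
    related: Dict[str, List[str]] = field(default_factory=dict)  # relationship -> related ids


@dataclass
class DerivedRelationship:
    name: str                       # subdomain name
    departure_item_type: str        # root item type
    path: Tuple[str, ...]           # relationship names walked from root to leaf
    destination_item_type: str      # leaf item type


@dataclass
class DacRule:
    subdomain: str
    team_role: str                  # role the user must hold on the root item's Team
    leaf_states: FrozenSet[str]     # leaf life cycle states the rule applies to
    permissions: FrozenSet[str]     # permissions granted when the rule matches


def derive_relationships(items: Dict[str, Item], drf: List[DerivedRelationship]) -> Set[Tuple[str, str, str]]:
    """Persist the access-control table: walk every derived relationship path from each
    root instance and record one (subdomain, root_id, leaf_id) row per reachable leaf."""
    rows: Set[Tuple[str, str, str]] = set()
    for dr in drf:
        for root in items.values():
            if root.item_type != dr.departure_item_type:
                continue
            frontier = [root]
            for rel in dr.path:   # one hop per relationship in the query path
                frontier = [items[i] for it in frontier for i in it.related.get(rel, [])]
            for leaf in frontier:
                if leaf.item_type == dr.destination_item_type:
                    rows.add((dr.name, root.id, leaf.id))
    return rows


def evaluate_access(user: str, leaf_id: str, items: Dict[str, Item],
                    table: Set[Tuple[str, str, str]],
                    teams: Dict[str, Dict[str, Set[str]]],
                    rules: List[DacRule]) -> Set[str]:
    """Union of the permissions granted by every rule whose subdomain has a persisted row
    for this leaf, whose team role the user holds on that row's root item, and whose
    leaf states include the leaf's current state. No matching rule means no DAC grant."""
    leaf = items[leaf_id]
    granted: Set[str] = set()
    for subdomain, root_id, lid in table:
        if lid != leaf_id:
            continue
        root = items[root_id]
        roles = teams.get(root.team or "", {}).get(user, set())
        for rule in rules:
            if (rule.subdomain == subdomain and rule.team_role in roles
                    and leaf.state in rule.leaf_states):
                granted |= rule.permissions
    return granted


def build_sample():
    """Constructed data: two Projects (roots) with Documents and a File reachable through
    one- and two-hop relationship paths, two Teams, and a small DAC Definition."""
    items = {
        "P1": Item("P1", "Project", team="ProjectTeam",
                   related={"Project Deliverable": ["D1", "D2"]}),
        "P2": Item("P2", "Project", team="OtherTeam",
                   related={"Project Deliverable": ["D3"]}),
        "D1": Item("D1", "Document", state="In Work", related={"Document File": ["F1"]}),
        "D2": Item("D2", "Document", state="Released"),
        "D3": Item("D3", "Document", state="In Work"),
        "F1": Item("F1", "File", state="Released"),
    }
    drf = [  # the Derived Relationship Family: two subdomains from the same root type
        DerivedRelationship("ProjectDocuments", "Project", ("Project Deliverable",), "Document"),
        DerivedRelationship("ProjectFiles", "Project",
                            ("Project Deliverable", "Document File"), "File"),
    ]
    teams = {"ProjectTeam": {"alice": {"Manager"}, "bob": {"Member"}},
             "OtherTeam": {"carol": {"Manager"}}}
    rules = [  # the DAC Definition
        DacRule("ProjectDocuments", "Manager", frozenset({"In Work", "Released"}),
                frozenset({"get", "update"})),
        DacRule("ProjectDocuments", "Member", frozenset({"In Work"}), frozenset({"get"})),
        DacRule("ProjectFiles", "Manager", frozenset({"Released"}), frozenset({"get"})),
    ]
    return items, derive_relationships(items, drf), teams, rules


if __name__ == "__main__":
    items, table, teams, rules = build_sample()
    for user, leaf in [("alice", "D1"), ("bob", "D1"), ("bob", "D2"), ("alice", "D3"), ("alice", "F1")]:
        print(user, leaf, sorted(evaluate_access(user, leaf, items, table, teams, rules)))
```

Two behaviours of the real mechanism are visible in the model: access to a leaf depends entirely on which root it was reached from (bob gets nothing on D3 because it belongs to a Project whose Team he is not on), and the persisted table must be re-derived whenever the item graph changes, which is why the product synchronizes unidr_Relationship items with the query results and why the initial population is slow on large databases.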