Configuring conditions
Conditions can be used to further specify the policy on an element in Valtimo. When a condition is used in the policy it will match the conditions against the element it is trying to access. If the element matches the conditions it will be loaded, if a condition fails it will not be loaded.
This page requires:
Knowledge of JSON
Use case
Use case: An implementation has 5 case types. 2 of those 5 case types should only be accessible to managers.
Solution:
Give the managers
ROLE_MANAGER.Configure with conditions in PBAC that only
ROLE_MANAGERcan view these cases based on their Case Definition Name.Users without
ROLE_MANAGERwill no longer be able to view the 2 cases in Valtimo.
Supported conditions
The following conditions can be used with their respective structures:
container
Allows more complex conditions by denoting the related entity the nested conditions should apply to.
Field
type
The type of condition. In this case field.
field
field
The field the value should be compared against.
assigneeId, documentDefinitionId.name
operator
The operator for the comparison.
==, <
value
The value to compare the field against.
20000, ${currentUserId}
Expression
type
The type of condition. In this case expression.
expression
field
The field used to start the path from.
content.content
path
The path that points to the field to compare to.
$.height
operator
The operator for the comparison.
==, <
value
The value to compare the field against.
20000, ${currentUserId}
clazz
The name of the class that is found at the path.
java.lang.Integer
Container
type
The type of condition. In this case container.
container
resourceType
The related resource type the conditions should apply to.
com.ritense.document.domain.impl.JsonSchemaDocument
Operators
==
Equal to.
!=
Not equal to.
>
Greater than.
>=
Greater than or equal to.
<
Smaller than.
<=
Smaller than or equal to.
list_contains
Checks if a collection contains the given value.
in
Checks if a value is contained in the given collection.
Special values for the value field
${currentUserId}
The identifier assigned to the current user.
${currentUserEmail}
The email address the current user has.
${currentUserRoles}
The list of roles the current user has.
Examples
Below a number of examples of applying conditions in Access control policies.
Expression permission with contains operator
In the example below, the list_contains operator is used to check if a specific flower is present inside the JsonSchemaDocument. Where the JsonSchemaDocument content could look like this: {"flowers": ["lily", "rose", "daisy"]}.
If the flower 'rose' is present in the JsonSchemaDocument, any user with the role ROLE_USER will be able to view that document.
Create case permissions
The following example demonstrates how to allow any user with ROLE_USER to create a case of type leningen. When trying to create a case, the case itself does not yet exist. So in order for conditions to be evaluated, they have to be defined based on the relation between the two resources,JsonSchemaDocument and JsonSchemaDocumentDefinition.
Create process instance permissions
The example below shows how to allow users with ROLE_USER to create a process instance of process definition type GenericProces. When trying to create a process instance, the execution itself does not yet exist. So in order for conditions to be evaluated, they have to be defined based on the relation between the two resources, CamundaExecution and CamundaProcessDefinition.
User task candidate groups permissions
Access to a user task is usually controlled by setting the 'Candidate groups' to a role. To make sure that the user task candidate groups work together with PBAC, an additional permission should be set. The example below shows how that can be done.
Last updated