Defining relationships

A relationship lets you grant a user access to a resource based on the user's relationship with that resource. If a policy defines a relationship, the user must satisfy that relationship with the resource in addition to satisfying the User Group, Action Group and Resource Group definitions. For example, an administrator may want to define a policy that allows only the creator of an order to update it. This type of policy is defined through relationships.

About this task

Access control policies have an optional relationship element. This relationship can only be created by loading an XML policy file that contains the relationship definition shown below:

  <Relation Name="value">

The Name attribute is the name of the relationship used in any policy, and is added to the ACRELATION table. Name corresponds to the relationship parameter of the fulfills() method on the protectable resource.

The following example shows the definition of a relationship called creator.

<Relation Name="creator">
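
The relationship check described above, sketched as an added Java example (not code from the product or its documentation). The `ProtectableResource`, `Order` and `Policy` types are simplified, hypothetical stand-ins, and the member IDs and the `OrderUpdate` action name are constructed sample values; the sketch shows the relationship being evaluated in addition to the three group checks, with an unrecognised relationship name denied.

```java
// Added illustration: a simplified model, not WebSphere Commerce source code.
import java.util.Set;

public class RelationshipCheckExample {

    // Hypothetical stand-in for a protectable resource; only fulfills() is modelled.
    interface ProtectableResource {
        boolean fulfills(Long memberId, String relationship);
    }

    // Constructed sample resource: an order that remembers who created it.
    static final class Order implements ProtectableResource {
        private final Long creatorId;
        Order(Long creatorId) { this.creatorId = creatorId; }

        @Override
        public boolean fulfills(Long memberId, String relationship) {
            // This string must match the Name in <Relation Name="creator">.
            if ("creator".equals(relationship)) {
                return creatorId != null && creatorId.equals(memberId);
            }
            return false; // unknown relationship names fail closed
        }
    }

    // Hypothetical policy: the user, action and resource groups are reduced to
    // sets; relationship is null when the policy defines none.
    record Policy(Set<Long> userGroup, Set<String> actionGroup,
                  Set<Class<?>> resourceGroup, String relationship) {

        boolean permits(Long memberId, String action, ProtectableResource res) {
            boolean groupsMatch = userGroup.contains(memberId)
                    && actionGroup.contains(action)
                    && resourceGroup.contains(res.getClass());
            if (!groupsMatch) return false;
            // The relationship is an additional condition, never an alternative.
            return relationship == null || res.fulfills(memberId, relationship);
        }
    }

    public static void main(String[] args) {
        Policy p = new Policy(Set.of(1001L, 1002L), Set.of("OrderUpdate"),
                Set.of(Order.class), "creator");
        Order order = new Order(1001L); // created by member 1001
        System.out.println(p.permits(1001L, "OrderUpdate", order)); // the creator
        System.out.println(p.permits(1002L, "OrderUpdate", order)); // in group, not creator
        System.out.println(p.permits(1001L, "OrderDelete", order)); // action not in group
    }
}
```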