Restrictive Conditions
When an account is shared with other actors, you can assign attribute-based restrictive conditions to these actors. These restrictive conditions give you greater control over the actors' access rights.
For example, factory administrators can be restricted by location so they can access only the data scoped to that place. As another example, a brand inspector who's restricted to a specific brand can access only products of that brand.
Any admin Operator who's allowed to manage Operator Access can apply these restrictions to their subordinates. These restrictions can also be applied to Access Tokens.
Do I need to assign conditions to my actors?
Actors who have no restrictive conditions can access all data within a resource.
For example, actors with permission to read products and no conditions may access all products in their accounts. Actors with the same permissions but who have conditions on `productBrand:brand_one` may access only products that have `brand_one` as the brand base field.
See Managing Conditions to learn how to manage restrictive conditions.
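The rule above can be modelled locally to audit which actors are unrestricted. This is an added example, not EVRYTHNG code or its API. The record layout, the `brand` key, the helper names and the treatment of several `productBrand` values as a union are assumptions, and all sample data is constructed.

```python
# Added example: local model of the access rule described above (not platform code).
KNOWN = {"accessPolicyId", "factoryId", "productBrand"}  # condition names seen on this page


def parse_condition(text):
    """Split 'name:value' into (name, value); reject malformed or unknown input."""
    name, sep, value = text.partition(":")
    if not sep or not value or name not in KNOWN:
        raise ValueError(f"malformed or unknown condition: {text!r}")
    return name, value


def visible_products(conditions, products):
    """Products a reader can see; only productBrand is modelled here."""
    brands = {v for n, v in map(parse_condition, conditions) if n == "productBrand"}
    if not brands:
        return list(products)  # no brand condition: every product is visible
    # Assumption: several productBrand values are treated as a union.
    return [p for p in products if p.get("brand") in brands]


def audit(actors):
    """Return (actors with no conditions, actors with unparseable conditions)."""
    unrestricted, invalid = [], []
    for actor in actors:
        try:
            parsed = [parse_condition(c) for c in actor["conditions"]]
        except ValueError:
            invalid.append(actor["name"])  # review by hand, do not guess the intent
            continue
        if not parsed:
            unrestricted.append(actor["name"])  # can access all data in the resource
    return unrestricted, invalid


# Constructed sample data (hypothetical record shapes).
PRODUCTS = [{"name": "p1", "brand": "brand_one"}, {"name": "p2", "brand": "brand_two"}]
ACTORS = [
    {"name": "admin", "conditions": []},
    {"name": "inspector", "conditions": ["productBrand:brand_one"]},
    {"name": "typo", "conditions": ["productBrand brand_one"]},  # missing ':'
]

if __name__ == "__main__":
    print(visible_products(ACTORS[1]["conditions"], PRODUCTS))
    print(audit(ACTORS))
```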
Available Restrictive Conditions
The EVRYTHNG Platform currently supports the following restrictive conditions:
Restriction name | Syntax | Supported APIs |
---|---|---|
Access Policy Id | "accessPolicyId:<ACCESS_POLICY_ID>" | Access Policies API, Operator Access API |
Factory Id | "factoryId:<FACTORY_ID>" | None |
These restrictive conditions can be added to an Operator Access payload and are then reflected in each supported API interaction. In some cases, the returned data is filtered, and in others the conditions affect the update or creation of resources. Learn more about how each restrictive condition behaves at Access Policies or Operator Access.