Basic Concepts
In very simple terms, you implement aPriori Access Control by defining user groups that have permissions, which consist of rules regarding the actions that can or cannot be performed on specific resources.
aPriori Access Control does not control access to fields or attributes, only to resources. However, rules can make use of custom attributes to fine-tune access to resources.
Note: For discussion purposes, Access Control definitions in this section are shown as typed statements. However, you typically define Access Control using the aPriori GUI, so do not be too concerned about the syntax shown. aPriori constructs the Access Control rules from your input. For more information, see Using the Access Control UI later in this chapter.
To expand on the terms introduced above:
Groups are collections of aPriori users. Groups can have subgroups. (Groups do not need to have users as immediate members; they can have only subgroup members, where users are members of the subgroups.)
Permissions are associated with groups and consist of rules about the actions that can be granted or denied for a resource.
Resources are the entities to which you want to control access.
Rules consisting of subjects and properties can fine-tune conditions. Rules can be as simple or as complex as required, and you can use Booleans (AND, OR) to chain rule segments together. (But when starting out, it is important to keep things simple.)