Combining RESTRICT and EXTEND rules

Applies to: On premises, On Cloud, Cloud Pak for Data

You can combine RESTRICT rules with EXTEND rules. Each rule is evaluated within the context of role-based security, and then an OR condition is applied. However, do not combine RESTRICT and EXTEND rules on the same object for the same privilege.

For example, you can combine a RESTRICT rule for READ and UPDATE with an EXTEND rule for DELETE:
Restrict Rule on READ, UPDATE
Extend Rule on DELETE

The rules are evaluated in the following manner, where RBS is the result of role-based security:

If evaluating READ access:
If (RBS=True AND RESTRICT_RULE_RESULT=True), then grant access

If evaluating UPDATE access:
If (RBS=True AND RESTRICT_RULE_RESULT=True), then grant access

If evaluating DELETE access:
If (RBS=True OR EXTEND_RULE_RESULT=True), then grant access

Attention: Do not use the same access privilege in both rules. This can lead to results that might not be in line with the behavior that you expect.

Here is an example of combined RESTRICT and EXTEND rules to help illustrate the point:
Restrict Rule on READ 
Extend Rule on READ

The formula is evaluated in the following manner:

If ((RBS=True AND RESTRICT_RULE_RESULT=True) OR 
(RBS=True OR EXTEND_RULE_RESULT=True)), then grant access

The result is that a user gets READ access in all of the following scenarios:

  • Role-based security is granted and the RESTRICT rule result is true, OR
  • Role-based security is granted and the EXTEND rule result is true, OR
  • Role-based security is granted and the EXTEND rule result is false, OR
  • Role-based security is not granted and the EXTEND rule result is true.

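In other words, the user will have READ access with role-based security, whatever the RESTRICT rule result is: the combined formula reduces to RBS=True OR EXTEND_RULE_RESULT=True, so the RESTRICT rule on READ has no effect.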
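
The following added example (not product code) models the evaluation formulas above and checks a rule set for the overlap that the Attention note warns about. The function names and the sample rule sets are constructed for illustration, and the fallback to role-based security alone when no rule covers a privilege is an assumption.

```python
from itertools import product

def grant(privilege, rbs, restrict_privs, restrict_result, extend_privs, extend_result):
    """Evaluate access as described above: each rule is evaluated in the
    context of role-based security (RBS), then the results are ORed."""
    terms = []
    if privilege in restrict_privs:
        terms.append(rbs and restrict_result)   # RESTRICT narrows RBS
    if privilege in extend_privs:
        terms.append(rbs or extend_result)      # EXTEND widens RBS
    # Assumption: with no rule on this privilege, RBS alone decides.
    return any(terms) if terms else rbs

def overlapping_privileges(restrict_privs, extend_privs):
    """Privileges named in both rules on the same object (misconfiguration)."""
    return sorted(set(restrict_privs) & set(extend_privs))

def restrict_is_effective(privilege, restrict_privs, extend_privs):
    """True if a false RESTRICT result can still deny a user whom RBS allows."""
    return any(
        not grant(privilege, True, restrict_privs, False, extend_privs, ext)
        for ext in (True, False)
    )

def truth_table(privilege, restrict_privs, extend_privs):
    """All (RBS, RESTRICT result, EXTEND result, granted) combinations."""
    return [
        (rbs, res, ext, grant(privilege, rbs, restrict_privs, res, extend_privs, ext))
        for rbs, res, ext in product((True, False), repeat=3)
    ]

# Constructed rule sets mirroring the two examples on this page.
SAFE = {"restrict": {"READ", "UPDATE"}, "extend": {"DELETE"}}
CONFLICT = {"restrict": {"READ"}, "extend": {"READ"}}

if __name__ == "__main__":
    for name, rules in (("SAFE", SAFE), ("CONFLICT", CONFLICT)):
        overlap = overlapping_privileges(rules["restrict"], rules["extend"])
        effective = restrict_is_effective("READ", rules["restrict"], rules["extend"])
        print(f"{name}: overlap={overlap} READ restrict effective={effective}")
        for row in truth_table("READ", rules["restrict"], rules["extend"]):
            print("  RBS=%s RESTRICT=%s EXTEND=%s -> grant=%s" % row)
```

Running the overlap check against rule definitions before they are deployed catches the case where a RESTRICT rule is silently neutralized by an EXTEND rule on the same privilege.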