EXTEND rules

Applies to: On premises, On Cloud, Cloud Pak for Data

When you create a record level security formula, you can use an EXTEND rule.

An EXTEND rule is applied in addition to role-based security. An EXTEND rule grants access to an object for which role-based security does not grant access. The following formula illustrates how an EXTEND rule is evaluated:

If (RBS=True OR EXTEND_RULE_RESULT=True), then grant access

Notice the OR operator: either role-based security must grant access or the EXTEND rule result must be true. This means that users gain access to the object in all of the following scenarios:

  • Role-based security is granted and the EXTEND rule result is true, OR
  • Role-based security is granted and the EXTEND rule result is false, OR
  • Role-based security is not granted and the EXTEND rule result is true.

For example, suppose role-based security grants all users in the Finance group READ and UPDATE access on Control objects. However, you also want users to be able to READ and UPDATE if they are the owner of the control object, regardless of whether they belong to the Finance group. In this case, you can add an EXTEND rule on READ and UPDATE that checks the END_USER against the owner field of the object.

Figure 1. An EXTEND rule grants access to users who are owners of a control, regardless of their group membership
Flow diagram of the EXTEND rule example
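
The Finance/owner example above, modeled in Python as an added illustration (it is not OpenPages formula syntax and not IBM code). The user names, the Audit group, the object names and the DELETE operation are constructed; `extend_only_grants` lists the access that exists only because of the EXTEND rule, which is the set to review when auditing such a rule.

```python
# Model of the evaluation described above; not OpenPages formula syntax.
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset

@dataclass(frozen=True)
class Control:
    name: str
    owner: str

# Constructed role-based security: Finance gets READ and UPDATE on Control objects.
RBS_GRANTS = {"Finance": {"READ", "UPDATE"}}
# Operations the EXTEND rule is attached to (DELETE is deliberately not extended).
EXTEND_OPS = {"READ", "UPDATE"}

def rbs_allows(user, op):
    return any(op in RBS_GRANTS.get(g, set()) for g in user.groups)

def extend_rule(user, obj, op):
    # EXTEND rule result: END_USER matches the object's owner field.
    return op in EXTEND_OPS and user.name == obj.owner

def has_access(user, obj, op):
    # If (RBS=True OR EXTEND_RULE_RESULT=True), then grant access
    return rbs_allows(user, op) or extend_rule(user, obj, op)

def extend_only_grants(users, objects, ops):
    """Grants that exist solely because of the EXTEND rule (RBS alone denies)."""
    return sorted(
        (u.name, o.name, op)
        for u in users for o in objects for op in ops
        if extend_rule(u, o, op) and not rbs_allows(u, op)
    )

# Constructed sample data.
USERS = [User("alice", frozenset({"Finance"})),
         User("bob", frozenset({"Audit"})),
         User("carol", frozenset({"Audit"}))]
CONTROLS = [Control("CTL-1", owner="bob"), Control("CTL-2", owner="alice")]
OPS = ["READ", "UPDATE", "DELETE"]

if __name__ == "__main__":
    for row in extend_only_grants(USERS, CONTROLS, OPS):
        print(row)
```

Because the two results are combined with OR, the EXTEND rule can only widen what role-based security already grants: alice keeps her Finance access to every control, and bob gains READ and UPDATE only on the control he owns.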

For a more detailed example, see the record level security scenarios, such as Scenario: Access for business administrators.

When users view an object, they can see the associated child objects only under the following circumstances:
  • The associated child objects are included in a role template.
  • The associated child objects are not included in a role template, but a record level security rule that extends role-based security is applied to the parent object.