Grammar for security rules
As an administrator, you need to understand the
grammar for a security rule formula so that you understand the potential
impact of adding a rule.
condition
Condition is the basic building block for a security rule formula.
|--+-- predicate ---------------------+--|
+-- NOT -- condition --------------+
+--condition -- AND -- condition --+
+--condition -- OR -- condition ---+
+-- path-condition ----------------+
'-- ( -- condition -- ) -----------'
The following
rule applies to condition
:
- If parentheses are not used, the precedence rules are:
- NOT
- AND
- OR
path-condition
v------- AND ---------------.
>>-- FOR ( --+--- path-direction -- path --+--+-- : -- condition -- ) --<<
| v-------- OR ---------------. |
+--- path-direction -- path --+--+
'-- intended-parent -------------'
predicate
|--+-- scalar --+-- = ---+-- scalar --+--|
| +-- < ---+ |
| +-- > ---+ |
| +-- <= --+ |
| +-- >= --+ |
| '-- <> --' |
+-- like-predicate ----------------+
+-- starts-with-predicate----------+
+-- contains-predicate-------------+
+-- ends-with-predicate------------+
+-- in-predicate ------------------+
+-- in-group-predicate-------------+
'-- in-profile-predicate-----------'
scalar-value
|--+-- field-reference -- +--|
+-- end-user-profile --+
+-- boolean -----------+
+-- integer -----------+
+-- decimal -----------+
+-- date --------------+
+-- currency ----------+
+-- simple string -----+
+-- enum-value --------+
'-- function ----------'
field-reference
>>--+-----------------+-- . -- field-group -- . -- field-name --<<
'-- object-type --'
The following rules apply to
the field-reference
:
- If no
object-type
is given, the object type is that of the object to which the rule applies. - If an
object-type
is given, it must either be the subject of the rule or been specified in a path expression that contains the field-reference. - All elements of the field reference must be system names.
- Optional square brackets can be used to assure parsing in case elements of field references contain spaces or other special characters.
end-user-profile
|-- END_USER_PROFILE ( --+-- field-reference --+-- ) --|
'-- string -----------'
function
|--+-- TODAY ----------------------------------------------+--|
+-- TOMORROW -------------------------------------------+
+-- NOW ------------------------------------------------+
| .-- ( 0, 'd' ) ----------------------------. |
| | .-- , ----- 'd' ---. | |
'-- NOW --+-- ( -- offset +------------------+-- ) --+--'
'-- , --+-- 'y' ---+
+-- 'm' ---+
+-- 'd' ---+
+-- 'h' ---+
+-- 'mi' --+
'-- 's' ---'
like-predicate
|-- field-reference -- LIKE -- pattern-string --|
The
following rule applies to the like-predicate
:
- The pattern string must be a string constant.
- For information on what is supported for the
like-predicate
, see Limitations on special characters in filters for long string fields and Using complex logic in a search filter.
starts-with-predicate
|-- field-reference -- STARTS WITH -- string --|
contains-predicate
|-- field-reference -- ENDS WITH -- string --|
ends-with-predicate
|-- field-reference -- ENDS WITH -- string --|
in-predicate
|-- scalar-value -- IN --+-- scalar-value ----------------+--|
| v--- , -----------. |
'-- ( --- scalar-value --+-- ) --'
The
following rules apply to in-predicate
:
- If a single field reference is given, it must be a multivalued field.
- If multivalued fields are used in the list, they are unnested.
in-group-predicate
|-- scalar-value -- IN GROUP --+-- scalar-value ----------------+--|
| v--- , -----------. |
'-- ( --- scalar-value --+-- ) --'
The
following rules apply to in-group-predicate
:
- If a single field reference is given, it must be a multivalued field.
- If multivalued fields are used in the list, they are unnested.
in-profile-predicate
|-- scalar-value -- IN PROFILE --+-- string ----------------+--|
| v--- , -----. |
'-- ( --- string --+-- ) --+
The
following rules apply to in-profile-predicate
:
- If a single field reference is given, it must be a multivalued field.
- If multivalued fields are used in the list, they are unnested.
path
v----------------------.
|-- object-type ----- / -- object-type --+--|
path-direction
.-- ANY ------. .-- CHILD ---.
|--+-- PRIMARY --+---------------+--+-- PARENT --+--|
'-- IMMEDIATE --'
intended-parent
|-- INTENDED PARENT OF TYPE -- object-type -- |
Rules
- Combining multiple paths with
AND
orOR
is semantically equivalent to specifying multiple path expressions with the same condition combined byAND
orOR
. - For combined paths, the end point of all paths in the path expression must have the same object type. The condition can contain references only to the shared starting points and ending points as well as any references to outer paths that lead up to the subject.
- A path expression for a given path of object types is considered true if the condition is true for any instantiation of the path.
- Except for combined paths described earlier, the condition can depend on any object type along the path of the path-expression.
- The condition may also depend on object types along the path of containing path-expressions or the subject object type of the rule.
- When using
intended-parent
, the condition can depend on theobject-type
referenced as intended parent as well as the subjectobject-type
of the rule. A path expression that uses the intended parent clause is considered false if the indented parent is not of the specifiedobject-type
or the operation is not Associate or Create. - Depending on the path-direction specified, the path lists a connected series of object types relative to the current context either following parent or child relationships.
- The outermost path must start with the rule's subject type. Nested paths must start with the endpoint of the immediately containing path.
- If
IMMEDIATE
is specified and the end point of the path is a recursive object type, the path stops at the bottom most parent of that type or the top most child. - If
PRIMARY
is specified, the path will follow only primary parent relationships.