Access Rights Strings
Access rights strings are used throughout Activate to express permission checks in a compact, declarative way. They are evaluated by the Activate security engine against the access control entries (ACEs) defined on products, objects, and their parents.

A common use of access rights strings is the AccessRights property of toolbars, so that specific buttons appear only when the specified criteria are met. This suits cases such as "the owner of this service may unpublish it, but only if they are the owner."

This guide explains the supported syntax, how expressions are evaluated, and the common pitfalls to avoid when writing access rights strings.

Basic access rights

The examples in this document use service permissions for simplicity; other object types in Activate support different sets of permissions. An access rights string always uses the permission code, not the display name shown in Activate Studio.

Standard rights
- create (Create)
- read (Read)
- write (Write)
- delete (Delete)
- manage (Manage)

Service-specific rights
- use (Use Service)
- add (Add User to Service)
- view (View Instance)
- iupd (Update Instance)
- idel (Delete Instance)

If an ACE grants Full Control, all standard and service-specific rights automatically match.

Combining rights

Access rights strings support two combination operators with very different behaviour.

Semicolon (;): AND semantics

Use a semicolon to require that all listed rights are granted. When a semicolon is used, the expression is evaluated as a logical AND.

Example: idel;iupd

Meaning: the user must have idel AND the user must have iupd. If any one of the rights is missing, the check fails. This form is commonly used when an operation genuinely requires multiple permissions at the same time.

Pipe (|): OR semantics

Use a pipe character to indicate that any one of the listed rights is sufficient. When a pipe is present anywhere in the string, the expression is evaluated as a logical OR.

Examples: idel|iupd and idel|iupd|manage

Meaning: the user may have idel OR iupd OR manage. Only one matching right is required for the check to succeed.

Important difference between ; and |

Although both operators look similar, they are evaluated very differently:
- Semicolon (;) expressions are evaluated together as a single AND group.
- Pipe (|) expressions are split first and evaluated as independent OR options.

This means the following are not equivalent: idel;iupd requires both rights, while idel|iupd requires only one.

Order of rights

The order of rights in the string does not affect the result. For example, iupd;idel and idel;iupd evaluate identically. The same applies to pipe-based expressions: iupd|idel and idel|iupd are equivalent.

Owner, self, and target modifiers

Some rights may be qualified with modifiers that restrict when they apply. The supported modifiers are +self, +owner and +target.

Examples:
- iupd+owner: the user must have iupd and be an owner of the object; non-owners with iupd will return false.
- add+self: the user must have add and be ordering for themselves.

These modifiers are evaluated as part of the right name and must match the ACE configuration exactly. If a modifier is present:
- the ACE must be defined with the corresponding scope, and
- the context object must satisfy the condition (for example, the user must be the owner).

Unsupported separators

Commas (,) are not valid logical separators for access rights. For example, iupd,idel is treated as a single literal right name and will not match iupd or idel individually. Always use ; for AND and | for OR.

Worked examples

The following examples illustrate how to write access rights strings and how they are evaluated. Each example shows the configured security on the object (ACEs), the users and their relevant role or ownership context, and a series of access rights strings with the expected results.

Example 1: Service Desk and owner (service)

Configured security on the object
- Object: Service "Adobe Acrobat"
- Local ACL (top to bottom):
  - Allow role Service Desk → Full Control
  - Allow role Administrators → Full Control
  - Allow owner → view, iupd, idel

Users
- Jamie: member of Service Desk
- Wendy: owner of the service
- Alice: member of Administrators
- Bob: standard user with no special roles

Expected outcomes: the table of access rights strings and their results did not survive in this copy of the page.

Example 2: Extended rights (use)

Configured security on the object
- Object: product feature "Customer Portal" (illustrative)
- Local ACL:
  - Allow role Portal Users → view plus special right [use]
  - Allow role Administrators → Full Control

Users
- Jamie: member of Portal Users
- Wendy: owner of the service
- Alice: member of Administrators
- Bob: standard user with no special roles

Expected outcomes: the table of access rights strings and their results did not survive in this copy of the page.
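To make the evaluation rules concrete, the following is an added Python model of the rules as this page states them, run against the Example 1 and Example 2 ACLs. It is not Activate's own engine and not code from the page: the Ace and Context classes, the role and scope modelling, the sample users, and the interpretation that a right carrying a +modifier matches only an ACE whose principal is that scope are assumptions made here. It models local Allow entries only and omits inherited ACEs from parent objects.

```python
"""Evaluator for Activate-style access rights strings.

Added example, not Activate's own engine. Everything here (Ace, Context,
the sample ACLs and users) is constructed to illustrate the rules on this
page. Assumption: a right with a +modifier matches only an ACE whose
principal is that scope (owner/self/target), and only Allow ACEs exist.
"""
from dataclasses import dataclass

FULL_CONTROL = "full control"         # constructed marker for a Full Control ACE
SCOPES = ("owner", "self", "target")  # the modifiers the page lists
# Permission codes from the page; a Full Control ACE matches exactly these.
KNOWN_RIGHTS = frozenset({"create", "read", "write", "delete", "manage",
                          "use", "add", "view", "iupd", "idel"})


@dataclass(frozen=True)
class Ace:
    principal: str        # a role name, or one of the scopes in SCOPES
    rights: frozenset     # permission codes, or {FULL_CONTROL}


@dataclass(frozen=True)
class Context:
    roles: frozenset = frozenset()
    is_owner: bool = False    # user owns the object
    is_self: bool = False     # user is acting for themselves (e.g. ordering)
    is_target: bool = False   # user is the target of the operation


def _ace_applies(ace: Ace, ctx: Context) -> bool:
    """Does this ACE cover the current user in the current context?"""
    if ace.principal == "owner":
        return ctx.is_owner
    if ace.principal == "self":
        return ctx.is_self
    if ace.principal == "target":
        return ctx.is_target
    return ace.principal in ctx.roles


def has_right(right: str, acl, ctx: Context) -> bool:
    """Match a single right name (optionally 'code+modifier') against the ACL."""
    base, _, modifier = right.partition("+")
    if base not in KNOWN_RIGHTS:        # e.g. the literal "iupd,idel": never matches
        return False
    if modifier:
        if modifier not in SCOPES:
            return False
        candidates = [a for a in acl if a.principal == modifier]  # scope must match
    else:
        candidates = list(acl)
    return any(_ace_applies(a, ctx) and (FULL_CONTROL in a.rights or base in a.rights)
               for a in candidates)


def evaluate(expr: str, acl, ctx: Context) -> bool:
    """Split on '|' first (OR options); each option is a ';' AND group."""
    for option in expr.split("|"):
        rights = [r.strip() for r in option.split(";") if r.strip()]
        if rights and all(has_right(r, acl, ctx) for r in rights):
            return True
    return False


# Example 1 from the page: Service "Adobe Acrobat"
SERVICE_ACL = (
    Ace("service desk", frozenset({FULL_CONTROL})),
    Ace("administrators", frozenset({FULL_CONTROL})),
    Ace("owner", frozenset({"view", "iupd", "idel"})),
)
# Example 2 from the page: product feature "Customer Portal"
PORTAL_ACL = (
    Ace("portal users", frozenset({"view", "use"})),
    Ace("administrators", frozenset({FULL_CONTROL})),
)
# Constructed users; Jamie holds the role named for him in each example.
USERS = {
    "jamie": Context(roles=frozenset({"service desk", "portal users"})),
    "wendy": Context(is_owner=True),
    "alice": Context(roles=frozenset({"administrators"})),
    "bob": Context(),
}


def outcomes(expr: str, acl=SERVICE_ACL) -> dict:
    """Evaluate one access rights string for every sample user."""
    return {name: evaluate(expr, acl, ctx) for name, ctx in USERS.items()}


if __name__ == "__main__":
    for expr in ("idel;iupd", "idel|iupd|manage", "iupd+owner", "iupd,idel"):
        print(f"{expr:18} {outcomes(expr)}")
    print(f"{'use':18} {outcomes('use', PORTAL_ACL)}")
```

Two details of the model carry the page's pitfalls: KNOWN_RIGHTS stops a Full Control ACE from matching the literal name "iupd,idel", and the candidate filter in has_right is what makes iupd+owner return false for Jamie and Alice even though both hold iupd through Full Control.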
Summary

- Access rights strings use permission codes, not display names.
- Standard and service-specific rights are evaluated uniformly.
- ; means all rights are required (AND).
- | means any one right is sufficient (OR).
- Commas are not valid separators.
- Modifiers such as +self and +owner further constrain matching.

Understanding these rules is essential to writing predictable and secure access checks in Activate.