Access Rules
Introduction
The access rules of an entity define what an end-user is allowed to do with objects of the entity. You can allow end-users with specific roles to do one or more of the following things:
- create objects
- delete objects
- view member values
- edit member values
A member is an attribute or an association of an entity.
You can also limit the set of objects available for viewing, editing, and removing using an XPath constraint.
Every entity can have multiple access rules which are applicable to one or more module roles. Each access rule grants certain access rights to those roles. Rules are additive, which means that if multiple access rules apply to the same module role, all access rights of those rules are combined for that module role.
Defining Access Rules
The modernized access rule editor was made generally available in Studio Pro version 10.21.0, replacing the old editor. It was also available from Studio Pro version 10.6.0, as a beta. The old editor is deprecated and will be removed in Studio Pro version 11.0.0, but you can revert to the old editor in the Preferences Dialog
For guidance on using the old editor, see Defining Access Rules Using the Old Editor, below.
You can view access rules in the Access rules tab of the entity properties dialog. Open this by double clicking on an entity in the domain model.
Editor Layout
The access rules editor displays each access rule belonging to the entity as a column. The header shows the module role(s) the access rules apply to. When the module role name is long or there are multiple roles, you can see only part of the label. Hover over the header to show the full module role(s).
You can add access rules by clicking New.
Click on a column to select an access rule. When an access rule is selected, you can click on the buttons to edit, duplicate, or delete it. You can also edit an access rule by double-clicking it.
 
 
    
XPath Constraint
When there is a value shown in the XPath constraint row for a specific access rule, this means it has an XPath constraint. The access rule will only be granted if the XPath constraint is true. When an XPath constraint has a caption, this is shown instead of the XPath constraint itself.
Entity Rights
By setting the appropriate entity rights in an access rule, you can control the ability to create and/or delete objects of the entity. By default, an access rule has no entity rights.
When an access rule has entity rights, this is shown using the Create ( ) and/or Delete ( ) icon in the entity rights row for the specific access rule.
Attribute and Association Rights
In the access rule, access to specific members (attributes or associations belonging to the entity) can be controlled. The access can be None, Read, or Read and Write. When there is no access, no icon is displayed in the row of the member in the access rule column. If there is Read access, a Read icon ( ) is displayed. For Read and Write access, both the Read ( ) and Write ( ) icons are displayed.
Creating or editing an access rule
Access rules can be created from the New Access Rule dialog. This dialog can be opened by clicking New. To edit an existing access rule, select an access rule and click Edit or double-click on the access rule.
 
 
    
Documentation
You can add documentation to describe the access rule.
Module roles
Select the module role(s) this access rule applies to. If there are no module roles selected there will be a consistency error.
XPath Constraints
To edit the XPath constraint, click Edit... next to the XPath constraint field. This will open the XPath editor dialogue to edit the XPath constraint of the access rule.
There are two constraints that can be appended easily with a single button click:
Owner
The Owner button adds an XPath constraint so the access rule is only applied if the object owner is the current end-user.
[System.owner='[%CurrentUser%]']This constraint is only valid when the Store 'owner' checkbox in the System members section of the entity properties is checked.
Path to User
The Path to user... button adds an XPath constraint so the access rule is only applied when a User object which is associated (directly or indirectly) with the current object is the current end-user. When you click Path to user..., you can select a path to an associated entity that is either a System.User or a specialization of System.User. This is then converted into an XPath constraint for the access rule.
For example:
- Assume that the Customer entity is a specialization of the User entity. The Order entity is associated with the Customer entity via the Order_Customer association.
- Assume that a logged-in customer is only allowed to view their orders, but is not allowed to view the orders of other customers.
The XPath constraint can be constructed easily using the Path to user... button by selecting the Customer entity in the Order entity access rule. The created rule will look like this:
[Module.Order_Customer = '[%CurrentUser%]']Because of this XPath constraint, access defined in the access rule is only applied to orders for which the customer is the current end-user.
Entity Rights
You can add or edit entity rights using the Create objects and Delete objects checkboxes next to Entity rights.
XPath constraints are not applied to create operations, meaning that if you enable create access in an access rule which applies to a certain module role, any end-user with this module role can create objects of this entity.
XPath constraints are applied to delete operations, unlike create operations.
Default rights for new members
Specifies the rights which are applied to new attributes or associations of this entity. This option was absent from the new Access Rule Editor before version 10.19 and in these versions the rights always defaulted to no access for any module roles.
Member Rights
Access to the members can be set using the checkboxes in the relevant column next to the member description.
You can also click the Read or Write checkboxes in the Set all to footer to enable or disable 'Read' or 'Read and Write' access for all attributes and associations in this column.
See Attribute Changes and Security Constraints, below, for important considerations about giving access to attributes.
Access Rule Normalization
Older beta versions of the new access rule editor, those in Studio Pro versions 10.6 through 10.16, worked with normalized access rules. A normalized access rule is an access rule that has exactly one module role attached to it. This change was made because the editor used to work with a table where the entity members make use of the rows and module roles (optionally with XPaths) use the columns.
In those versions, access rules were automatically normalized when first using the new editor for an entity. Alternatively, all access rules in a project could be normalized at once by going to App Tools > Normalize access rules.
Access Rule Evaluation
Access rules are defined as part of application development. This section describes the effects access rules have at runtime, under the assumption that the App Security is set to Production.
Access rules are abstract descriptions of access rights. To apply them they need to be evaluated. Given an end-user with certain user roles and the state of the database it can be determined if an access rule applies. The Mendix Runtime stores the result of access rule evaluations in memory. In general, this evaluation happens on retrieval of objects from the database. The results will stay valid for the lifetime of the object, which is usually the request. Access rules are evaluated differently depending on the object state. More details about their evaluation when accessed from and end-user session are given below.
Attribute Changes and Security Constraints
If an end-user cannot view the value of an attribute because of security constraints, that attribute will never be sent to the Mendix Client.
See Basic CRUD Communication Pattern in Communication Patterns in the Mendix Runtime for more information on how data is passed between the Runtime Server and the Mendix Client and what cases may lead to a loss of changes.
New Objects
When a new object is created, or when a new object is sent to the runtime server as part of a request, all XPath constraints are assumed to evaluate as true. This evaluation result is stored in memory and valid for the lifetime of the request. Committing the object does not lead to access rules or XPath rules being re-evaluated.
Objects Stored in the Database
When a persistable object that has been committed before is passed to the runtime server, the access rules are evaluated based on the current state of the object in the database. More precisely, when passing an object, only the 'changes' on the object and an 'object id' are sent. A full object is then reconstructed in two steps. Firstly, the object is retrieved from the database based on its id. At that time the access rules are evaluated based on the values retrieved from the database. Secondly, changes are applied to the object.
As for new objects the result of this access rule evaluation is stored in memory and not changed for the lifetime of the object or request. In particular, changes to attributes or committing the object does not cause re-evaluation of access rules.
Non-Persistable Objects
Non-persistable objects cannot have XPath constraints.
Defining Access Rules using the Old Editor
An example of the access rules properties is represented in the image below:
 
 
    
Access rules properties consist of the following sections:
Documentation Section
In Documentation, you can describe the intention of the access rule. This helps to keep access rules comprehensible, especially in the case of non-trivial XPath constraints.
Rule Applies to the Following Module Roles Section
To apply an access rule to an entity, you need to have at least one of the following Access rights selected:
- Allow creating new objects
- Allow deleting existing objects
- An Entity Member (attribute or association) with ReadorRead, Writerights
Roles
All module roles are listed, and those to which this access rule applies are checked. All end-users that have at least one of the checked module roles get the access rights that the rule defines.
Select / Deselect All
You can easily select, or deselect, all module roles using this checkbox.
Access Rights
The Access rights tab allows you to assign rights to end-users with the selected module roles.
Create and Delete Rights Section
Allow Creating New Objects
If Allow creating new objects is checked, end-users are allowed to create new objects of this entity. This is not restricted by any configured XPath constraints.
Allow Deleting Existing Objects
If Allow deleting existing objects is checked, end-users are allowed to delete existing objects of this entity.
The set of objects that can be deleted can be limited by using an XPath constraint.
Member Read and Write Rights Section
Member read and write rights define the access rights for every member (attribute or association) of the entity. These access rights indicate whether end-users are allowed to view and/or edit the member's value. The set of objects to which these rights apply can be limited by using an XPath constraint.
| Value | Description | 
|---|---|
| - | End-users are not allowed to view or edit the value of the member. | 
| Read | End-users are allowed to view the value of this member, but cannot edit it. | 
| Read, Write | End-users are allowed to view and edit the value of this member. | 
Default rights for new members specifies the rights which are applied to new attributes or associations of this entity.
Set all to allows you to quickly set all the access rights for members to None, Read, or Read, Write.
For example, a customer is allowed to view the discount, but is not allowed to edit it. The access rights for the discount attribute are Read.
 
 
    
See Attribute Changes and Security Constraints, below, for important considerations about giving access to attributes.
XPath Constraint
An XPath constraint can be used to constrain the set of objects to which the access rule applies. If the constraint rule is true, the rule applies to that object. If the XPath constraint is empty, the rule applies to all objects of the entity.
Click Edit… to edit the XPath constraint.
 
 
    
There are two constraints that can be appended easily with a single button click.
Owner
The Owner button adds an XPath constraint so the access rule is only applied if the current end-user is the object owner.
[System.owner='[%CurrentUser%]']This constraint is only valid when the Store 'owner' checkbox in the System members section of the entity properties is checked.
Path to User
The Path to user... button adds an XPath constraint so the access rule is only applied when a User object which is associated (directly or indirectly) with the current object is the current end-user. When you click Path to user..., you can select a path to an associated entity that is either a System.User or a specialization of System.User. This is then converted into an XPath constraint for the access rule.
For example:
- Assume that the Customer entity is a specialization of the User entity. The Order entity is associated with the Customer entity via the Order_Customer association.
- Assume that a logged-in customer is only allowed to view their orders, but is not allowed to view the orders of other customers.
The XPath constraint can be constructed easily using the Path to user... button by selecting the Customer entity in the Order entity access rule. The created rule will look like this:
[Module.Order_Customer = '[%CurrentUser%]'] 
 
    
Because of this XPath constraint, access defined in the Access rights tab is only applied to orders for which the customer is the current end-user.