This model can be used to control query access to objects. This query filtering is applied centrally, so the filtering is applied any way the user tries to access those objects, including query, quick find, relationship expansion, FTR, and custom code. To restrict a user's access to a class of object, the access group is related to the class definition and a condition applied.
This conditional data access is evaluated centrally on all objects returned from any query.
-
This may slow down query performance.
-
There are specific query filters available on the Query and Quick Find methods and edge expansion that apply the filter as additional SQL as the database is queried and as a result is much faster. This is also detailed in the next section.
-
The query filter condition is only supported in the Desktop Client.
SPFClassDefAccessGroup relationship definition
The SPFClassDefAccessGroup relationship links the access groups to the class for filtering. The link interface on this relationship is used to relate to the query filter condition. This condition can test attributes on the object, such as security level and ownership. A simple condition can be used to test if the user has access to the owning group of the object, for example.
Filtering objects at point of query
The retrieval of data by query or relationship expansion can be filtered based on simple property comparisons. To support filter by ownership, many of the environment variables available in the conditions engine have been made available to this property filtering.
These are configured as follows:
-
Using argument 3 on QFind methods
-
Using argument 8 on Query methods
-
Using the ISimpleCriteria.PropComparisons property on edge definitions
These criteria support the following:
Simple properties on an object
ISPFDocumentRevision~SPFRevState~=~e1CURRENT
Properties on related objects
Using a RelDef with the +/_ directional qualifier:
+SPFFileComposition~ISPFDocumentVersion~SPFIsDocVersionSuperseded~=~False
Environment variables
Owner is current username: +SPFItemOwner~IObject~Name~=~ENV.Username
Multiple criteria can be specified that are AND’d together ~ delimited.
ISPFDocumentRevision~SPFRevState~=~e1WORKING~+SPFFileComposition~ISPFDocumentVersion~SPFIsDocVersionSuperseded~=~False
Alternate values can be tested for one property
ISPFDocumentRevision~SPFRevState~=~e1CURRENT|e1WORKING
Restrictions
-
It is not possible to write OR clauses, but these will be added in the future.
-
No support for testing if an object does not have a relationship, for example, no owner or owning group.
Objects can be retrieved using the query command which can be filtered by class of object or container.