Reference: Access Control Statement Properties

Overview

To create an access control statement, you define its precise scope using the following four properties:

  • Effect: The effect the statement has when it applies to an access request, i.e. whether the statement allows or denies access.

  • Resource: The type of object that the user is requesting to perform the action on, i.e. an activity type.

  • Action: The operation that the user is requesting to perform on the resource, e.g. view, create, etc.

  • Conditions: Additional conditions to define the resource with greater granularity, based on activity attribute values (e.g. activities where a specified activity attribute has a particular value).

To put access control statements into effect, you use an additional property that is linked not to the individual statements, but the policy that contains them:

  • Users: The Uptempo user accounts to which the statements in the policy apply.

Each of these five properties is further organized into types, or subcategories with a specific scope. For example, the Actions object contains types like View or Create.

In practice, you construct an access control statement by using the Statement Editor (or the Raw JSON editor) to select a type for each property: in combination, these types define a complete permissions scope.

This reference guide outlines all of the available types for each property that you can use to create access control statements.

Property: Effect

The Effect property defines the outcome that the access control system applies when a statement takes effect.

Supported Types

  • ALLOW

    • Specifies that the access control system permits access within the scope of the statement. This means the specified user is granted permission to perform the specified action on the specified resource, provided that any specified conditions are met.

  • DENY

    • Specifies that the access control system blocks access within the scope of the statement. This means the specified user is denied permission to perform the specified action on the specified resource, provided that any specified conditions are met.

Property: Resource

The Resource property defines the type of system asset that a User can perform an Action on.

Supported Types

  • Activity

    • Can be specified as:

      • Activity: Scopes the statement to all activities (of all types).

    • In combination with the Conditions property, can be specified as:

      • Activities of a specified activity type

      • Activities of a specified activity type group

      • Activities that have a specified value for a specified attribute

  • Activity Type

    • Can be specified as:

      • Activity Type: Scopes the statement to all activity types and activity type groups. For each activity type, this scope includes:

        • The attributes that exist on activities of that type.

        • The actions that are possible for activities of that type.

        • The activity rules that govern where activities of that type can exist in the activity hierarchy.

        • The layout of the Activity Setup Assistant and the Details panel for activities of that type.

        Important

        The Activity Type resource covers activity types and activity type groups themselves. It does not include the activities within those activity types and type groups. To scope a statement to activities of a particular type or type group, use the Activity resource type.

      • Activity Type > Specified Activity Type Group: Scopes the statement to all activity types within the specified activity type group.

      • Activity Type > Specified Activity Type Group > Specified Activity Type: Scopes the statement to the specified activity type.

        Note

        In the Statement Editor, the Activity Type selection list is split into two levels: the first level displays activity type groups at the top of the list, and the second level displays the activity types that belong to the selected activity type group. All activity types that do not belong to an activity type group are displayed in the first-level list, below the activity type groups.

Unsupported Types

This list is non-exhaustive, and is meant to illustrate ways of specifying resources that are currently unsupported in activity access controls:

  • Specific individual activities

  • Specific attributes (the attribute itself, e.g. to show or hide specific attributes on activities on a per-user basis)

  • Specific attribute values (the attribute value itself, e.g. to show or hide specific attribute values on activities on a per-user basis)

Property: Action

The Action property defines the types of operation that a User can perform on a Resource.

Supported Types

Actions are specific to resource types, so the supported actions are determined by the selected resource.

Resource Type: Activity

  • All Actions

    • Scopes the statement to all possible actions on the specified resource, including view, create, modify, and delete.

  • List

    • Scopes the statement to only the List action. When granted, the List action gives users access only to the name of the specified resource. This means the user can see an activity's full name in the Activity Hierarchy, but can't open the activity's Details Panel to view any other information about the activity.

  • View

    • Scopes the statement to only the View action. When granted, the View action gives users read-only access to the specified resource. This means the user can see an activity's full name, attribute details, etc., but is not able to modify the activity in any way.

  • Set Activity As Child Of

    • Scopes the statement to only the Set Activity As Child Of action. When granted, the Set Activity As Child Of action gives a user the ability to create child activities under the resource scoped in the statement.

Resource Type: Activity Type / Activity Type Group

  • All Actions

    • Scopes the statement to all possible actions on the specified resource, including view, create, modify, and delete.

  • View

    • Scopes the statement to only the View action. When granted, the View action gives users read-only access to the specified resource. This means the user can see activity types or type groups, but not create them.

  • Create

    • Scopes the statement to only the Create action. When granted, the Create action gives users the ability to create new activities in an activity type.

      Note

      This action does not cover the ability to create activity types (or type groups) themselves, only the activities within them.

Unsupported Types

This list is non-exhaustive, and is meant to illustrate actions that are currently unsupported in activity access controls:

All Resource Types

  • Modify

    • Scopes the statement to only the Modify action, which covers the ability to make changes to existing activities, activity types, or activity type groups.

  • View Parent Of

    • Scopes the statement to only the View Parent Of action, which covers the ability to view the parent activity of a specified activity.

  • Delete

    • Scopes the statement to only the Delete action, which covers the ability to delete an activity, type or type group.

Property: Conditions

The Conditions object defines more granular conditions for the Activity resource type, which must be met for the statement to take effect.

Note

Conditions are currently not supported in the Statement Editor, and can only be configured using the Raw JSON editor. For more information on how to use conditions, see Reference: JSON Schema for Access Control Statements.

Supported Types

  • Attribute Values

    • Scopes the statement to only activities which have a specified value (or one of a set of specified values) for a specified attribute.

  • Activity Type

    • Scopes the statement to only activities of a specified activity type.

  • Activity Type Group

    • Scopes the statement to only activities from any activity type within a specified activity type group.

Unsupported Types

This list is non-exhaustive, and is meant to illustrate types of conditions that are currently unsupported in activity access controls:

  • Activity

    • Scopes the statement to only a specified activity.

  • Activity Type Has Attribute

    • Scopes the statement to only activities of types that have a specified attribute (regardless of value).

  • Attribute Has Value

    • Scopes the statement to only activities which have any value for a specified attribute.

  • Conditions on any resource type other than Activity, e.g. Users.

Property: Users

The Users object defines the type of entity that can perform an Action on a Resource.

Supported Types

  • Users

    • Scopes all statements in the policy to specific individual Uptempo user accounts used by human users.

  • Teams

    • Scopes all statements in the policy to specific predefined groups containing multiple Uptempo user accounts.

Unsupported Types

This list is non-exhaustive, and is meant to illustrate user types that are currently unsupported in activity access controls:

  • System Users

    • Scopes all statements in the policy to specific individual Uptempo user accounts used by computer users (e.g. APIs or integrations).

  • User Conditions

    • Scopes all statements in the policy to specific Uptempo user accounts (of any type) that meet specific attribute-based conditions (e.g. IP addresses, locations, divisions, etc.).
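The following is an added example, not Uptempo code or its JSON schema, that models how the five properties above (Effect, Resource, Action, Conditions, and the policy-level Users) combine into a permissions scope and how a request would be checked against them. The field names, the sample policy, and the evaluation rule (DENY overrides ALLOW, and no applicable statement means no access) are assumptions for illustration; this page does not state how conflicting statements are resolved.

```python
from dataclasses import dataclass, field

# Constructed model of the properties on this page; names are assumptions, not Uptempo's schema.
@dataclass
class Statement:
    effect: str    # "ALLOW" or "DENY"
    resource: str  # "Activity" or "Activity Type"
    action: str    # "All Actions", "List", "View", "Create", "Set Activity As Child Of"
    scope: dict = field(default_factory=dict)  # Conditions (Activity) or type/group selection
@dataclass
class Policy:
    users: set = field(default_factory=set)   # individual accounts
    teams: set = field(default_factory=set)   # predefined groups of accounts
    statements: list = field(default_factory=list)

def statement_applies(stmt, request):
    """Resource, action and every scope key must match the requested target."""
    target = request["target"]
    if stmt.resource != request["resource"]:
        return False  # an Activity Type statement never covers the activities in that type
    if stmt.action not in ("All Actions", request["action"]):
        return False
    s = stmt.scope
    if "activity_type" in s and target["type"] != s["activity_type"]:
        return False
    if "activity_type_group" in s and target["type_group"] != s["activity_type_group"]:
        return False
    for attr, values in s.get("attribute_values", {}).items():
        if target.get("attributes", {}).get(attr) not in values:
            return False
    return True

def evaluate(policies, request):
    """Assumption: DENY overrides ALLOW, and no applicable statement means no access."""
    user, allowed = request["user"], False
    for policy in policies:
        if user["id"] not in policy.users and not policy.teams & set(user["teams"]):
            continue  # the Users property attaches to the policy, not the statement
        for stmt in policy.statements:
            if statement_applies(stmt, request):
                if stmt.effect == "DENY":
                    return False
                allowed = True
    return allowed

# Constructed sample: the marketing team may view Campaign activities, except Confidential ones.
SAMPLE_POLICIES = [Policy(teams={"marketing"}, statements=[
    Statement("ALLOW", "Activity", "View", {"activity_type": "Campaign"}),
    Statement("DENY", "Activity", "All Actions",
              {"attribute_values": {"Classification": ["Confidential"]}})])]
```

Because the Activity Type resource covers types and type groups rather than the activities in them, a request against resource "Activity Type" is not matched by either sample statement, which mirrors the Important note under the Resource property.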