2022 April Release

app.ducx Organizational Structure Language

With the app.ducx organizational structure language, access elements can be modelled.

An organizational structure model block consists of import declarations and organizational structure elements. The orgmodel keyword denotes an organizational structure model block. It must be followed by the reference of your software component and curly braces.

Syntax

orgmodel softwarecomponent
{
  // Import declarations
  import softwarecomponent;

  // Organizational structure model elements (positions, organizational
  // units)

  ...
}

Defining an Access Control List

Syntax

acl reference {
  ace {
    audience = {
    };
    rights = [];
  }
}

Access control lists (ACLs) are used to specify the access rights of a user to a given object. An access control list can assign different lists of access types to different user groups. In these user groups the users belonging to this group are specified by their relation to the current object, their position in the current organization or their location in the domain.

Note: Software component COOSYSTEM@1.1 already provides a set of access control lists that can be reused for protecting your properties and use cases.

The acl keyword is used to define an access control list. It must be followed by a reference and curly braces.

Within an acl block there is a sequence of ace blocks, each specifying a set of access rights for a list of user groups, called the audience. In the resulting access control list there is a line for each user group with the specified access types.

Each audience entry can depend on the user, on a group the user belongs to and on the domain in which the user is located. These three ways of specifying the user are modelled with the keywords user, group and domain. For each of these keywords there are different ways to define the matching user group.

If one or more of the keywords are omitted, the line is filled up with default values.

A user can be specified with:

  • ACLUSER_NORMAL
    default
  • ACLUSER_OWNER
    the user is the owner of the object
  • <Position>
    the user currently holds the specified position
  • <attrdef>{.<attrdef>}
    an attribute path to a list of authorized users

A group can be specified with:

  • ACLGROUP_NORMAL
    default
  • ACLGROUP_OWNER
    the user belongs to the objowngroup
  • <OrgUnitType>
    the user is currently a member of the group with the type <OrgUnitType>
  • <attrdef>{.<attrdef>}
    an attribute path to a list of authorized groups
  • A group can be further refined by adding one of the lines
    • if parent
      the current group of the user is a parent group of the own group of the object
    • if child
      the current group of the user is a child group of the own group of the object
    • and parents
      the user is member of the given group or a parent group of this group
    • and children
      the user is member of the given group or a child group of this group

A domain can be specified with:

  • ACLDOMAIN_NORMAL
    default
  • ACLDOMAIN_OBJECT
    the user belongs to the domain of the object
  • ACLDOMAIN_OWNER
    the user belongs to the domain of the owner
  • <DomainType>
    the current domain is of the specified domain type
  • <attrdef>{.<attrdef>}
    an attribute path to a list of authorized domains

Example

orgmodel APPDUCXSAMPLE@200.200
{
  import COOSYSTEM@1.1;

  acl SampleACL {
    // Line 1: holders of the position SysAdm may read and change
    ace {
      audience = {
         user SysAdm;
      };
      rights = [AccTypeRead, AccTypeChange];
    }
    // Lines 2 and 3: one audience list with two entries, both read-only
    ace {
      audience = [
        {
           // users whose current group is a parent group of the object's
           // own group; user and domain keep their default values
           user ACLUSER_NORMAL;
           group ACLGROUP_OWNER if parent;
           domain ACLDOMAIN_NORMAL;
        },
        {
           // all keywords omitted: the line is filled up with
           // ACLUSER_NORMAL, ACLGROUP_NORMAL and ACLDOMAIN_NORMAL
        }
      ];
      rights = [AccTypeRead];
    }
  }
}

Audience elements can also be declared as constants and reused in all ACLs.

Example

orgmodel APPDUCXSAMPLE@200.200
{
  import COOSYSTEM@1.1;

  // the owner of the object or a member of its own group
  const audience[] OwnerAudience = [
    { user ACLUSER_OWNER; },
    { group ACLGROUP_OWNER; }
  ];

  // holders of the position SysAdm
  const audience[] AdminAudience = [
    { user SysAdm; }
  ];

  // constants can be combined: the entries of OwnerAudience and
  // AdminAudience are reused, plus the domain of the owner
  const audience[] ChefAudience = [
    #OwnerAudience,
    #AdminAudience,
    { domain ACLDOMAIN_OWNER; }
  ];

  acl SampleACL {
    ace {
      audience = OwnerAudience;
      rights = [AccTypeRead, AccTypeChange, AccTypeReadSec, AccTypeChangeSec];
    }
    ace {
      audience = AdminAudience;
      rights = [AccTypeRead, AccTypeChange];
    }
  }
}

Extending an Access Control List

Syntax

extend acl reference {
  ace {
    audience = {
    };
    rights = [];
  }
}

With the extend acl keywords, additional ace blocks can be added to an existing access control list.

Example

orgmodel APPDUCXSAMPLE@200.200
{
  import COOSYSTEM@1.1;

  extend acl DefaultDeveloperACL {
    // appended to the existing entries of DefaultDeveloperACL
    ace {
      audience = {
        user SysAdm;
      };
      rights = [AccTypeRead, AccTypeChange];
    }
  }
}

Updating an Access Control List

Syntax

update acl reference {
  ace {
    audience = {
    };
    rights = [];
  }
}

With the update acl keywords, the access control list is redefined, so that afterwards it consists of the ace blocks listed.

Example

orgmodel APPDUCXSAMPLE@200.200
{
  import COOSYSTEM@1.1;

  update acl DefaultDeveloperACL {
    // DefaultDeveloperACL is redefined and now consists of this entry only
    ace {
      audience = {
        user SysAdm;
      };
      rights = [AccTypeRead, AccTypeChange];
    }
  }
}

Access Control List Templates

By using an existing access control list as a template, creating a new access control list becomes much simpler. The template is listed after the name of the new access control list, separated by a colon.

The new access control list is initialized by copying all access control entries of the template. The list of access control entries can then be modified with the keywords add, delete and replace, which identify entries by their audience:

  • add
    add new access control entries
  • delete
    delete the specified access control entries
  • replace
    replace the specified access control entries by the new list of rights

Example

orgmodel APPDUCXSAMPLE@200.200
{
  import COOSYSTEM@1.1;

  // starts as a copy of all entries of DefaultDeveloperACL
  acl NewDeveloperACL : DefaultDeveloperACL {
    // new line: holders of the position SysAdm may read and change
    add ace {
      audience = { user SysAdm; };
      rights = [
        AccTypeRead, AccTypeChange
      ];
    }
    // removes the line for the default audience (ACLUSER_NORMAL)
    delete ace {
      audience = { user ACLUSER_NORMAL; };
    }
    // keeps the line for the owner, but with this list of rights
    replace ace {
      audience = { user ACLUSER_OWNER; };
      rights = [
        AccTypeRead, AccTypeChange, AccTypeReadSec, AccTypeChangeSec
      ];
    }
  }
}
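A Python model of the two rules this page relies on, the filling up of omitted audience keywords with default values (see the audience definitions above) and the add/delete/replace template operations keyed by audience (this section). It is an added illustration, not Fabasoft's or the page's code; the entries of DefaultDeveloperACL are constructed because the page does not list them, and the handling of duplicate audiences and of deleting a missing line are assumptions marked in the code.

```python
# Python model of the ACL rules on this page (constructed illustration, not
# Fabasoft's implementation): audience entries are filled up with defaults,
# and a template ACL applies add/delete/replace keyed by audience.
DEFAULTS = {"user": "ACLUSER_NORMAL", "group": "ACLGROUP_NORMAL", "domain": "ACLDOMAIN_NORMAL"}

def audience_key(entry):
    """(user, group, domain) tuple identifying an ACL line; omitted keywords get defaults."""
    unknown = set(entry) - set(DEFAULTS)
    if unknown:
        raise ValueError(f"unknown audience keyword(s): {sorted(unknown)}")
    return tuple(entry.get(k, DEFAULTS[k]) for k in DEFAULTS)

def build_acl(aces):
    """acl { ace ... }: aces = [(audience entries, rights)]; assumption: later ace wins."""
    acl = {}
    for entries, rights in aces:
        for entry in entries:
            acl[audience_key(entry)] = list(rights)
    return acl

def from_template(template, add=(), delete=(), replace=()):
    """acl New : Template { add ace / delete ace / replace ace }; template is not modified."""
    acl = {key: list(rights) for key, rights in template.items()}
    for entries, rights in add:
        for entry in entries:
            acl[audience_key(entry)] = list(rights)
    for entries in delete:
        for entry in entries:
            acl.pop(audience_key(entry), None)  # assumption: deleting a missing line is a no-op
    for entries, rights in replace:
        for entry in entries:
            key = audience_key(entry)
            if key not in acl:  # refuse rather than silently add a new line
                raise KeyError(f"replace: no entry for audience {key}")
            acl[key] = list(rights)
    return acl

# Constructed stand-in for DefaultDeveloperACL (its real entries are not on this page).
DEFAULT_DEVELOPER_ACL = build_acl([
    ([{"user": "ACLUSER_OWNER"}], ["AccTypeRead", "AccTypeChange"]),
    ([{"user": "ACLUSER_NORMAL"}], ["AccTypeRead"]),
])
# NewDeveloperACL : DefaultDeveloperACL from the template example above.
NEW_DEVELOPER_ACL = from_template(
    DEFAULT_DEVELOPER_ACL,
    add=[([{"user": "SysAdm"}], ["AccTypeRead", "AccTypeChange"])],
    delete=[[{"user": "ACLUSER_NORMAL"}]],
    replace=[([{"user": "ACLUSER_OWNER"}],
              ["AccTypeRead", "AccTypeChange", "AccTypeReadSec", "AccTypeChangeSec"])],
)
```

Printing NEW_DEVELOPER_ACL shows the effective lines a reviewer would audit: the default-audience line is gone, the owner line carries the replaced rights, and the SysAdm line was added.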