Security rule: Create
This API is extremely reliable and will not be broken unless absolutely necessary.
Method
POST
Path
/qrs/systemrule/
Description
Create and configure a custom security rule. The following example shows only a basic configuration. Properties that are not configured will be set to system defaults.
Rule properties and resource filters
There are numerous combinations and customizations of conditions that can be expressed in a security rule. The same applies to the resource filter that is used to narrow down the types of resources that the rule should be applied to. The best way to determine the proper condition and resource syntax is to configure them in the QMC and then call GET /qrs/systemrule to retrieve the applicable security rule entity.
Action properties
Every security rule is associated with one or more actions that can be performed on a resource. The following table lists the available security actions and corresponding values.
Action | Value |
---|---|
None | 0 |
Create | 1 |
Read | 2 |
Update | 4 |
Delete | 8 |
Export | 16 |
Publish | 32 |
Change owner | 64 |
Change role | 128 |
Export data | 256 |
Offline access | 512 |
Distribute | 1024 |
Duplicate | 2048 |
Approve | 4096 |
If you want to specify a combination of allowable actions for a new security rule, you need to calculate the sum of the desired action values. For example, if you want to assign create, read, and update actions to a security rule, the action value would be 7.
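The following added example (not part of the original page or of the product's own code) encodes and decodes the `actions` value using the table above, which helps when reviewing what an existing rule actually grants. The function names and the `excess_actions` review helper are hypothetical; 383 is the value used in this page's Body example.

```python
# Action names and values copied from the table on this page ("None" is 0).
ACTION_BITS = {
    "Create": 1, "Read": 2, "Update": 4, "Delete": 8, "Export": 16,
    "Publish": 32, "Change owner": 64, "Change role": 128,
    "Export data": 256, "Offline access": 512, "Distribute": 1024,
    "Duplicate": 2048, "Approve": 4096,
}
KNOWN_MASK = sum(ACTION_BITS.values())  # every documented bit set


def encode_actions(names):
    """Combine action names into the integer for the 'actions' property."""
    value = 0
    for name in names:
        if name not in ACTION_BITS:
            raise ValueError(f"unknown action: {name!r}")
        # Each value is a distinct power of two, so OR equals the sum
        # described above, and a repeated name is not counted twice.
        value |= ACTION_BITS[name]
    return value


def decode_actions(value):
    """Return the action names set in an 'actions' integer, in table order."""
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError("actions must be a non-negative integer")
    unknown = value & ~KNOWN_MASK
    if unknown:
        raise ValueError(f"bits outside the documented table: {unknown}")
    return [name for name, bit in ACTION_BITS.items() if value & bit]


def excess_actions(value, allowed_names):
    """Actions a rule grants beyond an allowed set (hypothetical review helper)."""
    return decode_actions(value & ~encode_actions(allowed_names))


if __name__ == "__main__":
    print(encode_actions(["Create", "Read", "Update"]))
    print(decode_actions(383))
    print(excess_actions(383, ["Read", "Update"]))
```
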
Context properties
The rule context determines the scope of the security rule, which can apply to the hub, QMC, or both. The following table lists the corresponding value for each context.
Context | Value |
---|---|
Hub & QMC | 0 |
Hub | 1 |
QMC | 2 |
Body
In this example, a security rule is assigned to the Stream1 Admin role, which gives users with this role the ability to perform specific actions on the stream, as well as on the apps, sheets, and stories in the stream. These specific actions include create, read, update, delete, export, publish, change owner, and export data.
```json
{
  "category": "Security",
  "name": "Stream admin",
  "rule": "user.roles = \"Stream1Admin\" and ((resource.resourcetype=\"Stream\" and resource.name=\"Stream 1\") or (resource.resourcetype=\"App\" and resource.stream.name=\"Stream 1\") or (resource.resourcetype=\"App.Object\" and resource.objectType=\"sheet\" and resource.app.stream.name=\"Stream 1\") or (resource.resourcetype=\"App.Object\" and resource.objectType=\"story\" and resource.app.stream.name=\"Stream 1\") or (resource.resourcetype=\"ReloadTask\" and resource.app.stream.name=\"Stream 1\"))",
  "actions": 383,
  "resourceFilter": "Stream_*, App_*, App.Object_*, ReloadTask_*",
  "comment": "Admin for the Stream 1 stream should have full access rights to the stream, and apps, sheets, and stories in the stream",
  "ruleContext": 0
}
```
Return value
```json
{
  "id": "38a8e12a-6362-48ba-ad1d-4241f987156c",
  "createdDate": "2017-03-10T19:37:13.429Z",
  "modifiedDate": "2017-03-10T19:37:13.429Z",
  "modifiedByUserName": "INTERNAL\\sa_repository",
  "category": "Security",
  "type": "Custom",
  "name": "QMC content admin",
  "rule": "user.roles = \"Stream1Admin\" and ((resource.resourcetype=\"Stream\" and resource.name=\"Stream 1\") or (resource.resourcetype=\"App\" and resource.stream.name=\"Stream 1\") or (resource.resourcetype=\"App.Object\" and resource.objectType=\"sheet\" and resource.app.stream.name=\"Stream 1\") or (resource.resourcetype=\"App.Object\" and resource.objectType=\"story\" and resource.app.stream.name=\"Stream 1\") or (resource.resourcetype=\"ReloadTask\" and resource.app.stream.name=\"Stream 1\"))",
  "resourceFilter": "Stream_*, App_*, App.Object_*, ReloadTask_*",
  "actions": 383,
  "comment": "Admin for the Stream 1 stream should have full access rights to the stream, and apps, sheets, and stories in the stream",
  "disabled": false,
  "ruleContext": 0,
  "seedId": "00000000-0000-0000-0000-000000000000",
  "version": 0,
  "tags": [],
  "privileges": null,
  "impactSecurityAccess": false,
  "schemaPath": "SystemRule"
}
```
Optional parameters
-