Skip to content

Testing User Access

Now that you've set up a program, products, divisions, roles, permissions, and users, you can test users' credentials and RCX access.

How RBAC with ABAC affects users

Effective permissions are determined by the intersection of RBAC privileges and ABAC division matching. Both conditions must be satisfied. Here's an overview of how the combination of RBAC and ABAC affects users:

If the role grants... And the division grants... Users can...
Read Read Read records
Read Read, Create Read records
Read Read, Create, Update Read records
Read Read, Create, Update, Delete Read records
Read, Create Read Read records
Read, Create, Update Read, Create Read and create records
Read, Create, Update Read, Create, Update Read, create, and update records
Read, Create Read, Create, Update Read and create records
Read, Create, Update, Delete Read Read records
Read, Create, Update, Delete Read, Create, Update Read, create, and update records
Read, Delete Read, Create, Update, Delete Read and delete records
Read, Create, Update, Delete Read, Create, Update, Delete Read, create, update, and delete records

Tip

Remember that objects, such as policies, can also have assigned divisions that RCX considers when determining whether the logged-in user is authorized to perform CRUD operations.

Read Only

  1. Click Sign Out.

  2. Sign in as viewer1.

    The AcmePetCS division has create, read, and update abilities, but the user belongs to the AcmePetViewer role, which has only read access. Signed in as viewer1, you can only view data within RCX; you can't create, update, or delete data. The Members list view, for example, has no Add Member button.

  3. Expand Programs in the nav pane.

  4. Expand the program you want to work with, such as Acme Pet Loyalty Rewards.
  5. Click Policies.

  6. Click the Edit icon () in the Actions column for the BOGO Pet Food policy. The Reward Policy dialog box opens.

    Note

    The Delete icon () isn't visible.

  7. Change the description for the policy.

  8. Click OK.

    If you've assigned a division to this policy, RCX displays an error message letting you know you don't have permission to update the policy record. This is because your role, AcmePetViewer, grants only read permissions, even though the division, AcmePetCS, grants create and update permissions.

  9. Click Cancel.

Create and Update

  1. Click Sign Out.

  2. Sign in as editor1.

    The AcmePetEditor role combined with the AcmePetCS division enables you to perform the create, read, and update operations. You can add and update members, for example, but you can't delete members. The Add Member button is present on the Members list view.

  3. Expand Programs in the nav pane.

  4. Expand the program you want to work with, such as Acme Pet Loyalty Rewards.

  5. Click Policies.

    Add Reward Policy is visible, indicating the user has create permissions for this policy. The Actions column also shows the Save As icon (:material-copy-outline:).

  6. Click the Edit icon () in the Actions column for the BOGO Pet Food policy. The Reward Policy dialog box opens.

    Note

    The Delete icon () isn't visible.

  7. Change the description for the policy.

  8. Click OK.

    The policy is updated without errors. Your role, AcmePetEditor, the division you're assigned to, AcmePetCS, and the division assigned to this policy, AcmePetCS, together grant update permissions.

Create, Update, and Delete

  1. Click Sign Out.
  2. Sign in as admin1.
  3. Expand Programs in the nav pane.
  4. Expand the program you want to work with, such as Acme Pet Loyalty Rewards.

  5. Click Policies.

    Add Reward Policy is visible, indicating the user has Create permissions for this policy. The Actions column also shows the Save As icon (:material-copy-outline:).

  6. Click the Delete icon () in the Actions column for the Mix & Match Collar-Leash policy. The Delete Record? dialog box opens.

  7. Click Yes. The policy is deleted. Your role, AcmePetAdmin, your division, AcmePetIT, and the division assigned to this policy, AcmePetIT, together grant delete permissions.

Exploring Further

  1. Signed in as admin1, click your username.
  2. Click Switch Division, select AcmePetCS, and click OK.
  3. Return to the Reward Policies view. The Delete icon () is no longer visible in the Actions column because the AcmePetCS division doesn't grant delete permissions.