1. Using Advanced Controls
  2. Arrange Filters in an Access Model

Arrange Filters in an Access Model

Position access-point filters and entitlement filters vertically or horizontally to each other to determine how they relate to one another as they're processed.

  • A vertical arrangement indicates an AND relationship: A conflict exists for users identified by filters at all levels.

    For example, an access model may contain three filters, one above another. The uppermost filter identifies users assigned one access point, the filter at the middle level identifies users assigned a second access point, and the bottommost filter identifies users assigned a third access point. A conflict exists for each user assigned all three access points, and so identified by all three filters.

  • A horizontal arrangement indicates an OR relationship: Records are valid if returned by any filter or combination of filters in a horizontal set.

    For example, two filters alongside one another may be positioned above a third filter. Each filter specifies its own access point. A conflict would exist for each user assigned either the first and third access points, or the second and third access points.

A model can include access-point filters, entitlement filters, or both. There's no limit to the number of access-point filters, but for performance reasons, you can't include more than three entitlement filters.

  • If a model contains access-point or entitlement filters at a single level, it performs what's known as sensitive-access analysis: Filters identify access points whose assignment is inherently worthy of review, such as super user job roles.

  • If a model contains access-point or entitlement filters at two or more vertical levels, access points at all levels combine to define a conflict (as in the examples above).

Condition filters work differently. Each condition filter has an OR relationship to all other filters. In effect, all condition filters are applied when a model is run.

Keep these concepts in mind:

  • When you add an access-point or entitlement filter, it appears by default below the lowest access-point or entitlement filter in your model hierarchy.

  • When you add condition filters, they appear by default in a horizontal row beneath the access-point and entitlement filters. You can't move them from that position.

  • Arrows connect the filters, indicating the flow from one filter to another as they're evaluated.

  • You can drag and drop existing access-point and entitlement filters to new positions within the model: Drag a filter so that it overlays another access-point or entitlement filter. A dialog box appears; in it, click And or Or.

    If you select Or, the filter you dragged moves alongside the other filter. If you select And, the filter you dragged moves beneath the other filter. The arrows connecting the filters adjust themselves to reflect the new AND or OR relationship.

    You can't move a filter above the top filter in your model hierarchy, but you can move that top filter below any other.

  • You can edit or delete a filter. Click on it and select the Edit or Delete icon in the Model Logic panel.

  • You can incorporate filters into groups: First select those you want to include. You must select all the filters in a horizontal set, or adjacent filters in a vertical set. Hold down the Ctrl key as you click the filters you want. Then select Create Group. You can drag and drop groups in the same ways as individual filters.

    By default, each group you create is named "Group." To rename it, select it and click the Edit icon in the Model Logic panel.

    To dissolve a group but retain its contents as individual filters, select it and click the Remove Group button. To delete a group and the filters that belong to it, select it and click the Delete icon in the Model Logic panel.