Default Access Determination

Every object type has a defined default access. For example, the default access for data areas, product lines, and business classes is no access.

Securable objects belong to a hierarchy, or tree, of objects. For example, a business object such as the Company business class belongs to its containing objects, the module and the product line. The content of the business object--its persistent fields, for example--resides below the object on the tree. If a contained object has access granted, then the containing object has the same access by default.

When the security engine evaluates rules, it applies the rules and defaults in this order:

  1. Rules written against the explicit object name (direct rule)
  2. Rules written against any applicable ontological names (does the object exist in the context of another object, and are there rules written against that object)
  3. Rules written against that object type (does the object extend another object, and are there rules written against that object)
  4. Default access for that object type
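
The four-step order above, as an added Python example that is not the product's own code: it returns both the resulting access and the step that decided it, which is what you need when auditing why an object is reachable. `SecObject`, `resolve`, `RULES`, the access values, and the first-match-wins reading of the list are assumptions made for illustration.

```python
from dataclasses import dataclass

# Default access per object type. The page states "no access" for these
# three; the "Field" entry is a constructed assumption for the sample data.
TYPE_DEFAULTS = {"DataArea": "none", "ProductLine": "none",
                 "BusinessClass": "none", "Field": "none"}

@dataclass(frozen=True)
class SecObject:              # hypothetical model of a securable object
    name: str                 # explicit object name
    obj_type: str             # key into TYPE_DEFAULTS
    contexts: tuple = ()      # objects this one exists in the context of
    extends: tuple = ()       # objects this one extends

def resolve(obj, rules):
    """Return (access, deciding_step) using the four-step order."""
    # 1. Direct rule written against the explicit object name.
    if obj.name in rules:
        return rules[obj.name], "direct"
    # 2. Rule written against an object this one exists in the context of.
    for ctx in obj.contexts:
        if ctx in rules:
            return rules[ctx], f"ontological:{ctx}"
    # 3. Rule written against an object this one extends.
    for base in obj.extends:
        if base in rules:
            return rules[base], f"type:{base}"
    # 4. No rule matched: fall back to the default for the object type.
    #    An unknown type is denied rather than guessed (fail closed).
    return TYPE_DEFAULTS.get(obj.obj_type, "none"), "default"

# Constructed sample rules and objects, not taken from a real security class.
RULES = {"Company": "read", "HR": "update", "BaseEmployee": "read"}
company = SecObject("Company", "BusinessClass", contexts=("HR",))
payroll = SecObject("Payroll", "BusinessClass", contexts=("HR",))
contractor = SecObject("Contractor", "BusinessClass", extends=("BaseEmployee",))
vendor = SecObject("Vendor", "BusinessClass")

if __name__ == "__main__":
    for o in (company, payroll, contractor, vendor):
        print(o.name, resolve(o, RULES))
```

In the sample data, `Company` resolves to `read` from its direct rule even though its `HR` context grants `update`, while `Payroll`, which has no direct rule, picks up `update` from that context.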