Jresearch Software Blog

Creating Complex Constraints

Feb 07, 2009 by Ekaterina Gorshkova

Real authorization rules are more complex than this. Restricting access to an operation is typically not enough. In the previous example, where a manager can approve a loan, we may need additional constraints such as "if the loan amount is greater than $1000, it can only be approved by a senior manager". Another typical example: clients may only see the loan requests that they themselves submitted.


How do we cope with this? Easily: we create a rule that contains a logical expression such as "loan.amount<1000" and attach it to the permission. The model with constraints is shown in the picture below:


[Figure: the authorization model with constraints attached to permissions]


We put the constraint on the ApprovePermission, so users with the role Manager can now only approve loans whose amount is strictly less than 1000 (with the expression above, a loan of exactly 1000 is denied to them). Users with the role Senior Manager have no constraint on the Approve operation, so they can approve any loan.


Constraints on permissions can also refer to attributes of the requesting user. For example, an operation could be restricted to users who are 18 or older. In this case, users would have an age attribute and the constraint would compare that attribute with the constant. But we'll talk about users in the next section :)
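To make the model concrete, here is an added example that is not code from the original post or from Jresearch. It puts together the two kinds of constraint discussed above: a resource constraint on the Manager's approve permission ("loan.amount < 1000", with Senior Manager unconstrained), and user-attribute constraints for clients (only the submitter may view a request; only users 18 or older may submit). The constraint strings are parsed with Python's ast module and every node is checked against a whitelist, because a constraint stored as text in a policy store must never be handed to eval(). The names user and loan, the dict-shaped subjects and resources, the operation names and all sample data are assumptions made for the example.

```python
# Added example (not Jresearch code): role -> permission -> constraint model with a
# whitelist-based evaluator. `user`/`loan`, dict-shaped subjects and resources,
# operation names and all sample data are constructed assumptions.
import ast
import operator

_CMP = {ast.Lt: operator.lt, ast.LtE: operator.le, ast.Gt: operator.gt,
        ast.GtE: operator.ge, ast.Eq: operator.eq, ast.NotEq: operator.ne}
# Every node kind allowed in a constraint. No Call, Subscript, Lambda or arithmetic:
# a policy string is data, not a program, and it never reaches eval().
_ALLOWED = (ast.Expression, ast.Compare, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp,
            ast.Not, ast.Attribute, ast.Name, ast.Constant, ast.Load) + tuple(_CMP)


class ConstraintError(Exception):
    """The constraint used something outside the whitelist."""


def safe_to_store(expr):
    """Static check to run before an administrator's constraint is saved."""
    try:
        tree = ast.parse(expr, mode="eval")
    except (SyntaxError, ValueError):
        return False
    return all(isinstance(n, _ALLOWED) for n in ast.walk(tree))


def _eval(node, ctx):
    if isinstance(node, ast.Expression):
        return _eval(node.body, ctx)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str)):
        return node.value
    if isinstance(node, ast.Name):                # `user`, `loan`
        if node.id not in ctx:
            raise ConstraintError(f"unknown name {node.id!r}")
        return ctx[node.id]
    if isinstance(node, ast.Attribute):           # `loan.amount`, `user.age`
        obj = _eval(node.value, ctx)
        if not isinstance(obj, dict) or node.attr not in obj:
            raise ConstraintError(f"unknown attribute {node.attr!r}")
        return obj[node.attr]
    if isinstance(node, ast.Compare):             # chains like 100 <= x < 1000 work
        left = _eval(node.left, ctx)
        for op, rhs in zip(node.ops, node.comparators):
            if type(op) not in _CMP:
                raise ConstraintError(f"operator {type(op).__name__} not allowed")
            right = _eval(rhs, ctx)
            if not _CMP[type(op)](left, right):   # str vs int raises TypeError
                return False
            left = right
        return True
    if isinstance(node, ast.BoolOp):
        values = [_eval(v, ctx) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval(node.operand, ctx)
    raise ConstraintError(f"node {type(node).__name__} not allowed")


def evaluate_constraint(expr, ctx):
    result = _eval(ast.parse(expr, mode="eval"), ctx)
    if not isinstance(result, bool):
        raise ConstraintError("constraint is not a boolean expression")
    return result


# Constructed policy: role -> [(operation, constraint or None for unconditional)].
ROLE_PERMISSIONS = {
    "Manager":       [("approve", "loan.amount < 1000")],
    "SeniorManager": [("approve", None)],
    "Client":        [("view", "loan.owner == user.id"), ("submit", "user.age >= 18")],
}


def is_allowed(user, operation, loan):
    """Deny by default; any matching permission whose constraint holds grants access."""
    ctx = {"user": user, "loan": loan}
    for role in user.get("roles", ()):
        for op, constraint in ROLE_PERMISSIONS.get(role, ()):
            if op != operation:
                continue
            try:
                if constraint is None or evaluate_constraint(constraint, ctx):
                    return True
            except (SyntaxError, ValueError, TypeError, ConstraintError):
                pass                              # fail closed on a broken constraint
    return False


# Constructed sample data.
MANAGER = {"id": "m1", "roles": ["Manager"], "age": 40}
SENIOR = {"id": "s1", "roles": ["SeniorManager"], "age": 50}
ALICE = {"id": "c1", "roles": ["Client"], "age": 30}
MINOR = {"id": "c2", "roles": ["Client"], "age": 16}
SMALL_LOAN = {"owner": "c1", "amount": 500}
EDGE_LOAN = {"owner": "c1", "amount": 1000}       # exactly at the boundary
BIG_LOAN = {"owner": "c2", "amount": 5000}
```

Two details are worth noticing when running it. First, the boundary: the prose says "greater than 1000" needs a senior manager, but the expression is "loan.amount < 1000", so a loan of exactly 1000 is denied to Managers and only Senior Managers can approve it; pick one reading and write the constraint to match. Second, a loan whose amount arrives as the string "500" is denied to the Manager rather than approved, because the comparison raises and the check fails closed instead of guessing.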



© 2008-2009 Jresearch Software s.r.o.