User-defined Attributes

In the previous posts we discussed how to create complex constraints and compared the attributes of protected objects with them. However, this does not help solve cases like "users are only allowed to view requests, which they themselves created."  Here we need to compare an attribute of the request with an attribute of the user attempting to perform the operation. The model for such a constraint is shown in the picture below:

Here we have a protected object Loan with an attribute createdBy. This attribute holds the identifier of the user who applied for the Loan. The ViewPermission has an attribute userId with a stereotype user. This means that the value for this attribute is taken from the attributes of the user accessing the object. If the createdBy attribute of the protected object and  the userId of the permission are equal, then access is granted.  

It is possible to define a constraint using any user attribute stored in the user management system and the attribute can be referred to by name. If for some reason it is not desirable to refer to the attribute by name, then mapping between the attributes in Flexess and those in the user management system can be defined.