A Scope may contain at most one AccessControlHandler. All access to elements within this Scope, or its children Scopes, must first satisfy the AccessControlHandler. A AccessControlHandler must have at least one outgoing RequiresEdge, and each RequiresEdge must connect to either a Role or Permission.
A RequiresEdge may be connected to another RequiresEdge with a ConstraintEdge in order to support the composition of complex conditions. The composition of these outgoing RequiresEdges with any connecting ConstraintEdges represent the access requirements of the AccessControlHandler.
A AccessControlHandler has an associated user instance DomainIterator, which will only be populated when the current user satisfies the access requirements of the handler.
A AccessControlHandler may have an outgoing ECARule named ``login''. If the current user does not satisfy the access requirements of this AccessControlHandler, the ECARule is executed.
[AccessControlHandler.html]DOMAIN_OBJECT
or USER
, but the
AccessControlHandler requires
a Permission
without a Role,
and which does not specify a SelectEdge,
will use the same DomainSource
as the DomainType
used as a Parameter
to the AccessControlHandler.
[login-handler]
DOMAIN_OBJECT
or USER
, but the handlers both use
different DomainTypes
(for example, with inheritance),
and which does not specify a SelectEdge,
will use the same DomainSource
as the DomainType
used as a Parameter
to the AccessControlHandler.
[login-handler]
DOMAIN_OBJECT
or USER
, but the handlers both use
the same DomainTypes,
and which does not specify a SelectEdge,
will use the same DomainSource
as the DomainType
used as a Parameter
to the AccessControlHandler.
[login-handler]
true
if the current element has been generated.