Skip to content

Boolean expression Lock Strings (secBoolExpr DLS plugin)

Overview

A DLS plugin which resolves a boolean expression (lock string) on a document against user's keys where those values define what is true.

For example the lock string on a document could be

AUTHOR|EDITOR

And so the user would need to have either AUTHOR or EDITOR as values within their user keys. For example if the user had user keys:

collection_name;AUTHOR,collection_name;VIEWER

Then that user would have access to the above document.

When evaluating an expression all values the user has are set to true while all missing values are set to false, for the above example it would become:

true|false

Which evaluates to true.

Enabling the Plugin

To enable the plugin set in collection.cfg

security.earlybinding.locks-keys-matcher.name=secBoolExpr

and set

-lock_string_mod_mode=raw

on the indexer.

For example in collection.cfg:

indexer_options=-lock_string_mod_mode=raw

Operators

This plugin supports the following logical operators ordered in lowest to highest precedence:

  • or: can be represented as 'OR', '|' and ','.
  • and: can be represented as 'AND', '.' and '&'.
  • not: can be represented as 'NOT', '!', '-'
  • (): can be represented as '(' and ')'.

Operator types can be mixed in a single lock string, the follow are a valid Lock Strings for this plugin:

a OR b | c , d
NOT!-a
a AND b . c & d

Word operators are case sensitive and are currently are only understood in their upper case form.

Values

Values are case sensitive non-zero ASCII strings consisting of the following characters:

  • 0-9
  • a-z
  • A-Z
  • _ and must not be any operator including NOT, OR, AND. Additionally values must not be the lowercase or any case form any operator. For example, values should not be and, And, not, or, etc. Values may contain operators within them e.g. NOT_A, that will be processed like any other value.

Missing Lock Strings

Documents with missing, empty or zero length boolean expression will be treated as a lock string that does not permit access by any user.

Multiple Lock Strings Per Document

You should ensure that each document has exactly one lock string. Documents which have multiple lock strings will cause undefined behavior.

See also

top

Funnelback logo
v15.18.0