topic Re: Two security rules where each rule grants "export data" capability to specific streams in Management & Governance

Two security rules where each rule grants "export data" capability to specific streams?

mwallman — Fri, 16 Aug 2019 12:42:35 GMT

Hello all,

Is it possible to have two security rules where each rule grants "export data" capability to specific streams?

For example, we have to streams:

Monitoring apps
Everyone stream

Currently, we have disabled the ExportAppData security rule and created a custom rule where it provides export data capability on the Monitoring Apps stream where the user has read permissions.

The rule reads like this:

((resource.stream.name="Montoring apps") and resource.hasPrivelege("read"))

New requirement (possible new rule?)

We now have a rule where from the whole population of users who have access to apps in the Everyone stream... some of them need to have export app data capability for the apps in the everyone stream.

So is it possible to have two rules, one like the original above, and another one where some users can export from apps in the Everyone stream?

Re: Two security rules where each rule grants "export data" capability to specific streams

Nicole-Smith — Fri, 16 Aug 2019 19:26:07 GMT

You could probably do it in the one rule if you wrote it something like this (using user.group as example--replace it with whatever determines this access for you):

(resource.stream.name="Montoring apps" and resource.hasPrivelege("read")) OR (resource.stream.name="Everyone" and resource.hasPrivelege("read") and user.group="EveryoneExport")

Re: Two security rules where each rule grants "export data" capability to specific streams

mwallman — Thu, 22 Aug 2019 11:48:11 GMT

This seems good!

Would having two different security rules also work?

Re: Two security rules where each rule grants "export data" capability to specific streams

Nicole-Smith — Thu, 22 Aug 2019 19:35:59 GMT

Because of the OR condition, I believe you need to do it in one.