Role rule

Rule types – Abstract

Purpose: The rule is considered 'passed' if the Role of session belongs to the Roles that the rule configuration defines via the static parameters (multiple selection and the 'or any child role (all levels)' option).



A Role rule is considered 'passed' if the role used in the applicable logon context is one of the Roles that the rule configuration specifies via the static parameters ('Multiple selection' and the 'or any child role (all levels)' option).

If no Roles are specified in the configuration, then the Role rule is always considered as 'failed'.

Configuration

The Role rule refers to the Role of session, which is primarily defined by the session, but can be temporarily changed in the context of event handling by the 'Execute as' event action (see also Session-based (rules)).

The reference object in the execution context is irrelevant for this rule.

The configuration of the Role rule provides a static multiple selection for Roles via a multiselect combobox with a search function. It offers for selection all Roles for which there is at least read access in the context of the configuration.

If no Roles are selected, the rule is always considered as 'failed'.

NOTE: If read access is missing for a Role that has already been selected, the entry is neutralized except for its internal ID and shown with the label 'Hidden role'. As long as such an entry is not specifically removed, it remains in the list even if other entries are added or removed. 'Hidden' entries that were deselected by inverting an existing selection do not reappear in the selection when it is inverted again.


The option or any child role (all levels), which is deselected by default, expands the selection of roles accepted by the rule to include all child roles of the explicitly selected Roles. Child roles are all roles that belong to the hierarchy below the selected role.

NOTE: The option cannot be applied selectively to specific Roles. If required, however, two instances of the Role rule can be linked by an OR junction to select roles 'with' and 'without' child roles.


Example

An association criterion is to be considered 'passed' if the current session takes place in the context of a role that lies in the role hierarchy downward from a specific role ('Customer portal admin'), but is not part of the subhierarchy for guest users contained in it, downward from the role 'XF_GUEST'.

To satisfy the described requirements, the association criterion is configured using multiple instances of the Role rule as shown on the right:

  • The first Role rule is considered 'passed' only if the Role of session is a role in the hierarchy down from the selected role 'Customer portal admin' (including this role).

  • The second Role rule is connected to the first one by an AND junction and is negated by a Not rule, signalled by the symbol '!'. It excludes all roles downward from the role 'XF_GUEST' (including this role) and is only evaluated if the first Role rule is satisfied.

NOTE: In both cases, selecting the 'or any child role (all levels)' option causes the rule to also accept (or, in the context of negation, exclude) the Roles subordinate to the respectively selected role.

images/download/attachments/201666036/image-2025-3-28_16-30-12-version-1-modificationdate-1743175812188-api-v2.png

Runtime example:

The following diagram illustrates the effect of the association criterion configured above in a specific role hierarchy.

The Roles for which the association criterion is considered 'passed' are highlighted here with white text on a green background:

images/download/attachments/201666036/image2021-9-20_11-27-56-version-1-modificationdate-1743174996433-api-v2.png
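The evaluation described above, modelled as an added example (not the product's own code). The role hierarchy is constructed for illustration: only 'Customer portal admin' and 'XF_GUEST' come from this page, and all function names are hypothetical.

```python
# Added illustration; not the product's implementation.
# Constructed role hierarchy: child -> parent (None marks the root).
PARENT = {
    "Root": None,
    "Customer portal admin": "Root",
    "Portal editor": "Customer portal admin",
    "XF_GUEST": "Customer portal admin",
    "Guest reader": "XF_GUEST",
    "Backoffice": "Root",
}

def ancestors_and_self(role):
    """Yield the role and every role above it in the hierarchy."""
    seen = set()
    while role is not None and role not in seen:  # guard against cycles
        seen.add(role)
        yield role
        role = PARENT.get(role)

def role_rule(session_role, selected, include_children=False):
    """Role rule: passed if the session role is one of the selected roles,
    or (with the child-role option) lies below one of them at any level."""
    if not selected:  # no Roles configured: the rule always fails
        return False
    if include_children:
        return any(r in selected for r in ancestors_and_self(session_role))
    return session_role in selected

def association_criterion(session_role):
    """Page example: below 'Customer portal admin' AND NOT below 'XF_GUEST'.
    Python's 'and' only evaluates the second rule if the first one passed."""
    return (role_rule(session_role, {"Customer portal admin"}, True)
            and not role_rule(session_role, {"XF_GUEST"}, True))

def passing_roles():
    """All roles of the constructed hierarchy that pass the criterion."""
    return sorted(r for r in PARENT if association_criterion(r))

if __name__ == "__main__":
    print(passing_roles())
```

Note that an empty selection fails closed, so a negated Role rule with no Roles selected would pass for every session.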