I have 3 different participants, each identified by its own ID: Provider, Requester and Consumer. A Provider should be able to view a Requester's bank account, but not a Consumer's bank account. How do I define the rules?
First, the model file:
namespace org.acme.biznet
abstract participant Member identified by memberId {
o String memberId
o String name
o String email
}
// Sensor owners, e.g. private persons, households etc.
participant Provider identified by providerId extends Member {
o String providerId
--> SDTWallet sdtWallet
--> BTCWallet btcWallet
--> Account account
}
// Sensor data recipients, e.g. independent service providers
participant Requester identified by requesterId extends Member {
o String requesterId
--> SDTWallet sdtWallet
--> Account account
}
// Data consumers who buy the processed sensor data, e.g. authorities, government etc.
participant Consumer identified by consumerId extends Member {
o String consumerId
--> Account account
}
// Money account of the network participants.
asset Account identified by accountId {
o String accountId
o Double balance default = 0.0
--> Member owner
}
As I mentioned, a Provider should be able to see his own account and the Requester's account.
rule ProvidersReadAccesstoAccount {
description: "Providers have read access to own Account and Account of Requester"
participant: "org.acme.biznet.Provider"
operation: READ
resource: "org.acme.biznet.Account"
action: ALLOW
}
With this rule I see all 3. So I created this:
rule ProvidersNoAccessToAccount {
description: "Providers have no access to Account of Consumer"
participant: "org.acme.biznet.Provider"
operation: READ
resource(r): "org.acme.biznet.Account"
condition: (r.owner.getIdentifier() == "org.acme.biznet.Consumer")
action: DENY
}
But it does not work. How should it be defined?
Answer 0 (score: 0)
You should be able to replace your last rule with something like this (below). Use getFullyQualifiedType() to get it, as shown below (FYI, getIdentifier() returns the actual ID of the owner participant, e.g. '123').
rule DenyProviderAccessToConsumer {
description: "Disallow Provider -> Consumer"
participant(p): "org.acme.biznet.Provider"
operation: READ
resource(r): "org.acme.biznet.Account"
condition: (r.owner.getFullyQualifiedType() == "org.acme.biznet.Consumer")
action: DENY
}
And this 'more specific' rule should be placed above your 'broader' rule ProvidersReadAccesstoAccount in the permissions.acl file, so that that rule is evaluated after the rule I provided above.
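To make the two points of the answer concrete (the condition must compare the owner's fully qualified type, not its identifier, and the DENY rule must sit above the broad ALLOW rule), here is an added example that is not part of the question, the answer, or Hyperledger Composer itself. It is a small JavaScript simulation that assumes Composer's ACL semantics as the answer relies on them: rules are checked top to bottom, the first rule whose participant type, operation, resource type and condition all match decides, and no match means DENY. The participants, accounts and IDs are constructed sample data.

```javascript
// Added example: a simulation of first-match ACL evaluation, not Composer's
// own engine. Assumption: first matching rule wins; no match => DENY.

// Minimal stand-ins for Composer resources, exposing the two accessors the
// answer contrasts: getFullyQualifiedType() and getIdentifier().
function resource(fqType, id, extra = {}) {
  return {
    getFullyQualifiedType: () => fqType,
    getIdentifier: () => id,
    ...extra,
  };
}

// Constructed sample participants and accounts (not from the page).
const provider = resource('org.acme.biznet.Provider', 'P1');
const requester = resource('org.acme.biznet.Requester', 'R1');
const consumer = resource('org.acme.biznet.Consumer', 'C1');

const accounts = {
  providerAcc: resource('org.acme.biznet.Account', 'ACC-P1', { owner: provider }),
  requesterAcc: resource('org.acme.biznet.Account', 'ACC-R1', { owner: requester }),
  consumerAcc: resource('org.acme.biznet.Account', 'ACC-C1', { owner: consumer }),
};

// A rule mirrors the fields of a permissions.acl rule; `condition` is an
// optional predicate over (participant, resource).
function rule(name, participantType, operation, resourceType, action, condition) {
  return { name, participantType, operation, resourceType, action, condition };
}

// Walk the rules in file order and return the first match's action.
function evaluate(rules, participant, operation, res) {
  for (const r of rules) {
    if (r.participantType !== participant.getFullyQualifiedType()) continue;
    if (r.operation !== operation && r.operation !== 'ALL') continue;
    if (r.resourceType !== res.getFullyQualifiedType()) continue;
    if (r.condition && !r.condition(participant, res)) continue;
    return { action: r.action, rule: r.name };
  }
  return { action: 'DENY', rule: null }; // default deny when nothing matches
}

// The broad rule from the question: any Provider may READ any Account.
const allowAll = rule('ProvidersReadAccesstoAccount', 'org.acme.biznet.Provider',
  'READ', 'org.acme.biznet.Account', 'ALLOW');

// The question's condition: it compares the owner's identifier (e.g. "C1")
// with a type name, so it can never be true and the DENY never fires.
const denyByIdentifier = rule('ProvidersNoAccessToAccount', 'org.acme.biznet.Provider',
  'READ', 'org.acme.biznet.Account', 'DENY',
  (p, r) => r.owner.getIdentifier() === 'org.acme.biznet.Consumer');

// The answer's condition: compare the owner's fully qualified type instead.
const denyByType = rule('DenyProviderAccessToConsumer', 'org.acme.biznet.Provider',
  'READ', 'org.acme.biznet.Account', 'DENY',
  (p, r) => r.owner.getFullyQualifiedType() === 'org.acme.biznet.Consumer');

// Which accounts can the Provider read under a given rule ordering?
function readableByProvider(rules) {
  const out = {};
  for (const [name, acc] of Object.entries(accounts)) {
    out[name] = evaluate(rules, provider, 'READ', acc).action;
  }
  return out;
}

// Three orderings: the broken condition; the right condition but placed below
// the broad ALLOW, so it is shadowed; and the right condition placed first.
console.log(readableByProvider([denyByIdentifier, allowAll])); // consumerAcc: ALLOW
console.log(readableByProvider([allowAll, denyByType]));       // consumerAcc: ALLOW
console.log(readableByProvider([denyByType, allowAll]));       // consumerAcc: DENY
```

Only the last ordering yields the intended result: the Provider's own account and the Requester's account stay readable, and the Consumer's account is denied. The middle ordering shows why the answer insists on placing the specific DENY above the broad ALLOW: with first-match evaluation, a correct DENY below a matching ALLOW is never reached.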