
Add Access Controls to a Type Using ConfigAclEnabled

You can use the ConfigAclEnabled or AclEnabled Types to enable access control authorization on a given Type, so that each object maps a path from itself to the user who is allowed to access it.

See Define Permissions to learn more about access controls in the C3 Agentic AI Platform.

ConfigAclEnabled compared to AclEnabled

Use the ConfigAclEnabled Type to add access controls to a non-entity Type and store the record as a configuration. The record is accessible across applications and suits less frequent updates.

Use the AclEnabled Type to add access controls to an entity Type and upsert the configuration in your application database. The record is only accessible within the application and suits more frequent updates.

This topic shows you how to use the ConfigAclEnabled Type to add access controls to a Type.

To learn how to use the AclEnabled Type, see Add Access Controls to a Type Using AclEnabled.

Add access controls using ConfigAclEnabled

The following Types allow you to enable and manage access control on a user-defined Type:

  • AclPrivilege: Use to create an object that defines a Type, access to the object itself, and a path to reference users, roles, or groups.
  • EnableAclPrivilege: Use to create an object that enables access controls for a given Type.
  • ConfigAclEnabled: Mix this Type with the Type you want to add access controls to.
  • AclEntry: An implicitly created record that defines various actions an authorized user can perform on the ACL-enabled Type.
  • AclEnabledTypes: Use to enable or disable access controls for Types that mix AclEnabled.

To set up access controls in an object-to-user approach, complete the following steps:

  1. Create an AclPrivilege object.
  2. Create an EnableAclPrivilege object.
  3. Enable access control on a Type.

After you set up access controls for a user-defined Type, a user can then create an instance of the Type, set the configuration, and access the object.

Create an AclPrivilege object

Complete the steps at "Create an AclPrivilege object" in Add Access Controls to a Type Using AclEnabled.

Create an EnableAclPrivilege object

Complete the steps at "Create an EnableAclPrivilege object" and see "The system implicitly creates an AclEntry record" in Add Access Controls to a Type Using AclEnabled.

Enable access control on a Type

Create a user-defined Type as the target object and mix in the ConfigAclEnabled Type. Add the Type to your application package as <pkgname>/src/<Type>.c3typ. This example uses the Foo Type, stored at <pkgname>/src/Foo.c3typ:

Type

    type Foo mixes ConfigAclEnabled {
        id: !string
        name: !string
        description: string
    }

Demonstrate access controls on a Type

The following example demonstrates access to the Foo object for your own user and userB.

  1. Run the following code in C3 AI Console to set a configuration for Foo as your own user:

     JavaScript
     Foo.make({
         id: '<yourUserId>', // Replace with your username
         name: '<name>',
         description: '<description>'
     }).setConfig()

     This creates an AclEntry object for your user. Your user has access to your own instance of the Foo object according to the expression (id == _context.userName) defined in the AclPrivilege object.

  2. Create a role for userB and add it to <pkgname>/metadata/Role/<Role>.json:

     JSON
     {
         "id": "Foo.Role",
         "permissions": [
             "allow:Foo::*"
         ]
     }

  3. Run the following code in C3 AI Console to create a test user userB and assign it the role Foo.Role:

     JavaScript
     TestIdp.createTestUser("userB", "Password1!", ["Foo.Role"])

     Then run the following code in C3 AI Console to set a configuration for Foo as userB:

     JavaScript
     TestIdp.executeAsUser("userB", () => Foo.make({
         id: 'userB',
         name: '<name>',
         description: '<description>'
     }).setConfig())

     This creates an AclEntry object for userB. userB has access to their own instance of the Foo object according to the same expression (id == _context.userName) defined in the AclPrivilege object.

  4. To demonstrate access controls, run the following code in C3 AI Console as userB to attempt to update your own user's instance of Foo:

     JavaScript
     TestIdp.executeAsUser("userB", () => Foo.make({id: '<yourUserId>'}).get().withName("<newname>").getConfig())

     This code throws an authorization error because userB does not have access to update another user's Foo object according to the expression (id == _context.userName) defined in the AclPrivilege object. This code would run successfully if the id field matched the username userB.

     Similarly, run the following code in C3 AI Console as userB to list Foo configurations filtered to your own user's id (note that the string literal inside the filter expression is quoted):

     JavaScript
     TestIdp.executeAsUser("userB", () => Foo.listConfigs({filter: "id == '<yourUserId>'"}))

     This code returns zero Foo objects because userB does not have access to fetch another user's Foo object according to the expression (id == _context.userName) defined in the AclPrivilege object. This code would run successfully if the id field matched the username userB.
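The following stand-alone JavaScript model is an added example and is not part of the C3 AI documentation or platform code. It reproduces the authorization behaviour of the walkthrough above (a write to another user's record is rejected, and a list filtered to another user's id returns nothing) using constructed records for a user named alice, standing in for your own user, and userB. The `aclPrivilege` object is a hypothetical stand-in for the AclPrivilege expression (id == _context.userName), and the plain functions `setConfig`, `getConfig` and `listConfigs` stand in for the platform methods of the same name; none of them call the C3 API.

```javascript
// Added example (not C3 AI platform code): a stand-alone model of the
// object-to-user access check described on this page. The AclPrivilege
// expression, the user context and the Foo records are all constructed here.

// Constructed stand-in for the AclPrivilege object: its rule is the page's
// expression (id == _context.userName), written as a predicate.
const aclPrivilege = {
  type: 'Foo',
  allows: (record, context) => record.id === context.userName,
};

// Constructed configuration store, simulating what setConfig() persists.
// One record per user, as in the walkthrough: "alice" plays "your own user".
const configStore = new Map([
  ['alice', { id: 'alice', name: 'alice config', description: 'owned by alice' }],
  ['userB', { id: 'userB', name: 'userB config', description: 'owned by userB' }],
]);

class AuthorizationError extends Error {
  constructor(message) {
    super(message);
    this.name = 'AuthorizationError';
  }
}

// Stand-in for TestIdp.executeAsUser(): the caller's context carries userName.
function asUser(userName) {
  return { userName };
}

// Stand-in for setConfig(): a write is only allowed when the record passes the
// privilege expression for the caller; otherwise an authorization error is thrown.
function setConfig(context, record) {
  if (!aclPrivilege.allows(record, context)) {
    throw new AuthorizationError(`${context.userName} may not write Foo ${record.id}`);
  }
  configStore.set(record.id, { ...record });
  return configStore.get(record.id);
}

// Stand-in for getConfig(): reading another user's record is denied the same way.
function getConfig(context, id) {
  const record = configStore.get(id);
  if (record === undefined || !aclPrivilege.allows(record, context)) {
    throw new AuthorizationError(`${context.userName} may not read Foo ${id}`);
  }
  return record;
}

// Stand-in for listConfigs(): the privilege expression is applied to the result
// set, so records the caller may not see are dropped rather than raising an error.
function listConfigs(context, filter = () => true) {
  return [...configStore.values()].filter(
    (record) => filter(record) && aclPrivilege.allows(record, context),
  );
}

// Step 4 of the page, as userB: try to update alice's record, then list it.
function demoAsUserB() {
  const userB = asUser('userB');
  const outcome = { update: null, listed: null };
  try {
    setConfig(userB, { id: 'alice', name: 'renamed by userB', description: '' });
    outcome.update = 'allowed';
  } catch (err) {
    outcome.update = err.name;
  }
  outcome.listed = listConfigs(userB, (r) => r.id === 'alice').length;
  return outcome; // { update: 'AuthorizationError', listed: 0 }
}

console.log(demoAsUserB());
```

The two failure modes differ on purpose, mirroring the page: a write or read of a single record that the caller is not allowed to touch raises an authorization error, whereas a list query simply omits records the caller cannot see, so an empty result is the expected outcome rather than an exception.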
