Mandatory control properties¶
Mandatory control properties are object type properties that allow for granular access control to the data stored in objects. You can use mandatory control properties to restrict access to all other properties in the same datasource for a given object, making those properties viewable only by users who satisfy the mandatory controls.
Note: Mandatory control properties are only available on Object Storage V2.
How to use mandatory control properties¶
- First, create your marking-backed restricted view (RV). Learn more about creating marking-backed restricted views.
- Navigate to the Ontology Manager.
- Choose the object type for which you want to restrict property access, then create or select the property you want to set as a mandatory control property.
- On the property sidebar, ensure the property is mapped to the corresponding marking column on your restricted view.
- Set the base type of the property type to Mandatory Control.
  - By default a mandatory control property supports markings and/or organizations to restrict access.
  - If you have CBAC enabled, you will have the option to choose classification based mandatory controls.
- Select the Allowed markings and/or Allowed organizations on the datasource. For classifications, select the Max classification.
- If the object type has multiple datasources, select a mandatory control property for each of the other datasources to secure their properties as well.
- Save your changes to the ontology and wait for the reindex to be completed.
Types of mandatory control properties¶
There are three types of mandatory controls that can be set on a property:
Markings¶
Markings are mandatory controls that restrict access by requiring a user to have a particular Marking in order to access data. If a resource has multiple markings, the user must have all of them to access the resource. Learn more about markings.
To use markings, you are required to provide a set of allowed markings. Only markings in this set will be permitted on any mandatory control property on the datasource.
Organizations¶
Organizations are access requirements that enforce strict silos between groups of users and resources. Every user is a member of only one organization but can be a guest member of multiple organizations. To access data marked with an organization, a user must be a member of that organization. If a resource has multiple organizations, the user must be a member of at least one of the organizations applied to the resource. Learn more about organizations.
To use organizations, you are required to provide a set of allowed organizations. Only organizations in this set will be permitted on any mandatory control property on the datasource.
Markings and organizations can be used together on the same mandatory control property. In this case, a user must satisfy all the markings and at least one of the organizations to access the resource.
Classifications¶
Classification markings are mandatory controls used to protect sensitive government information. They are used to restrict access to sensitive information where sensitivity of information is defined in a hierarchical way. Every user can only access data that is classified at or below their own classification level.
You can only configure CBAC markings if you have CBAC enabled on your enrollment. Learn more about CBAC (classification based access controls).
To use classifications, you need to provide a max classification. Only markings that satisfy this max classification will be permitted on any classification-based mandatory control property on the datasource.
Classifications cannot be used together with markings or organizations on the same mandatory control property.
Datasource-level permissioning¶
A mandatory control property secures all other properties in the same datasource. For object types with a single datasource, this means that a user will only be able to view an object if they satisfy the value in the mandatory control property.
However, for multi-datasource-backed object types (MDOs), each datasource could have its own mandatory control property. Only the properties backed by a specific datasource will be secured by the mandatory control in that datasource.
This means that it is possible for a user to have permission to see only a subset of the properties on an object. In this case, the user will only be able to see the properties mapped from the datasources whose mandatory controls they satisfy. Other properties will appear as null when displaying an object instance to the user.
To use mandatory control properties effectively, the backing datasources should be structured in such a way that only properties that should share a mandatory control are in the same datasource.
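The access rules above can be modelled in a few lines. The following is an added illustration, not Foundry code or a Foundry API: `User`, `DatasourceRow`, `satisfies`, `view_object` and all sample markings, organizations and property names are constructed for the example. It combines the markings rule (all required) with the organizations rule (at least one) and applies them per datasource.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    markings: frozenset
    organizations: frozenset  # organizations the user is a member or guest member of

@dataclass(frozen=True)
class DatasourceRow:
    control_markings: frozenset  # markings in this datasource's mandatory control property
    control_orgs: frozenset      # organizations in the same property
    properties: tuple            # ((name, value), ...) backed by this datasource

def satisfies(user, row):
    """All markings are required; at least one organization, if any are set."""
    if not row.control_markings <= user.markings:
        return False
    if row.control_orgs and not (row.control_orgs & user.organizations):
        return False
    return True  # empty arrays impose no requirement

def view_object(user, rows):
    """Return {property: value}, with None for properties the user may not see.
    Returns None when no datasource is satisfied (object not viewable); for
    multi-datasource objects that outcome is an assumption of this model."""
    if not any(satisfies(user, r) for r in rows):
        return None
    view = {}
    for r in rows:
        ok = satisfies(user, r)
        for name, value in r.properties:
            view[name] = value if ok else None
    return view

# Constructed sample: one object backed by two datasources.
PROFILE = DatasourceRow(frozenset(), frozenset({"org-a", "org-b"}),
                        (("name", "J. Doe"), ("team", "Ops")))
PAYROLL = DatasourceRow(frozenset({"pii", "finance"}), frozenset({"org-a"}),
                        (("salary", 90000),))
OBJ = [PROFILE, PAYROLL]

analyst = User(frozenset({"pii"}), frozenset({"org-b"}))              # lacks "finance"
auditor = User(frozenset({"pii", "finance"}), frozenset({"org-a"}))   # satisfies both
outsider = User(frozenset({"pii", "finance"}), frozenset({"org-c"}))  # wrong organization

if __name__ == "__main__":
    for who in (analyst, auditor, outsider):
        print(view_object(who, OBJ))
```

The analyst case shows why datasource layout matters: `salary` is nulled only because it lives in a separate datasource from `name` and `team`.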
Validations¶
The following validations are enforced on mandatory control properties:
- Mandatory control properties must be mapped to a marking column on a restricted view. The mandatory controls are enforced by backing the object type with a restricted view which has a policy that requires users to satisfy the markings in the mapped column to be able to view a row. See Restricted Views for more information.
- Mandatory control properties must be required. This ensures that if an object with a mandatory control property is present on a datasource, the mandatory control must be defined to help maintain data consistency and integrity. All mandatory control properties must not be null. However, markings and organization values can be set to an empty array. In such cases, all users will meet the marking requirements and be able to view the row. Learn more about required properties.
- If you want to add a mandatory control property to an edit-only object type that already has edits, you cannot create the property directly because mandatory control properties cannot be empty. To work around this:
  - Add a nullable string array property.
  - Backfill its values using an Action.
  - Change the property's base type to Mandatory Control.
- Every datasource that contains a mandatory control property must define a constraint on what values can be added to those properties. These constraints come in the form of a max classification for classification-based mandatory controls, or a set of allowed markings and/or allowed organizations. Any edits made to the mandatory control properties, as well as the values obtained from the backing dataset, must adhere to the constraint set on the datasource.
  - This constraint is enforced at the object storage level. Even though you may be able to use Ontology Manager to save an object type that violates this constraint, the object type will fail to index if existing values in the dataset do not satisfy the constraints, or if the values in the dataset are updated to include invalid values for the mandatory controls. Also, any edit that tries to set an invalid value on the mandatory control property will be rejected and the Action will fail to submit.
  - These allowed markings, allowed organizations or max classification will be used to mark any exported dataset that is materialized from this object type. This ensures that only users who can view all rows on the object type will be able to view the materialized dataset.
Note that mandatory control properties are set to Hidden by default. This is because mandatory control properties are meant to be used as markings for other fields, so there is usually no need for mandatory control properties to appear in object views or tables. However, mandatory control property visibility can still be enabled if needed.
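Because the constraint is enforced at indexing time, it can help to check the backing dataset's values before saving the object type. The sketch below is an added example, not part of the product: `violations`, the `acl` column name, the sample rows and the linear `LEVELS` hierarchy are all constructed, and real classification hierarchies may not be a simple ordered list.

```python
LEVELS = ["LEVEL-1", "LEVEL-2", "LEVEL-3"]  # constructed linear hierarchy, lowest first

def violations(rows, column, allowed=None, max_classification=None):
    """Check each row's mandatory control value against the datasource constraint.

    Pass `allowed` (the allowed markings and organizations) or
    `max_classification`, not both, since classifications cannot be mixed
    with markings or organizations. Returns [(row_index, reason), ...].
    """
    if (allowed is None) == (max_classification is None):
        raise ValueError("set exactly one of allowed / max_classification")
    found = []
    for i, row in enumerate(rows):
        value = row.get(column)
        if value is None:
            # Mandatory control properties are required and must not be null.
            found.append((i, "null mandatory control"))
            continue
        if allowed is not None:
            # An empty array is valid: it imposes no requirement on viewers.
            extra = sorted(set(value) - set(allowed))
            if extra:
                found.append((i, "not allowed: " + ", ".join(extra)))
        else:
            ceiling = LEVELS.index(max_classification)
            over = sorted(v for v in value
                          if v not in LEVELS or LEVELS.index(v) > ceiling)
            if over:
                found.append((i, "not within max classification: " + ", ".join(over)))
    return found

# Constructed sample rows from a hypothetical backing dataset.
ROWS = [
    {"id": 1, "acl": ["pii"]},
    {"id": 2, "acl": []},                 # valid: visible to all users
    {"id": 3, "acl": None},               # invalid: null
    {"id": 4, "acl": ["pii", "legal"]},   # invalid: "legal" is not allowed
]
CLASSIFIED_ROWS = [{"id": 1, "acl": ["LEVEL-1"]}, {"id": 2, "acl": ["LEVEL-3"]}]

if __name__ == "__main__":
    print(violations(ROWS, "acl", allowed={"pii", "finance", "org-a"}))
    print(violations(CLASSIFIED_ROWS, "acl", max_classification="LEVEL-2"))
```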
Mandatory controls in actions¶
You can add a mandatory control parameter to your action type. This can be a marking parameter, or a classification parameter if CBAC is enabled. Organization parameters are currently not supported.
Mandatory control parameters are commonly used to set a mandatory control property on an object that the action creates. In this case, the values provided must adhere to the property's allowed values; if an invalid value is provided, action submission will fail.
For classification-based mandatory control parameters, you can also add a max classification at the parameter level. This is an action type validation, so it prevents the action from being submitted if the provided value does not satisfy the max classification. Relying on the datasource validation instead will allow the action to be submitted, but it will fail to complete.
Objects created by actions will be secured by the provided value for the mandatory control property, just like objects derived from a backing datasource.
Marketplace usage¶
Object types with mandatory control properties and action types with mandatory control parameters can be packaged and installed through Marketplace.
When packaging an object type with mandatory control properties, the allowed markings or max classification are declared as installation inputs for that product.
Similarly, when packaging an action type that has a classification-based mandatory control parameter with a max classification set, the max classification is declared as an installation input.
When installing the product, you will be prompted to select the allowed markings or max classification for each mandatory control property. The selected values will be set as allowed markings or max classification of the mandatory control properties upon install.

Note that packaging multiple mandatory control properties and/or parameters with the same values results in only one mandatory control input being declared.