Predicate Security #9807
Unanswered
lucafrosini asked this question in Q&A
Replies: 0 comments
I'm using OrientDB 3.2.5.
I'm migrating from the deprecated Record-level Security to the new Predicate Security.
https://orientdb.org/docs/3.2.x/security/Database-Security.html#predicate-security
After some attempts, I was able to create the scenario of sharing records with different users.
For example, I added the following as reading/writing conditions:
$currentUser IN reader
$currentUser IN writer
E.g.
CREATE SECURITY POLICY allowRead SET CREATE = (FALSE), READ = ($currentUser IN reader), BEFORE UPDATE = (FALSE), AFTER UPDATE = (FALSE), DELETE = (FALSE), EXECUTE = (FALSE)
CREATE SECURITY POLICY allow SET CREATE = (TRUE), READ = ($currentUser IN writer), BEFORE UPDATE = (TRUE), AFTER UPDATE = (TRUE), DELETE = ($currentUser IN writer), EXECUTE = ($currentUser IN writer)
Where reader and writer are the names of the fields I use to keep track of the audience of the records.

If I need to share records with different roles in place of users, is it possible to use a variable such as $currentRole in place of $currentUser to evaluate the condition? More generally, what are the available variables? Is it possible to get other information about the current user and his roles?
PS: For any interested users: if you want to share a record with different users, you must be sure that the type of the fields you use to track the audience is a Linkset with OIdentity as LinkedClass, otherwise it fails.
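The setup the post describes, written out end to end as an added example (it is not code from the post or from the OrientDB project). It uses the CREATE SECURITY POLICY form the post already shows and the ALTER ROLE ... SET POLICY ... ON database.class.<Class> statement from the linked 3.2 docs to bind each policy to a role. The class name SharedDoc, the users alice, bob and carol, and their passwords are assumptions; the roles reader and writer are OrientDB's built-in ones. The last step, matching a role-valued audience field against $currentUser.roles, is an unverified guess about the variable's shape, not something the docs confirm.

```sql
-- Added example, not from the original post or the OrientDB project.
-- Assumed names: class SharedDoc, users alice/bob/carol, built-in roles reader/writer.

-- 1. Audience fields must be LINKSET with OIdentity as linked class
--    (OUser and ORole both extend OIdentity), as the PS in the post notes.
CREATE CLASS SharedDoc
CREATE PROPERTY SharedDoc.title  STRING
CREATE PROPERTY SharedDoc.reader LINKSET OIdentity
CREATE PROPERTY SharedDoc.writer LINKSET OIdentity

-- 2. Users holding the built-in roles; each role is bound to one policy below.
CREATE USER alice IDENTIFIED BY alice_pw ROLE reader
CREATE USER bob   IDENTIFIED BY bob_pw   ROLE writer
CREATE USER carol IDENTIFIED BY carol_pw ROLE reader

-- 3. The two policies from the post. Each predicate is evaluated against the
--    record being accessed; reader/writer are that record's fields and
--    $currentUser is the user running the statement.
CREATE SECURITY POLICY allowRead SET CREATE = (FALSE), READ = ($currentUser IN reader), BEFORE UPDATE = (FALSE), AFTER UPDATE = (FALSE), DELETE = (FALSE), EXECUTE = (FALSE)
CREATE SECURITY POLICY allow SET CREATE = (TRUE), READ = ($currentUser IN writer), BEFORE UPDATE = (TRUE), AFTER UPDATE = (TRUE), DELETE = ($currentUser IN writer), EXECUTE = ($currentUser IN writer)

-- 4. Bind a policy to a role for the class. A role with no policy on the
--    resource keeps its ordinary grants, so admin is unaffected.
ALTER ROLE reader SET POLICY allowRead ON database.class.SharedDoc
ALTER ROLE writer SET POLICY allow     ON database.class.SharedDoc

-- 5. Share one record: by the predicates above, alice (reader role, listed in
--    reader) can read it, bob (writer role, listed in writer) can read, update
--    and delete it, carol (reader role, listed nowhere) cannot see it.
--    Assumption: a SELECT subquery is accepted as the value of a LINKSET field.
INSERT INTO SharedDoc SET title = 'Q3 report',
  reader = (SELECT FROM OUser WHERE name = 'alice'),
  writer = (SELECT FROM OUser WHERE name = 'bob')

-- 6. Check from each account (reconnect as that user before running).
SELECT title FROM SharedDoc
UPDATE SharedDoc SET title = 'Q3 report (final)' WHERE title = 'Q3 report'

-- 7. Role-based sharing. ASSUMPTION, not confirmed by the linked docs: if
--    $currentUser resolves to the OUser record, its roles field (a LINKSET of
--    ORole) should be reachable as $currentUser.roles, so an audience field that
--    holds ORole links could be matched with CONTAINSANY instead of the
--    $currentRole variable the question asks about.
CREATE SECURITY POLICY allowReadByRole SET READ = (reader CONTAINSANY $currentUser.roles)
```

Note that the allow policy lets a writer-role user update any record it can reach; since READ is limited to records whose writer field lists the user, that is what scopes updates in practice, so a policy should always pair a permissive UPDATE with a restrictive READ rather than rely on UPDATE alone.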