Examples of Access Rules in text serialization

Allow READ access for Anonymous to complete API

    ACCESSRULE:
      ATTRIBUTES: GLOBAL(ANONYMOUS)
      RIGHTS: READ
      ACCESS: ALLOW
      OBJECTS: ROUTE "*"
      FORMULA: true

Allow READ access for Anonymous to list of semanticIDs for submodels

    ACCESSRULE:
      ATTRIBUTES: GLOBAL(ANONYMOUS)
      RIGHTS: READ
      ACCESS: ALLOW
      OBJECTS: ROUTE "*"
      FORMULA:
        $or(
          $sm#semanticId $eq "SemanticID-Nameplate",
          $sm#semanticId $eq "SemanticID-TechnicalData"
        )

Allow READ and UPDATE for specific authenticated users

    ACCESSRULE:
      ATTRIBUTES: CLAIM("email")
      RIGHTS: READ UPDATE
      ACCESS: ALLOW
      OBJECTS: IDENTIFIABLE "(Submodel)*"
      FORMULA:
        $and(
          $or(
            $sm#semanticId $eq "SemanticID-Nameplate",
            $sm#semanticId $eq "SemanticID-TechnicalData"
          ),
          $or(
            CLAIM("email") $eq "user1@company1.com",
            CLAIM("email") $eq "user2@company2.com"
          )
        )

Allow READ and UPDATE for specific submodel "submodel1"

    ACCESSRULE:
      ATTRIBUTES: CLAIM("email")
      RIGHTS: READ UPDATE
      ACCESS: ALLOW
      OBJECTS: IDENTIFIABLE "(Submodel)https://submodel1.company1.com"
      FORMULA: CLAIM("email") $eq "user1@company1.com"

Reuse of ACL, OBJECT and FORMULA

    DEFACLS "acl1"
      ATTRIBUTES: CLAIM("email") GLOBAL(UTCNOW)
      RIGHTS: READ UPDATE
      ACCESS: ALLOW

    DEFOBJECTS "Properties"
      REFERABLE "(Submodel)https://s1.com, (Property)p1"
      REFERABLE "(Submodel)https://s1.com, (Property)p2"

    DEFFORMULAS "allowSubjectGroup1"
      $and(
        GLOBAL(UTCNOW) $gt "15:00",
        $or(
          CLAIM("email") $eq "user1@company1.com",
          CLAIM("email") $eq "user2@company2.com"
        )
      )

    ACCESSRULE:
      USEACLS "acl1"
      OBJECTS: USEOBJECTS "Properties"
      FORMULA: USEFORMULAS "allowSubjectGroup1"

Example with BusinessPartnerNumber

    ACCESSRULE:
      ATTRIBUTES: CLAIM("BusinessPartnerNumber")
      RIGHTS: READ
      ACCESS: ALLOW
      OBJECTS: ROUTE "*"
      FORMULA: CLAIM("BusinessPartnerNumber") $eq "BPN1234"

Allow READ for all authenticated users of a company for submodels Nameplate and TechnicalData

    ACCESSRULE:
      ATTRIBUTES: CLAIM("email")
      RIGHTS: READ
      ACCESS: ALLOW
      OBJECTS: IDENTIFIABLE "(Submodel)*"
      FORMULA:
        $and(
          $or(
            $sm#semanticId $eq "SemanticID-Nameplate",
            $sm#semanticId $eq "SemanticID-TechnicalData"
          ),
          $regex(CLAIM("email"), "[\w\.]+@company\.com")
        )

Allow READ to all Submodels with ID pattern for all authenticated users of a company for submodels with Nameplate and TechnicalData from 9:00-17:00

    ACCESSRULE:
      ATTRIBUTES: CLAIM("companyName")
      RIGHTS: READ
      ACCESS: ALLOW
      OBJECTS: IDENTIFIABLE "(Submodel)*"
      FORMULA:
        $and(
          $or(
            $sm#semanticId $eq "SemanticID-Nameplate",
            $sm#semanticId $eq "SemanticID-TechnicalData"
          ),
          CLAIM("companyName") $eq "company1-name",
          $regex(REFERENCE("(Submodel)*#Id"), "^https://company1.com/.*$"),
          GLOBAL(UTCNOW) $ge "09:00",
          GLOBAL(UTCNOW) $le "17:00"
        )

Example with FILTER statement

    ACCESSRULE:
      ATTRIBUTES: CLAIM("BusinessPartnerNumber")
      RIGHTS: READ
      ACCESS: ALLOW
      OBJECTS: DESCRIPTOR "(aasDesc)*"
      FORMULA:
        $and(
          CLAIM("BusinessPartnerNumber") $eq "BPNL00000000000A",
          $match(
            $aasdesc#specificAssetIds[].name $eq "manufacturerPartId",
            $aasdesc#specificAssetIds[].value $eq "99991",
            $aasdesc#specificAssetIds[].externalSubjectId.keys[0].value $eq "PUBLIC_READABLE"
          ),
          $match(
            $aasdesc#specificAssetIds[].name $eq "customerPartId",
            $aasdesc#specificAssetIds[].value $eq "ACME001"
          )
        )
      FILTER:
        FRAGMENT "$aasdesc#assetInformation.specificAssetIds[]"
        $or(
          $match(
            $aasdesc#specificAssetIds[].name $eq "manufacturerPartId",
            $aasdesc#specificAssetIds[].value $eq "99991"
          ),
          $match(
            $aasdesc#specificAssetIds[].name $eq "customerPartId",
            $aasdesc#specificAssetIds[].value $eq "ACME001"
          ),
          $aasdesc#specificAssetIds[].name $eq "partInstanceId",
          $aasdesc#specificAssetIds[].externalSubjectId.keys[0].value $eq CLAIM("BusinessPartnerNumber"),
          $aasdesc#specificAssetIds[].externalSubjectId.keys[0].value $eq "PUBLIC_READABLE"
        )
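
The two $regex conditions in the company rules above differ in anchoring: the email pattern has no ^ or $, while the submodel ID pattern has both but leaves the "." in company1.com unescaped. The Python check below is an added example, not part of the original page or of any rule engine; it assumes the engine's regex dialect behaves like Python's re module and, because the page does not say whether $regex matches the whole string or searches within it, evaluates the patterns both ways. The helper names and the sample values are constructed for illustration.

```python
import re

# Constructed input: the two $regex calls copied from the rules on this page.
RULES = r'''
$regex(CLAIM("email"), "[\w\.]+@company\.com")
$regex(REFERENCE("(Submodel)*#Id"), "^https://company1.com/.*$")
'''

# $regex(<operand>, "<pattern>"), where the pattern may contain backslash escapes.
REGEX_CALL = re.compile(r'\$regex\(\s*(.+?),\s*"((?:[^"\\]|\\.)*)"\s*\)')
# A bare '.' between a letter/digit and a letter, e.g. "company1.com".
BARE_DOT = re.compile(r'(?<=[A-Za-z0-9])\.(?=[A-Za-z])')


def audit_regex_anchors(rule_text):
    """Return [(operand, pattern, [issues])] for every $regex call found."""
    findings = []
    for operand, pattern in REGEX_CALL.findall(rule_text):
        issues = []
        if not pattern.startswith("^"):
            issues.append("no leading ^")
        if not pattern.endswith("$") or pattern.endswith("\\$"):
            issues.append("no trailing $")
        if BARE_DOT.search(pattern):
            issues.append("unescaped '.' in literal")
        findings.append((operand, pattern, issues))
    return findings


def matches(pattern, value, whole_string):
    """Evaluate one pattern under whole-string or substring-search semantics."""
    fn = re.fullmatch if whole_string else re.search
    return fn(pattern, value) is not None


if __name__ == "__main__":
    for operand, pattern, issues in audit_regex_anchors(RULES):
        print(operand, pattern, issues or "ok")
    # Constructed claim value: another domain that merely contains "@company.com".
    other = "user@company.com.example.org"
    print("search:", matches(r"[\w\.]+@company\.com", other, False))
    print("whole string:", matches(r"[\w\.]+@company\.com", other, True))
```

Writing the patterns as "^[\w\.]+@company\.com$" and "^https://company1\.com/.*$" makes the decision independent of which matching semantics the engine applies.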