<authorization>
    <action>...</action>
    <object>
        <owner>
            <filter>
                <q:equal>
                    <q:path>employeeType</q:path>
                    <q:value>fulltime</q:value>
                </q:equal>
            </filter>
        </owner>
    </object>
</authorization>
Object Selection by Tenant
Authorization applies only to objects that have the same tenant as the subject.
<authorization>
    <action>...</action>
    <object>
        <tenant>
            <sameAsSubject>true</sameAsSubject>
        </tenant>
    </object>
</authorization>
This authorization can be used to restrict users to accessing only objects inside their own tenant.
This authorization works only if both the subject and the object are multi-tenant, i.e. it will not work if the subject does not have a tenant (no tenantRef) or if the object does not have a tenant. Ordinary (non-tenant) authorizations should be used for those cases.
Object Selection Combinations
The object selection criteria can be combined in almost any meaningful way. For example, the following authorization applies only to user objects that have locality set to Caribbean and are in the Org identified by OID