Action script with a security trigger

This example script demonstrates how to enforce custom security policies by automatically restricting or granting access to specific entities or properties based on a user's roles and permissions. The script is connected to a security trigger that enforces access control by validating user permissions before executing actions.

Before you begin
  • Confirm that security policies are defined for the entity types involved in the script, such as M.Asset or M.Content.

  • Ensure the schema includes properties required for security checks, such as Owner or UserGroup.

  • Test the permissions of the user or role to validate the enforcement of security rules.

Script

var loadConfig = new EntityLoadConfiguration
{
  CultureLoadOption = CultureLoadOption.None,
  RelationLoadOption = new RelationLoadOption("UserGroupToUser"),
  PropertyLoadOption = PropertyLoadOption.None
};

var user = await MClient.Entities.GetAsync(Context.TriggeringUserId.Value, loadConfig);
if (user == null) throw new InvalidOperationException("Triggering user could not be found.");

var webAgencyGroup = await MClient.Users.GetUserGroupAsync("Web agency users");
if (webAgencyGroup == null) throw new InvalidOperationException("Web agency usergroup not found.");

var userGroups = await user.GetRelationAsync<IChildToManyParentsRelation>("UserGroupToUser");

if (!userGroups.Parents.Contains(webAgencyGroup.Id.Value))
{
  throw new ForbiddenException("Only users of usergroup 'Web agency users' are allowed to create or modify assets of image-type 'Web'.");
}

Script explanation

The script first creates an EntityLoadConfiguration object to specify which properties should be loaded with the entity. In this example, we only need to load the UserGroupToUser relation, which specifies which groups the user belongs to.

var loadConfig = new EntityLoadConfiguration
{
  CultureLoadOption = CultureLoadOption.None,
  RelationLoadOption = new RelationLoadOption("UserGroupToUser"),
  PropertyLoadOption = PropertyLoadOption.None
};

Next, it retrieves the user entity by specifying the user's ID (Context.TriggeringUserId.Value) and the load configuration.

var user = await MClient.Entities.GetAsync(Context.TriggeringUserId.Value, loadConfig);

Note

The MClient object is always available and can be used by all script types. For more information about MClient, please refer to the SDK API reference guide. Entities (a property of MClient with type IEntitiesClient) has a GetAsync method that accepts an entity ID and optionally a load configuration object, and then returns the entity object.

If no user object is returned, the script throws an InvalidOperationException.

if (user == null) throw new InvalidOperationException("Triggering user could not be found.");

Next, it attempts to fetch the Web agency users group. If that group isn't found, it throws an InvalidOperationException.

var webAgencyGroup = await MClient.Users.GetUserGroupAsync("Web agency users");
if (webAgencyGroup == null) throw new InvalidOperationException("Web agency usergroup not found.");

It then gets the user groups the user is part of.

var userGroups = await user.GetRelationAsync<IChildToManyParentsRelation>("UserGroupToUser");

Warning

In order to retrieve a relation object using GetRelationAsync, you need to specify the relation's type. In this case, it is IChildToManyParentsRelation. For more information about the relation's types, refer to Stylelabs.M.Sdk.Contracts.Base in the API reference.

Then the script checks whether the current user belongs to webAgencyGroup before allowing them to create or modify the assets matched by the trigger. If the user is not in this group, the script throws a ForbiddenException, which stops the triggering action. As a result, only members of the Web agency users group can create or modify assets of image-type Web.

if (!userGroups.Parents.Contains(webAgencyGroup.Id.Value))
{
  throw new ForbiddenException("Only users of usergroup 'Web agency users' are allowed to create or modify assets of image-type 'Web'.");
}
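As an added example (not part of the original article or the Content Hub product code), the same check generalised to a list of allowed user groups, so one script can serve several groups without duplicating the lookup. It uses only the SDK calls already shown above (EntityLoadConfiguration, MClient.Entities.GetAsync, MClient.Users.GetUserGroupAsync, GetRelationAsync<IChildToManyParentsRelation>) and assumes the same action-script context (MClient and Context available) with System.Linq and System.Collections.Generic in scope. The group names in allowedGroupNames are placeholders.

```csharp
// Added example, not the article's script. Assumes the action-script context of the
// article (MClient, Context, ForbiddenException) and that System.Linq and
// System.Collections.Generic are available to the script.
var allowedGroupNames = new[] { "Web agency users", "Web editors" }; // placeholder group names

// Load only the relation that tells us which groups the triggering user belongs to.
var loadConfig = new EntityLoadConfiguration
{
  CultureLoadOption = CultureLoadOption.None,
  RelationLoadOption = new RelationLoadOption("UserGroupToUser"),
  PropertyLoadOption = PropertyLoadOption.None
};

var user = await MClient.Entities.GetAsync(Context.TriggeringUserId.Value, loadConfig);
if (user == null) throw new InvalidOperationException("Triggering user could not be found.");

var userGroups = await user.GetRelationAsync<IChildToManyParentsRelation>("UserGroupToUser");
var memberOf = new HashSet<long>(userGroups.Parents);

// Resolve every allowed group name to its entity id. A group that cannot be found is a
// configuration error, so fail closed with an exception instead of silently skipping it.
var allowedGroupIds = new List<long>();
foreach (var name in allowedGroupNames)
{
  var group = await MClient.Users.GetUserGroupAsync(name);
  if (group == null) throw new InvalidOperationException($"Usergroup '{name}' not found.");
  allowedGroupIds.Add(group.Id.Value);
}

// Allow the action only if the user is in at least one of the allowed groups.
if (!allowedGroupIds.Any(id => memberOf.Contains(id)))
{
  throw new ForbiddenException(
    $"Only users of usergroup(s) {string.Join(", ", allowedGroupNames)} are allowed to create or modify assets of image-type 'Web'.");
}
```

Throwing InvalidOperationException for a missing group keeps the script failing closed: a typo in a configured group name blocks the action rather than quietly granting it, which is the behaviour you want from a security trigger.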

Setup

  1. Add a new class to the M.AssetType taxonomy with the label Web.

  2. Create, publish, and enable an Action script.

  3. Create an action of type Action script and link it with the script.

  4. Create a new trigger and set its objectives to Entity creation and Entity modification.

    • In the trigger conditions, add the entity definition Asset and add a new condition. Set that condition to Type (AssetTypeToAsset) current value contains any Web.

    • In the trigger actions, add the new action under Security actions.

  5. Save and activate the trigger.
