Action script with a security trigger

This example shows how to enforce custom security policies by automatically restricting or granting access to specific entities or properties based on a user's roles and permissions. The web script is connected to a security trigger that enforces access control by validating user permissions before executing actions.

Before you begin
  • Confirm that security policies are defined for the entity types involved in the script, such as M.Asset or M.Content.

  • Ensure the schema includes properties required for security checks, such as Owner or UserGroup.

  • Test the permissions of the user or role to validate the enforcement of security rules.

Script

// Load only the UserGroupToUser relation: no properties, no cultures.
var loadConfig = new EntityLoadConfiguration
{
  CultureLoadOption = CultureLoadOption.None,
  RelationLoadOption = new RelationLoadOption("UserGroupToUser"),
  PropertyLoadOption = PropertyLoadOption.None
};

// Resolve the user who triggered the entity creation or modification.
var user = await MClient.Entities.GetAsync(Context.TriggeringUserId.Value, loadConfig);
if (user == null) throw new InvalidOperationException("Triggering user could not be found.");

// Resolve the user group that is allowed to work on 'Web' assets.
var webAgencyGroup = await MClient.Users.GetUserGroupAsync("Web agency users");
if (webAgencyGroup == null) throw new InvalidOperationException("Web agency usergroup not found.");

// Read the groups the triggering user belongs to (parents of the relation).
var userGroups = await user.GetRelationAsync<IChildToManyParentsRelation>("UserGroupToUser");

// Deny the action unless the user is a member of the allowed group.
if (!userGroups.Parents.Contains(webAgencyGroup.Id.Value))
{
  throw new ForbiddenException("Only users of usergroup 'Web agency users' are allowed to create or modify assets of image-type 'Web'.");
}

Script explanation

This section steps through the script in execution order and explains each part. The numbered items describe the order in which the statements run; they are not steps for you to perform.

  1. Create an EntityLoadConfiguration object to specify which properties should be loaded with the entity. In this example, we only need to load the UserGroupToUser relation, which specifies which groups the user belongs to.

    var loadConfig = new EntityLoadConfiguration
    {
      CultureLoadOption = CultureLoadOption.None,
      RelationLoadOption = new RelationLoadOption("UserGroupToUser"),
      PropertyLoadOption = PropertyLoadOption.None
    };
    
  2. Retrieve the user entity by specifying the user's ID (Context.TriggeringUserId.Value) and the load configuration.

    var user = await MClient.Entities.GetAsync(Context.TriggeringUserId.Value, loadConfig);
    
    Note

    The MClient object is always available and can be used by all script types. For more information about MClient, refer to the SDK API reference. Entities (a property of MClient of type IEntitiesClient) has a GetAsync method that accepts an entity ID and, optionally, a load configuration object, and returns the entity object.

  3. If no user object is returned, the script throws an InvalidOperationException.

    if (user == null) throw new InvalidOperationException("Triggering user could not be found.");
    
  4. Get the Web agency users group. If that group isn't found, the script throws an InvalidOperationException.

    var webAgencyGroup = await MClient.Users.GetUserGroupAsync("Web agency users");
    if (webAgencyGroup == null) throw new InvalidOperationException("Web agency usergroup not found.");
    
  5. Get the user groups the user is part of.

    var userGroups = await user.GetRelationAsync<IChildToManyParentsRelation>("UserGroupToUser");
    
    Warning

    To retrieve a relation object using GetRelationAsync, you need to specify the relation's type. In this case, it is IChildToManyParentsRelation. For more information about the relation's types, refer to Stylelabs.M.Sdk.Contracts.Base in the API reference.

  6. Verify that the current user belongs to webAgencyGroup before allowing them to create or modify the asset. If the user is not in this group, the script throws a ForbiddenException, so only members of the Web agency users group can create or modify image-type web assets.

    if (!userGroups.Parents.Contains(webAgencyGroup.Id.Value))
    {
      throw new ForbiddenException("Only users of usergroup 'Web agency users' are allowed to create or modify assets of image-type 'Web'.");
    }
    
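The following is an added example, not part of the original page or of the product's own sample: it generalizes the six steps above into a check against a configurable set of allowed user groups and makes the script fail closed at every point where a value could be missing (no triggering user, a relation that was not loaded, or a group name that no longer exists). The group name "Web content admins" is a constructed placeholder; "Web agency users" comes from the page. The API members used (MClient.Entities.GetAsync, MClient.Users.GetUserGroupAsync, GetRelationAsync, IChildToManyParentsRelation, ForbiddenException) are the ones the script above already relies on.

```csharp
// Added example (not from the original page). Allowed group names are configuration;
// "Web content admins" is a constructed placeholder, "Web agency users" is from the page.
var allowedGroupNames = new[] { "Web agency users", "Web content admins" };

// Load only the UserGroupToUser relation, as in the original script.
var loadConfig = new EntityLoadConfiguration
{
  CultureLoadOption = CultureLoadOption.None,
  RelationLoadOption = new RelationLoadOption("UserGroupToUser"),
  PropertyLoadOption = PropertyLoadOption.None
};

// Fail closed: a security trigger with no identifiable actor must not let the action through.
if (!Context.TriggeringUserId.HasValue)
  throw new ForbiddenException("No triggering user on this action; refusing to create or modify the asset.");

var user = await MClient.Entities.GetAsync(Context.TriggeringUserId.Value, loadConfig);
if (user == null) throw new InvalidOperationException("Triggering user could not be found.");

// A relation that was not loaded yields null; treat that as "member of nothing", not as a pass.
var membership = await user.GetRelationAsync<IChildToManyParentsRelation>("UserGroupToUser");
var memberOf = membership?.Parents ?? new List<long>();

// Resolve every allowed group name to its ID. A missing group is a configuration error:
// throwing here is deliberate, because silently skipping it would weaken the policy.
var allowedIds = new List<long>();
foreach (var name in allowedGroupNames)
{
  var group = await MClient.Users.GetUserGroupAsync(name);
  if (group == null) throw new InvalidOperationException($"User group '{name}' not found.");
  allowedIds.Add(group.Id.Value);
}

// Grant only if the user is in at least one allowed group.
if (!allowedIds.Any(id => memberOf.Contains(id)))
{
  throw new ForbiddenException(
    $"Only members of {string.Join(" or ", allowedGroupNames)} are allowed to create or modify assets of image-type 'Web'.");
}
```

The two exception types carry different meanings for whoever reads the trigger's execution log: ForbiddenException records a policy decision against a known user, while InvalidOperationException records a broken configuration (a user or group that should exist but does not). Keeping that distinction makes it easy to tell a genuine denial from a misconfigured trigger.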

Setup

  1. Add a new class to the M.AssetType taxonomy with the label Web.

  2. Create, publish, and enable an Action script.

  3. Create an action of type Action script and link it with the script.

  4. Create a new trigger and set its objectives to Entity creation and Entity modification.

    • In the trigger conditions, add the entity definition Asset and add a new condition. Set that condition to Type (AssetTypeToAsset) current value contains any Web.

    • In the trigger actions, add the new action under Security actions.

  5. Save and activate the trigger.
