Active Roles extends its authorization model with conditional Access Template links. An access rule can be applied to an Access Template link so that the link takes effect only if the access rule's condition evaluates to TRUE. The conditional expressions in an access rule can reference user claims, device claims, and properties of the target object. During a permission check, Active Roles inserts these claims and properties into the conditional expressions found in the access rule, evaluates the expressions, and enables or disables the Access Template link based on the result. In this way, the access rule determines the outcome of the permission check.
Access rules, together with conditional Access Template links, enable Active Roles to use claims when authorizing access to securable objects. This authorization mechanism, known as claims-based access control, supplements Access Template-based access control with an additional layer of authorization that can adapt to the varying needs of the enterprise environment.
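The following added example is a simplified Python model of the permission check described above; it is not Active Roles code or its API. The link names, claim names (`Department`, `Managed`), the target property, the allow-only permission sets, and the choice to treat a missing claim as FALSE are all assumptions made for illustration.

```python
# Simplified model of conditional Access Template links (illustrative only).
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Context:
    user_claims: dict    # claims about the requesting user
    device_claims: dict  # claims about the device the request comes from
    target: dict         # properties of the target object

@dataclass(frozen=True)
class TemplateLink:
    name: str
    permissions: frozenset
    # Access rule applied to the link; None models an unconditional link.
    access_rule: Optional[Callable[[Context], bool]] = None

def link_enabled(link: TemplateLink, ctx: Context) -> bool:
    """A conditional link has an effect only if its rule evaluates to TRUE."""
    if link.access_rule is None:
        return True
    try:
        return link.access_rule(ctx) is True
    except KeyError:
        # Assumption: a claim or property the rule needs is absent, so the
        # condition cannot be TRUE and the link stays disabled (fail closed).
        return False

def effective_permissions(links, ctx: Context) -> set:
    granted = set()
    for link in links:
        if link_enabled(link, ctx):
            granted |= link.permissions
    return granted

# Constructed rule: user and target share a department AND the device is managed.
def same_dept_managed_device(ctx: Context) -> bool:
    return (ctx.user_claims["Department"] == ctx.target["department"]
            and ctx.device_claims["Managed"] is True)

# Constructed links: one unconditional, one governed by the access rule.
LINKS = [
    TemplateLink("Read All Properties", frozenset({"read"})),
    TemplateLink("Reset Password", frozenset({"reset_password"}),
                 same_dept_managed_device),
]

def check(user_claims: dict, device_claims: dict, target: dict) -> set:
    return effective_permissions(LINKS, Context(user_claims, device_claims, target))
```

The same link and the same user yield different results depending on the device and the target object, which is the behavior the access rule adds on top of the Access Template itself.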