Examples of Access Rules in text serialization

Allow READ access for Anonymous to the complete API

    ACCESSRULE:
      ATTRIBUTES: GLOBAL(ANONYMOUS)
      RIGHTS: READ
      ACCESS: ALLOW
      OBJECTS: ROUTE "*"
      FORMULA: true

Allow READ access for Anonymous to a list of semanticIDs for submodels

    ACCESSRULE:
      ATTRIBUTES: GLOBAL(ANONYMOUS)
      RIGHTS: READ
      ACCESS: ALLOW
      OBJECTS: ROUTE "*"
      FORMULA:
        $or(
          $sm#semanticId $eq "SemanticID-Nameplate",
          $sm#semanticId $eq "SemanticID-TechnicalData"
        )

Allow EXECUTE of API operations only if the machine is not running

    ACCESSRULE:
      ATTRIBUTES: GLOBAL(ANONYMOUS)
      RIGHTS: EXECUTE
      ACCESS: ALLOW
      OBJECTS: ROUTE "*"
      FORMULA: REFERENCE($sme("SubmodelID-OperationalData").machineState#value) $eq "not-running"

Allow READ and UPDATE for specific authenticated users

    ACCESSRULE:
      ATTRIBUTES: CLAIM("email")
      RIGHTS: READ UPDATE
      ACCESS: ALLOW
      OBJECTS: IDENTIFIABLE $sm("*")
      FORMULA:
        $and(
          $or(
            $sm#semanticId $eq "SemanticID-Nameplate",
            $sm#semanticId $eq "SemanticID-TechnicalData"
          ),
          $or(
            CLAIM("email") $eq "user1@company1.com",
            CLAIM("email") $eq "user2@company2.com"
          )
        )

Allow READ and UPDATE for the specific submodel "submodel1"

    ACCESSRULE:
      ATTRIBUTES: CLAIM("email")
      RIGHTS: READ UPDATE
      ACCESS: ALLOW
      OBJECTS: IDENTIFIABLE $sm("https://submodel1.company1.com")
      FORMULA: CLAIM("email") $eq "user1@company1.com"

Reuse of ACL, OBJECT and FORMULA definitions

    DEFACLS "acl1"
      ATTRIBUTES: CLAIM("email") GLOBAL(UTCNOW)
      RIGHTS: READ UPDATE
      ACCESS: ALLOW

    DEFOBJECTS "Properties"
      REFERABLE $sme("https://s1.com").p1
      REFERABLE $sme("https://s1.com").p2

    DEFFORMULAS "allowSubjectGroup1"
      $and(
        GLOBAL(UTCNOW) $gt "15:00",
        $or(
          CLAIM("email") $eq "user1@company1.com",
          CLAIM("email") $eq "user2@company2.com"
        )
      )

    ACCESSRULE:
      USEACLS "acl1"
      OBJECTS: USEOBJECTS "Properties"
      FORMULA: USEFORMULAS "allowSubjectGroup1"

Example with BusinessPartnerNumber

    ACCESSRULE:
      ATTRIBUTES: CLAIM("BusinessPartnerNumber")
      RIGHTS: READ
      ACCESS: ALLOW
      OBJECTS: ROUTE "*"
      FORMULA: CLAIM("BusinessPartnerNumber") $eq "BPN1234"

Allow READ for all authenticated users of a company to the submodels Nameplate and TechnicalData

    ACCESSRULE:
      ATTRIBUTES: CLAIM("email")
      RIGHTS: READ
      ACCESS: ALLOW
      OBJECTS: IDENTIFIABLE $sm("*")
      FORMULA:
        $and(
          $or(
            $sm#semanticId $eq "SemanticID-Nameplate",
            $sm#semanticId $eq "SemanticID-TechnicalData"
          ),
          $regex(CLAIM("email"), "[\w\.]+@company\.com")
        )

Allow READ, from 9:00 to 17:00, for all authenticated users of a company to the submodels Nameplate and TechnicalData whose ID matches a pattern

    ACCESSRULE:
      ATTRIBUTES: CLAIM("companyName")
      RIGHTS: READ
      ACCESS: ALLOW
      OBJECTS: IDENTIFIABLE $sm("*")
      FORMULA:
        $and(
          $or(
            $sm#semanticId $eq "SemanticID-Nameplate",
            $sm#semanticId $eq "SemanticID-TechnicalData"
          ),
          CLAIM("companyName") $eq "company1-name",
          $regex($sm#id, "^https://company1.com/.*$"),
          GLOBAL(UTCNOW) $ge "09:00",
          GLOBAL(UTCNOW) $le "17:00"
        )

Allow only adding elements to the CertificateSet in any Submodel

    ACCESSRULE:
      ATTRIBUTES: CLAIM("Role")
      RIGHTS: CREATE
      ACCESS: ALLOW
      OBJECTS: IDENTIFIABLE $sm("*")
      FORMULA:
        $and(
          CLAIM("Role") $eq "person with legitimate interest",
          $sme#semanticId $eq "CertificateSet"
        )

Example with FILTER statement

    ACCESSRULE:
      ATTRIBUTES: CLAIM("BusinessPartnerNumber")
      RIGHTS: READ
      ACCESS: ALLOW
      OBJECTS: DESCRIPTOR $aasDesc("*")
      FORMULA:
        $and(
          CLAIM("BusinessPartnerNumber") $eq "BPNL00000000000A",
          $match(
            $aasdesc#specificAssetIds[].name $eq "manufacturerPartId",
            $aasdesc#specificAssetIds[].value $eq "99991",
            $aasdesc#specificAssetIds[].externalSubjectId $eq "PUBLIC_READABLE"
          ),
          $match(
            $aasdesc#specificAssetIds[].name $eq "customerPartId",
            $aasdesc#specificAssetIds[].value $eq "ACME001"
          )
        )
      FILTER:
        FRAGMENT "$aasdesc#specificAssetIds[]"
          $or(
            $match(
              $aasdesc#specificAssetIds[].name $eq "manufacturerPartId",
              $aasdesc#specificAssetIds[].value $eq "99991"
            ),
            $match(
              $aasdesc#specificAssetIds[].name $eq "customerPartId",
              $aasdesc#specificAssetIds[].value $eq "ACME001"
            ),
            $aasdesc#specificAssetIds[].name $eq "partInstanceId",
            $aasdesc#specificAssetIds[].externalSubjectId $eq CLAIM("BusinessPartnerNumber"),
            $aasdesc#specificAssetIds[].externalSubjectId $eq "PUBLIC_READABLE"
          )
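As an added example that is not part of the specification text or any reference implementation, the following Python models how an evaluator could apply two of the rules above: the time-windowed READ rule on Submodels and the FILTER fragment on specificAssetIds. The function names, the dict layout of the request context and the sample data are constructed assumptions.

```python
import re

# Added example, not code from the specification: a hypothetical evaluator for
# two rules on this page. Inputs mirror the rule language: CLAIM("x") is claims["x"],
# GLOBAL(UTCNOW) is utcnow as "HH:MM", $sm#... and $aasdesc#... are dict fields.

ALLOWED_SEMANTIC_IDS = {"SemanticID-Nameplate", "SemanticID-TechnicalData"}
SM_ID_PATTERN = re.compile(r"^https://company1.com/.*$")  # as on the page; the dot is unescaped
HHMM = re.compile(r"^(?:[01]\d|2[0-3]):[0-5]\d$")          # zero-padded UTC clock time

def read_allowed(claims: dict, submodel: dict, utcnow: str) -> bool:
    """Rule 'Allow READ ... from 9:00 to 17:00 ... whose ID matches a pattern'.
    Every operand of the $and(...) must hold; a missing claim or a malformed
    clock value evaluates to False, so the rule never grants by accident."""
    return (
        bool(HHMM.match(utcnow))                                     # reject unparsable time
        and submodel.get("semanticId") in ALLOWED_SEMANTIC_IDS       # $or of the two $eq
        and claims.get("companyName") == "company1-name"             # CLAIM("companyName") $eq
        and SM_ID_PATTERN.match(submodel.get("id", "")) is not None  # $regex($sm#id, ...)
        and "09:00" <= utcnow <= "17:00"                             # $ge / $le on "HH:MM"
    )

def visible_specific_asset_ids(claims: dict, descriptor: dict) -> list:
    """FILTER fragment of the last example: a specificAssetIds[] entry stays in the
    response only if at least one $or branch holds; the caller's BPN unlocks its own entries."""
    bpn = claims.get("BusinessPartnerNumber")
    def keep(sid: dict) -> bool:
        name, value, subject = (sid.get(k) for k in ("name", "value", "externalSubjectId"))
        return (
            (name == "manufacturerPartId" and value == "99991")
            or (name == "customerPartId" and value == "ACME001")
            or name == "partInstanceId"
            or (bpn is not None and subject == bpn)
            or subject == "PUBLIC_READABLE"
        )
    return [s for s in descriptor.get("specificAssetIds", []) if keep(s)]

# Constructed sample data for a stand-alone run.
SAMPLE_CLAIMS = {"companyName": "company1-name", "BusinessPartnerNumber": "BPNL00000000000A"}
SAMPLE_SUBMODEL = {"semanticId": "SemanticID-Nameplate", "id": "https://company1.com/sm/42"}
SAMPLE_DESCRIPTOR = {"specificAssetIds": [
    {"name": "manufacturerPartId", "value": "99991", "externalSubjectId": "PUBLIC_READABLE"},
    {"name": "customerPartId", "value": "ACME002", "externalSubjectId": "BPNL00000000000B"},
    {"name": "serialNumber", "value": "SN-1", "externalSubjectId": "BPNL00000000000A"},
]}

if __name__ == "__main__":
    print(read_allowed(SAMPLE_CLAIMS, SAMPLE_SUBMODEL, "10:30"))  # True
    print(read_allowed(SAMPLE_CLAIMS, SAMPLE_SUBMODEL, "18:00"))  # False
    print([s["name"] for s in visible_specific_asset_ids(SAMPLE_CLAIMS, SAMPLE_DESCRIPTOR)])
```

Note that "HH:MM" strings compare correctly only when zero-padded, which is why the clock value is validated before the range check.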