I'm trying to write a little complexer logic in the condition of an ACL Rule as always the p.getIdentifier() == r.getIdentifier(), because in my fault it isn't possible.
These are my models:
participant Customer identified by customerID {
o String customerID
o String name
...
}
asset A identified by aID {
o String aID
--> Customer customer
}
asset B identified by bID {
o String bID
--> A a
}
Now I want to give the Customer access to see all B assets, but only where the relationship to A references to an asset, which have a relatinship to the actual participant of Customer, who is "logged in".
Summarized logic: From asset B to A, and then from A to Customer.
So in this case I can't compare the identifiers of Customer and B directly and have to go over A. Therefore I wanted to evaulate the access with a function which is called in the script.js file:
rule CustomerAccessCustomer {
description: "The customer should see all B assets, but only when he have a relationship in asset A "
participant(p): "org.xxx.test.participant.Customer"
operation: READ
resource(r): "org.xxx.test.asset.B"
condition: (evaluateAccess(p,r))
action: ALLOW
}
Here is the function of the script.js:
async function evaluateAccess(p,r) {
try {
const bRegistry = await getAssetRegistry('org.xxx.test.asset.B');
const b = await bRegistry.get(r.getIdentifier());
const aRegistry = await getAssetRegistry('org.xxx.test.asset.A');
const a = await aRegistry.get(b.a.getIdentifier());
if (p.getIdentifier() === a.customer.getIdentifier()) {
return true;
}
} catch (error) {
console.log(error);
}
}
But I get an error Error: The runtime API is not available.
Do I think the wrong way, isn't it possible to evaluate access with a function? How did you handle access rule if you can't just compare the identifiers?
