Data Buckets

Data rules are defined in terms of buckets. A bucket is used to group objects together to synchronize these and/or grant access permissions to one or more users.

The following describes the various configuration options for data buckets, which form the basis of both sync rules and data ACLs.

Data buckets are defined in the data_rules.xml file in OXIDE.

Global buckets

The simplest data buckets are global buckets.

These buckets are typically used for data that stays fairly constant over time, e.g. categories used in dropdown lists. This data is typically synced to all users and contains little or no access restrictions.

In the below example, all category and subcategory objects are synched to all users, and all users have unrestricted read and write access to these objects.

<data-rules version="3">
    <global-bucket>
        <model name="category" />
        <model name="subcategory" />
    </global-bucket>
</data-rules>

Models can have conditions to only group a subset of their objects:

    <global-bucket>
        <model name="category" condition="archived != true" />
    </global-bucket>

In some cases, data rules should apply only to some users, e.g. only to admin users or only to technicians. This is possible by specifying a via attribute on the bucket. In the below example, all part_type objects are synced to technicians, and these users have read-only access to these objects.

    <global-bucket via="self[role == 'technician']" write="none">
        <model name="part_type" />
    </global-bucket>

Object-specific buckets

Object-specific buckets each have a bucket root which defines the grouping. All objects inside the group must have a direct belongs-to relationship to the root object.

Users are then linked to the bucket roots by a path that traverses one or more relationships (belongs-to or has-many).

As an example suppose that we want to split data by region. Each user belongs to a specific region, and we only want to provide access to client data to users within the same region.

In this case, we'd define the Region as the root of the bucket. We place clients in the bucket according to the belongs-to relationship, and sync the region bucket to each user with no access restrictions:

<data-rules version="3">
    <!-- 'via' specifies how we get from the user to the region -->
    <bucket via="self/region">
        <!-- The root itself (region in this case) is automatically included in the bucket -->
        <!-- sync all clients in the region according to the has-many relationship -->
        <has-many name="clients" />
    </bucket>
</data-rules>

Suppose clients have additional info that we need to include, e.g. contacts. To include this in the region bucket, it needs an explicit belongs-to relationship to the region.

Here's the updated data model:

<data-model>
    <!-- only relevant fields are listed here -->
    <model name="region">
        <has-many model="user" name="users" />
        <has-many model="client" name="clients" /> 

        <!-- new relationship for contacts -->
        <has-many model="contact" name="contacts" />
    </model>
    <model name="client">
        <belongs-to model="region" />
        <has-many model="contact" name="contacts" />
    </model>
    <model name="contact">
        <belongs-to model="client" />
      
        <!-- New explicit relationship between contact and region.
             Make sure to update this whenever the client changes. -->
        <belongs-to model="region" />
    </model>
</data-model>

And the corresponding data rules:

    <bucket via="self/region">
        <has-many name="clients" />
        <has-many name="contacts" />
    </bucket>

Same as with global buckets, we can add conditions on the models:

    <bucket via="self/region">
        <has-many name="clients" />
        <has-many name="contacts" condition="number != null"/>
    </bucket>

We can also add conditions on the root object:

    <bucket via="self/region[archived != true]">
          <!-- ... -->
    </bucket>

Or on the user:

    <bucket via="self[role == 'manager']/region[archived != true]">
          <!-- ... -->
    </bucket>

Root objects can also be linked to the user via a has-many relationship:

    <bucket via="self/jobs"> <!-- In this case each job is a bucket root -->
        <has-many name="parts" />
        <has-many name="costs" />
    </bucket>

The via attribute

In the case of object-specific buckets, the via attribute indicates the path to take from the user object to the root of the bucket. For each user, this path can result in zero, one or many bucket roots.

The via path can contain any number of belongs-to or has-many relationships, along with an optional condition as a filter on each.

Here are some examples:

For global buckets, the via attribute works similarly. However, instead of having separate bucket roots, there is only a single bucket that will be evaluated if the via field has any results.

Here are some examples:

Conditions

Conditions can be applied to any single field for models or relationships specified inside global buckets or object-specific buckets.

The following operators are available:

==
!=
lt or <
lte or <=
gt or >
gte or >=

The following are valid values to compare against:

true, e.g. "archived == true"
false, e.g. "archived != false"
null, e.g. "region != null"
Numbers (including for single-choice-integer), e.g. "count lte 5"
Text (including for single-choice), e.g. "status != 'completed'"