In this example, we are not applying access rights based on a user's OnBase user group, but rather their department within the application. For this example, we will define 2 User Security Attributes, both assigned to "All User Groups" and both named "Owner":
<All>
Owner = ~Identity Rights = View, Create, Modify, Delete
Owner = * Rights = View
At runtime, the ~Identity macro is replaced with the list of Identity objects; in our example a list of the Departments to which the logged-in user belongs. When determining access rights for any of the objects above, its list of owner Departments is built. If any of these Departments intersect with the user's list of Departments, the specified rights are assigned. In this case, if the current user is an owner of the data, he or she is given all rights to the object. If the current user is NOT an owner of the data, the next User Security Attribute is evaluated. The "*" denotes an automatic match and provides a default value, which provides read-only access.
If the second Owner attribute was removed, the result would be that users could see only data that they own, and all other data is hidden from them.