In addition to the basic data permission settings in Identity Panel, Service Panel uses audiences to control access to virtual identities, attributes, service forms service form attributes, and dashboard modules (dashboard modules are role based only).
An audience may be relational, such as "Reference: Self", or "Reference: Manager", or role based. Service Panel roles are shared with Identity Panel. You add a new role by creating it in the Identity Panel security settings and associating it to a group.
Audience rules may have Filter Rules to limit the objects which they apply to. For example, it is common to limit a user silo to only show active employees and contractors to the Everyone role.
Sometimes it is desirable to create a Filter Rule that considers attributes of the logged in user. For example, a business unit help desk may only have permission to launch forms for users in their own business unit.
The main prerequisite for this type of rule is to have a Virtual Identity silo with Self claim rules defined (see Designing Virtual Identities).
With a self claim virtual silo defined, the SelfServiceObject() rule can be used to retrieve the full identity and attributes of the logged in user. Then a Filter rule can be written, e.g.
Role: Company Admin, Role: Company Service Desk, Role: Company HR
Filter Rule (for virtual identity attribute):
Attributes.company == SelfServiceObject().Parent.Attributes.company
Filter Rule (for service form):
Identity.Parent.Attributes.company == SelfServiceObject().Parent.Attributes.company