Access permissions setup for MDM dictionary elements depends on the selected access control methods.
If discretionary or mandatory access permissions can be used for MDM dictionary elements, then when an MDM dictionary is selected in the security manager in the desktop application, the right part of the Navigator section displays dictionary elements, groups of elements, and selection schemes.
To use the discretionary access control method, follow these steps:
Select the Use Discretionary Access Control checkbox in the Policies Editor section in the security manager.
Set up access parameters for a specified user for:
Required MDM dictionary.
Database that stores dictionary data.
Access parameters can be set up on the Discretionary Access Control tab in the Access Control Settings dialog box. To open the dialog box, select the Access Permissions item in the MDM dictionary's context menu. An MDM dictionary can be selected in the object navigator of the security manager in the desktop application, on the Properties side panel in the web application, and in the object navigator of Foresight Analytics Platform in the desktop application.
Select the checkboxes next to general operations to allow or deny them. To set up access to the dictionary and the database simultaneously, select the Set Up Dependent Object Permissions checkbox, click the OK button, and select the checkboxes of the objects whose permissions must be changed.
Select the Elements Have Discretionary Access Permissions checkbox on the Description tab of the MDM dictionary in the object navigator of Foresight Analytics Platform in the desktop application.
After the checkbox is selected, and the MDM dictionary is selected in the security manager's navigator in the desktop application, the right part of the window displays dictionary elements, groups of elements and selection schemes.
The Discretionary Access Control checkbox is displayed in the dictionary's context menu.
The checkbox affects the displaying of dictionary elements in the security manager's navigator.
On an attempt to deselect this checkbox, a message is displayed stating that this option can be enabled only by the administrator or application administrator, if role separation is used. If the answer is Yes, the checkbox is deselected, and the dictionary is hidden from the tree if it does not have groups of elements or selection schemas.
NOTE. If the roles of information security administrator and application administrator are separated, by default only the information security administrator may set up access permissions and disable this option. This option can be enabled when the MDM dictionary is edited by the application administrator or by a user who holds this privilege.
Set up access permissions for the selected dictionary element:
Select the Access Permissions item in the dictionary element's context menu. The command is available for the dictionary element selected:
In the object navigator of the security manager.
On the Dictionary Elements tab in the MDM dictionary opened for edit in Foresight Analytics Platform.
Select the Object > Access Permissions main menu item.
Press the ENTER key.
Double-click the dictionary element name with the main mouse button.
After executing one of the operations:
The Access Permissions dialog box opens to set up dictionary element access permissions.
The Access Control Settings dialog box opens to set up access permissions for the Groups of Elements and Selection Schemas object.
If the dialog box is opened for several elements or objects, access permission settings are displayed for the focused element or object. When access permissions are set, they are applied to all selected elements or objects.
To disable discretionary access to MDM dictionary elements:
Make sure that the element attributes responsible for discretionary access have no parameters added and no keys added, and that the Alternative Hierarchy checkbox is deselected in their properties.
Deselect the Elements Have Discretionary Access Permissions checkbox on the Description tab of the MDM dictionary in the object navigator of Foresight Analytics Platform in the desktop application.
After discretionary access control is disabled for MDM dictionary elements, the user has full access to dictionary elements.
To use the mandatory access control method, follow these steps:
Select the Use Mandatory Access Control checkbox in the Policies Editor section of the security manager.
Add a category and levels in the Mandatory Access Control section of the security manager.
Set the maximum security level for a specified user.
Set the maximum security levels for objects:
Folders that contain the required MDM dictionary.
Required MDM dictionary.
Internal MDM dictionary table.
Database that stores dictionary data.
NOTE. Permissions for objects can be set only by the administrator or by a user who has permission to change permissions.
Access parameters can be set up on the Mandatory Access Control tab in the Access Control Settings dialog box in the desktop application and on the Properties side panel in the web application.
To set up access to the dictionary and the database simultaneously, select the Set Up Dependent Object Permissions checkbox, click the OK button, and select the checkboxes of the objects whose permissions must be changed.
Select the Elements Have Mandatory Access Permissions checkbox on the Description tab of the MDM dictionary in the object navigator of Foresight Analytics Platform in the desktop application.
After the checkbox is selected and the MDM dictionary is selected in the security manager's navigator in the desktop application, the right part of the window displays dictionary elements, groups of elements and selection schemes. The Mandatory Access Control checkbox is displayed in the dictionary's context menu.
The checkbox affects the displaying of dictionary elements in the security manager's navigator.
On an attempt to deselect this checkbox, a message is displayed stating that this option can be enabled only by the administrator or application administrator, if role separation is used. If the answer is Yes, the checkbox is deselected, and the dictionary is hidden from the tree if it does not have groups of elements or selection schemas.
NOTE. If the roles of information security administrator and application administrator are separated, by default only the information security administrator may set up access permissions and disable this option. This option can be enabled when the MDM dictionary is edited by the application administrator or by a user who holds this privilege.
Set up access permissions for the selected dictionary element:
Select the Access Permissions item in the dictionary element's context menu. The command is available for the dictionary element selected:
In the object navigator of the security manager.
On the Dictionary Elements tab in the MDM dictionary opened for edit in Foresight Analytics Platform.
Select the Object > Access Permissions main menu item.
Press the ENTER key.
Double-click the dictionary element name with the main mouse button.
After executing one of the operations:
The Access Permissions dialog box opens to set up dictionary element access permissions.
The Access Control Settings dialog box opens to set up access permissions for the Groups of Elements and Selection Schemas object.
If the dialog box is opened for several elements or objects, access permission settings are displayed for the focused element or object. When access permissions are set, they are applied to all selected elements or objects.
To disable mandatory access control to MDM dictionary elements:
Make sure that the element attributes responsible for discretionary access permissions have no parameters added and no keys added, and that the Alternative Hierarchy checkbox is deselected in their properties.
Deselect the Elements Have Mandatory Access Permissions checkbox on the Description tab of the MDM dictionary in the object navigator of Foresight Analytics Platform in the desktop application.
After mandatory access control is disabled for MDM dictionary elements, the user has full access to dictionary elements.
To use the attribute-based access control method, follow these steps:
Select the Use Attribute-Based Access Control checkbox in the Policies Editor section of the security manager.
Create a set of policies and rules that enables the specified user to access the required MDM dictionary; to do this, create a permission for:
Specified user.
Class of folders, if the dictionary is in the root, to read descriptor.
Database that stores dictionary data, to read and read object body.
Internal MDM dictionary table to get full access.
MDM dictionary to get full access.
Add rules for MDM dictionary elements to the policy. To do this, specify the Operation environment attribute in the purpose and set the specific operation value. Available values are specified in the DictionarySpecificRights enumeration.
In the additional condition, specify a comparison of the element attribute with a value that corresponds to the data type of the attribute identifier. An example of a purpose specified to read the element with key 1:
Select the Elements Have Attribute-Based Access Permissions checkbox on the Description tab of the MDM dictionary in the object navigator of Foresight Analytics Platform in the desktop application. After the checkbox is selected, MDM dictionary element rules are enabled.
Access permissions for MDM dictionary elements can also be set up in the development environment using the ABAC assembly. An example of denying a user permission to read a table MDM dictionary element is given in the Access Permissions for Table MDM Dictionary Elements section.
To disable attribute-based access control to MDM dictionary elements, deselect the Elements Have Attribute-Based Access Permissions checkbox on the Description tab of the MDM dictionary in the object navigator of Foresight Analytics Platform in the desktop application.
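The attribute-based setup described above has two layers: the object-level permissions the user needs on the folder class, database, internal table and dictionary, and a per-element rule that combines an operation with an attribute comparison. The following Python model is an added illustration, not Foresight Analytics Platform code and not its ABAC assembly; the operation names, the KEY attribute, the default-deny outcome and the strict type comparison are assumptions of the model.

```python
from dataclasses import dataclass

# Object-level permissions the page lists before element rules are added.
# Kind and operation names are hypothetical labels, not platform identifiers.
REQUIRED = {
    "folder_class": {"read_descriptor"},
    "database": {"read", "read_object_body"},
    "mdm_table": {"full_access"},
    "mdm_dictionary": {"full_access"},
}

@dataclass(frozen=True)
class ElementRule:
    subject: str
    operation: str   # stands in for the Operation environment attribute
    attribute: str   # element attribute compared in the additional condition
    value: object    # must have the same data type as the attribute
    effect: str = "permit"

def missing_prerequisites(grants, user):
    """Return {object kind: operations the user still lacks}."""
    held = grants.get(user, {})
    gaps = {k: ops - held.get(k, set()) for k, ops in REQUIRED.items()}
    return {k: lacking for k, lacking in gaps.items() if lacking}

def decide(grants, rules, user, operation, element):
    """Decide one operation on one element; default deny is a model assumption."""
    if missing_prerequisites(grants, user):
        return "deny"
    for rule in rules:
        if rule.subject != user or rule.operation != operation:
            continue
        actual = element.get(rule.attribute)
        # Strict type match: integer key 1 must not match the string "1".
        if type(actual) is type(rule.value) and actual == rule.value:
            return rule.effect
    return "deny"

# Constructed sample data: "intern" lacks read_object_body on the database.
FULL = {kind: set(ops) for kind, ops in REQUIRED.items()}
GRANTS = {"analyst": FULL, "intern": {**FULL, "database": {"read"}}}
RULES = [ElementRule("analyst", "read_element", "KEY", 1),
         ElementRule("intern", "read_element", "KEY", 1)]

if __name__ == "__main__":
    for user in GRANTS:
        print(user, decide(GRANTS, RULES, user, "read_element", {"KEY": 1}),
              missing_prerequisites(GRANTS, user))
```

Running missing_prerequisites over each user before reviewing element rules shows which object-level permission is absent when an element rule appears to have no effect.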