In this article:

Discretionary Access Control Method

Mandatory Access Control Method

Attribute-Based Access Control Method

Access Permissions for MDM Dictionary Elements

Access permissions setup for MDM dictionary elements depends on the selected access control methods.

If discretionary or mandatory access permissions can be used for MDM dictionary elements, then when the MDM dictionary is selected in the security manager in the desktop application, the right part of the Navigator section displays dictionary elements, groups of elements, and selection schemas.

Discretionary Access Control Method

To use the discretionary access control method, follow these steps:

  1. Select the Use Discretionary Access Control checkbox in the Policies Editor section of the security manager.

  2. Set up access parameters for a specified user for:

Access parameters can be set up on the Discretionary Access Control tab in the Access Control Settings dialog box. To open the dialog box, select the Access Permissions item in the MDM dictionary's context menu. Select the MDM dictionary in the object navigator of the security manager in the desktop application, on the Properties side panel in the web application, and in the object navigator in the desktop application.

Select the checkboxes next to general operations to allow or deny them. To set up access to the dictionary and the database at the same time, select the Set Up Dependent Object Permissions checkbox, click the OK button, and select the checkboxes of the objects whose permissions must be changed.

  3. Select the Elements Have Discretionary Access Permissions checkbox on the Description of the MDM dictionary in the object navigator in the desktop application.

After the checkbox is selected and the MDM dictionary is selected in the security manager's navigator in the desktop application, the right part of the window displays dictionary elements, groups of elements and selection schemas.

The Discretionary Access Control checkbox is displayed in the dictionary's context menu.

The checkbox affects the display of dictionary elements in the security manager's navigator.

On an attempt to deselect this checkbox, a message is displayed stating that this option can be enabled only by the administrator or application administrator, if role separation is used. If the answer is Yes, the checkbox is deselected, and the dictionary is hidden from the tree if it does not have groups of elements or selection schemas.

NOTE. If the roles of information security administrator and application administrator are separated, by default only the information security administrator may set up access permissions and disable this option. This option can be enabled when the MDM dictionary is edited by the application administrator or by a user who holds this privilege.

  4. Set up access permissions for the selected dictionary element:

After executing one of the operations:

If the dialog box is opened for several elements or objects, access permission settings are displayed for the focused element or object. When access permissions are set, they are applied to all selected elements or objects.

Disabling Discretionary Access Control to Elements

To disable discretionary access to MDM dictionary elements:

  1. Make sure that the element attributes that are responsible for discretionary access have no parameters added and no keys added, and that the Alternative Hierarchy checkbox is deselected in properties.

  2. Deselect the Elements Have Discretionary Access Permissions checkbox on the Description of the MDM dictionary in the object navigator in the desktop application.

After discretionary access control is disabled for MDM dictionary elements, the user has full access to dictionary elements.

Mandatory Access Control Method

To use the mandatory access control method, follow these steps:

  1. Select the Use Mandatory Access Control checkbox in the Policies Editor section of the security manager.

  2. Add a category and levels in the Mandatory Access Control section of the security manager.

  3. Set the maximum security level for a specified user.

  4. Set the maximum security levels for objects:

NOTE. Permissions for objects can be set only by the administrator or by a user who has permission to change permissions.

Access parameters can be set up on the Mandatory Access Control tab in the Access Control Settings dialog box in the desktop application and on the Properties side panel in the web application.

To set up access to the dictionary and the database at the same time, select the Set Up Dependent Object Permissions checkbox, click the OK button, and select the checkboxes of the objects whose permissions must be changed.

  5. Select the Elements Have Mandatory Access Permissions checkbox on the Description of the MDM dictionary in the object navigator in the desktop application.

After the checkbox is selected, selecting the MDM dictionary in the object navigator of the security manager in the desktop application displays the dictionary elements, groups of elements and selection schemas in the right part of the window. The Mandatory Access Control checkbox is displayed in the dictionary's context menu.

The checkbox affects the display of dictionary elements in the security manager's navigator.

On an attempt to deselect this checkbox, a message is displayed stating that this option can be enabled only by the administrator or application administrator, if role separation is used. If the answer is Yes, the checkbox is deselected, and the dictionary is hidden from the tree if it does not have groups of elements or selection schemas.

NOTE. If the roles of information security administrator and application administrator are separated, by default only the information security administrator may set up access permissions and disable this option. This option can be enabled when the MDM dictionary is edited by the application administrator or by a user who holds this privilege.

  6. Set up access permissions for the selected dictionary element:

After executing one of the operations:

      • The Access Permissions dialog box opens to set up dictionary element access permissions.

      • The Access Control Settings dialog box opens to set up access permissions for the Groups of Elements and Selection Schemas object.

If the dialog box is opened for several elements or objects, access permission settings are displayed for the focused element or object. When access permissions are set, they are applied to all selected elements or objects.

Disabling Mandatory Access Control to Elements

To disable mandatory access control to MDM dictionary elements:

  1. Make sure that the element attributes that are responsible for discretionary access permissions have no parameters added and no keys added, and that the Alternative Hierarchy checkbox is deselected in properties.

  2. Deselect the Elements Have Mandatory Access Permissions checkbox on the Description of the MDM dictionary in the object navigator in the desktop application.

After mandatory access control is disabled for MDM dictionary elements, the user has full access to dictionary elements.

Attribute-Based Access Control Method

To use the attribute-based access control method, follow these steps:

  1. Select the Use Attribute-Based Access Control and Use Discretionary Access Control checkboxes in the Policies Editor section of the security manager.

NOTE. When the attribute-based access control method is used, access permissions for MDM dictionary elements can be set up only with the discretionary access control method.

  2. Create a set of policies and rules that enables the specified user to access the required MDM dictionary; to do this, create a permission for:

  3. Add rules for MDM dictionary elements to the policy. To do this, specify the Operation environment attribute in the purpose and set the specific operation value. Available values are specified in the DictionarySpecificRights enumeration.

In the additional condition, specify a comparison of the element attribute with a value that corresponds to the data type of the attribute identifier. An example of a purpose specified for reading the element with the 1 key:

  4. Open the MDM dictionary for editing in the object navigator.

  5. Select the Elements Have Discretionary Access Permissions checkbox on the Description and then the Elements Have Attribute-Based Access Permissions checkbox. After the checkboxes are selected, the rules for MDM dictionary elements are applied together with the access permissions specified with discretionary access control.

Access permissions for MDM dictionary elements can also be set up in the development environment using the ABAC assembly. An example of denying a user permission to read a table MDM dictionary element is given in the Access Permissions for Table MDM Dictionary Elements section.

Disabling Attribute-Based Access Control to Elements

To disable attribute-based access control to MDM dictionary elements, deselect the Elements Have Attribute-Based Access Permissions checkbox on the Description of the MDM dictionary in the object navigator in the desktop application.
