Access permissions setup for MDM dictionary elements depends on the selected access control methods.
If discretionary or mandatory access permissions can be used for MDM dictionary elements, when selecting MDM dictionary in the security manager in the desktop application, the right part of the Navigator section displays dictionary elements, groups of elements, and selection schemes:
When selecting discretionary access control method, follow the steps:
Select the Use Discretionary Access Control checkbox in the Policies Editor section of the security manager.
Set up access parameters for a specified user for:
Required MDM dictionary.
Database that stores dictionary data.
Access parameters can be set up on the Discretionary Access Control tab in the Access Control Settings dialog box. To open the dialog box, select the Access Permissions item in the MDM dictionary's context menu. Select MDM dictionary in object navigator of security manager in the desktop application, on the Properties side panel in the web application and in object navigator in the desktop application.
Select the checkboxes next to general operations to allow or deny them. To simultaneously set up access to the dictionary and the database, select the Set Up Dependent Object Permissions checkbox, click the OK button and select checkboxes of the objects, which permissions must be changed.
Select the Elements Have Discretionary Access Permissions checkbox on the Description of MDM dictionary in object navigator in the desktop application.
After the checkbox is selected, and the MDM dictionary is selected in the security manager's navigator in the desktop application, the right part of the window displays dictionary elements, groups of elements and selection schemes.
The Discretionary Access Control checkbox is displayed in the dictionary's context menu.
The checkbox affects the displaying of dictionary elements in the security manager's navigator.
On an attempt to deselect this checkbox, the message is displayed that this option can be enabled only by the administrator or application administrator, if role separation is used. If the answer is Yes, the checkbox is deselected, and the dictionary is hidden from the tree if it does not have groups of elements or selection schema.
NOTE. If the roles of information security administrator and application administrator are separated, by default only the information security administrator may set up access permissions and disable this option. This option can be enabled when MDM dictionary is edited by application administrator or by the user that holds this privilege.
Set up access permissions for the selected dictionary element:
Select the Access Permissions item in the dictionary element's context menu. The command is available for the dictionary element selected:
In the object navigator of the security manager.
On the Dictionary Elements in MDM dictionary opened for edit in object navigator.
Select the Object > Access Permissions main menu item
Press the ENTER key.
Double-click the dictionary element name with the main mouse button.
After executing one of the operations:
The Access Permissions dialog box opens to set up dictionary element access permissions.
The Access Control Settings dialog box opens to set up access permissions for the Groups of Elements and Selection Schemas object.
If the dialog box is opened for several elements or objects, access permission settings are displayed for the focused element or object. On setting access permissions these permissions are set for all selected elements or objects.
To disable discretionary access to MDM dictionary elements:
Make sure that element attributes that are responsible for discretionary access do not have parametersadded, no keys added, the Alternative Hierarchy checkbox is deselected in properties.
Deselect the Elements Have Discretionary Access Permissions checkbox on the Description of MDM dictionary in object navigator in the desktop application.
After discretionary access control is disabled for MDM dictionary elements, the user has full access to dictionary elements.
On selecting mandatory access control method, follow the next steps:
Select the Use Mandatory Access Control checkbox in the Policies Editor section of the security manager.
Add a category and levels in the Mandatory Access Control section of the security manager.
Set the maximum security level for a specified user.
Set the maximum security levels for objects:
Folders that contain the required MDM dictionary.
Required MDM dictionary.
Internal MDM dictionary table.
Database that stores dictionary data.
NOTE. Permissions for objects can be set only by the administrator or the user who have permissions to change permissions.
Access parameters can be set up on the Mandatory Access Control tab in the Access Control Settings dialog box in the desktop application and on the Properties side panel in the web application.
To simultaneously set up access to the dictionary and the database, select the Set Up Dependent Object Permissions checkbox, click the OK button and select checkboxes of the objects, which permissions must be changed.
Select the Elements Have Mandatory Access Permissions checkbox on the Description of MDM dictionary in object navigator in the desktop application.
After the checkbox is selected on selecting the MDM dictionary in object navigator of security manager in the desktop application's right side the dictionary elements, groups of elements and selection schemas will be displayed.The Mandatory Access Control checkbox is displayed in the dictionary's context menu:
The checkbox affects the displaying of dictionary elements in the security manager's navigator.
On an attempt to deselect this checkbox, the message is displayed that this option can be enabled only by the administrator or application administrator, if role separation is used. If the answer is Yes, the checkbox is deselected, and the dictionary is hidden from the tree if it does not have groups of elements or selection schema.
NOTE. If the roles of information security administrator and application administrator are separated, by default only the information security administrator may set up access permissions and disable this option. This option can be enabled when MDM dictionary is edited by application administrator or by the user that holds this privilege.
Set up access permissions for the selected dictionary element:
Select the Access Permissions item in the dictionary element's context menu. The command is available for the dictionary element selected:
In the object navigator of the security manager.
On the Dictionary Elements in MDM dictionary opened for edit in object navigator
Select the Object > Access Permissions main menu item.
Press the ENTER key.
Double-click the dictionary element name with the main mouse button.
After executing one of the operations:
The Access Permissions dialog box opens to set up dictionary element access permissions.
The Access Control Settings dialog box opens to set up access permissions for the Groups of Elements and Selection Schemas object.
If the dialog box is opened for several elements or objects, access permission settings are displayed for the focused element or object. On setting access permissions these permissions are set for all selected elements or objects.
To disable mandatory access control to MDM dictionary elements:
Make sure that element attributes that are responsible for discretionary access permissions do not have parameters added, no keys added, the Alternative Hierarchy checkbox is deselected in properties.
Deselect the Elements Have Mandatory Access Permissions checkbox on the Description of MDM dictionary in object navigator in the desktop application.
After mandatory access control is disabled for MDM dictionary elements, the user has full access to dictionary elements.
When selecting attribute-based access control method follow the steps:
Select the Use Attribute-Based Access Control and Use Discretionary Access Control checkboxes in the Policies Editor security manager section.
NOTE. On using attribute-base access control method, access permission for MDM dictionary elements can be set up only with discretionary access control method.
Create a policies and rules set that enables the specified user to access the required MDM dictionary; to do this, create a permission for:
Specified user.
Class of folders, if the dictionary is in the root, to read descriptor.
Database, that stores dictionary data, to read and read object body.
Internal MDM dictionary table to get full access.
MDM dictionary to get full access.
Add rules for MDM dictionary elements to the policy. To do this, specify the Operation environment attribute in the purpose and set the specific operation value. Available values are specified in the DictionarySpecificRights enumeration.
In the additional condition specify comparison of element attribute with the value corresponding to data type of attribute identifier. The example of the specified purpose to read element with the 1 key:
Open MDM dictionary for edit in the object navigator.
Select the Elements Have Discretionary Access Permissions checkbox on the Description and then theElements Have Attribute-Based Access Permissions checkbox. After the checkboxes are selected, the rules for MDM dictionary elements will be applied and specified access permissions with discretionary access control.
Access permissions for MDM dictionary elements can also be set up in the development environment using the ABAC assembly. The example of denying the user to read table MDM dictionary element is given in the Access Permissions for Table MDM Dictionary Elements section.
To disable attribute-based access control to MDM dictionary elements, deselect the Elements Have Attribute-Based Access Permissions checkbox on the Description of MDM dictionary in object navigator in the desktop application.
See also: