Access permissions setup for MDM dictionary elements depends on the selected access control methods.
If discretionary or mandatory access permissions can be used for MDM dictionary elements, selecting the MDM dictionary in the security manager of the desktop application displays dictionary elements, groups of elements, and selection schemes in the right part of the Navigator section.
To use the discretionary access control method, follow the steps:
Make sure that the Use Discretionary Access Control checkbox is selected in the Policies Editor section of the security manager.
Set up access parameters for a specified user for:
Required MDM dictionary.
Database that stores dictionary data.
Access parameters can be set up on the Discretionary Access Control tab in the Access Control Settings dialog box. To open the dialog box, select the Access Permissions item in the MDM dictionary's context menu. The context menu is available when the MDM dictionary is selected in the object navigator of the security manager in the desktop application, on the Properties side panel in the web application, or in the object navigator in the desktop application.
Select the checkboxes next to general operations to allow or deny them. To set up access to the dictionary and the database at the same time, select the Set Up Dependent Object Permissions checkbox, click the OK button, and select the checkboxes of the objects whose permissions must be changed.
Select the Elements Have Discretionary Access Permissions checkbox on the Description tab of the MDM dictionary in the object navigator in the desktop application.
After the checkbox is selected and the MDM dictionary is selected in the security manager's navigator in the desktop application, the right part of the window displays dictionary elements, groups of elements, and selection schemes.
The Discretionary Access Control checkbox is displayed in the dictionary's context menu.
The checkbox determines whether dictionary elements are displayed in the security manager's navigator.
On an attempt to deselect this checkbox, a message is displayed that this option can be enabled again only by the administrator or, if role separation is used, by the application administrator. If you answer Yes, the checkbox is deselected, and the dictionary is hidden from the tree if it has no groups of elements or selection schemas.
NOTE. If the roles of information security administrator and application administrator are separated, by default only the information security administrator may set up access permissions and disable this option. The option can be enabled when the MDM dictionary is edited by the application administrator or by a user who holds this privilege.
Set up access permissions for the selected dictionary element:
Select the Access Permissions item in the dictionary element's context menu. The command is available when the dictionary element is selected:
In the object navigator of the security manager.
On the Dictionary Elements in MDM dictionary opened for edit in object navigator.
Select the Object > Access Permissions main menu item.
Press the ENTER key.
Double-click the dictionary element name with the main mouse button.
After executing one of the operations:
The Access Permissions dialog box opens to set up dictionary element access permissions.
The Access Control Settings dialog box opens to set up access permissions for the Groups of Elements and Selection Schemas object.
If the dialog box is opened for several elements or objects, the access permission settings of the focused element or object are displayed. When access permissions are set, they are applied to all selected elements or objects.
To disable discretionary access to MDM dictionary elements:
Make sure that the element attributes responsible for discretionary access have no parameters added, no keys added, and the Alternative Hierarchy checkbox deselected in their properties.
Deselect the Elements Have Discretionary Access Permissions checkbox on the Description of MDM dictionary in object navigator in the desktop application.
After discretionary access control is disabled for MDM dictionary elements, the user has full access to dictionary elements.
To use the mandatory access control method, follow the steps:
Make sure that the Use Mandatory Access Control checkbox is selected in the Policies Editor section of the security manager.
Add a category and levels in the Mandatory Access Control section of the security manager.
Set the maximum security level for a specified user.
Set the maximum security levels for objects:
Folders that contain the required MDM dictionary.
Required MDM dictionary.
Internal MDM dictionary table.
Database that stores dictionary data.
NOTE. Permissions for objects can be set only by the administrator or by a user who has permission to change permissions.
Access parameters can be set up on the Mandatory Access Control tab in the Access Control Settings dialog box in the desktop application and on the Properties side panel in the web application.
To set up access to the dictionary and the database at the same time, select the Set Up Dependent Object Permissions checkbox, click the OK button, and select the checkboxes of the objects whose permissions must be changed.
Select the Elements Have Mandatory Access Permissions checkbox on the Description of MDM dictionary in object navigator in the desktop application.
After the checkbox is selected and the MDM dictionary is selected in the object navigator of the security manager in the desktop application, the right part of the window displays dictionary elements, groups of elements, and selection schemas. The Mandatory Access Control checkbox is displayed in the dictionary's context menu.
The checkbox determines whether dictionary elements are displayed in the security manager's navigator.
On an attempt to deselect this checkbox, a message is displayed that this option can be enabled again only by the administrator or, if role separation is used, by the application administrator. If you answer Yes, the checkbox is deselected, and the dictionary is hidden from the tree if it has no groups of elements or selection schemas.
NOTE. If the roles of information security administrator and application administrator are separated, by default only the information security administrator may set up access permissions and disable this option. The option can be enabled when the MDM dictionary is edited by the application administrator or by a user who holds this privilege.
Set up access permissions for the selected dictionary element:
Select the Access Permissions item in the dictionary element's context menu. The command is available when the dictionary element is selected:
In the object navigator of the security manager.
On the Dictionary Elements tab in the MDM dictionary opened for edit in the object navigator.
Select the Object > Access Permissions main menu item.
Press the ENTER key.
Double-click the dictionary element name with the main mouse button.
After executing one of the operations:
The Access Permissions dialog box opens to set up dictionary element access permissions.
The Access Control Settings dialog box opens to set up access permissions for the Groups of Elements and Selection Schemas object.
If the dialog box is opened for several elements or objects, the access permission settings of the focused element or object are displayed. When access permissions are set, they are applied to all selected elements or objects.
To disable mandatory access control to MDM dictionary elements:
Make sure that the element attributes responsible for discretionary access permissions have no parameters added, no keys added, and the Alternative Hierarchy checkbox deselected in their properties.
Deselect the Elements Have Mandatory Access Permissions checkbox on the Description of MDM dictionary in object navigator in the desktop application.
After mandatory access control is disabled for MDM dictionary elements, the user has full access to dictionary elements.
Access permission control for MDM dictionary elements is performed if:
Attribute-based access control method and discretionary access control method are used simultaneously.
Only attribute-based access control method is used.
Access control methods can be selected in the Policies Editor section of the security manager.
To use the attribute-based and discretionary access control methods together, follow the steps:
Make sure that the Use Attribute-Based Access Control and the Use Discretionary Access Control checkboxes are selected in the Policies Editor section of the security manager, and the OR access permission combination option is selected.
Make sure that the discretionary access control parameters for the specific user enable all operations with the following objects:
Folder containing the MDM dictionary. If the MDM dictionary is located not in the repository root but in a folder or folder hierarchy, none of those folders may have forbidden operations.
Database that stores MDM dictionary data.
Internal MDM dictionary table.
Discretionary access parameters can be set up on the Discretionary Access Control tab in the Access Control Settings dialog box for each object.
Create an attribute-based access control structure that determines the access permissions of a specific user to MDM dictionary elements in the Attribute-Based Access Control section:
The policies set determines the user for whom access permissions to MDM dictionary elements are set up.
The policy determines access to the MDM dictionary by key or identifier.
The rules determine access to MDM dictionary elements.
The table contains structure parameters of attribute-based access control:
Attribute-based access control structure | Objective | Rule combination algorithm |
Policies set | SUBJECT.NAME = <user name> | Allow overriding |
Policy | OBJECT.KEY = <MDM dictionary key> or OBJECT.ID = <MDM dictionary identifier> | Allow overriding |
Rule | OPERATION = <specific operation value> | - |
For rules, an additional condition is set that compares an element attribute with a value matching the data type of the attribute identifier, and an effect is set that determines whether access is allowed or denied when the rule is satisfied.
NOTE. On creating an additional condition, take into account features of MDM dictionary element attribute use.
Examples of rules of access control for MDM dictionary elements are given in the Example section.
Open MDM dictionary for edit in the object navigator.
Select the Elements Have Attribute-Based Access Permissions checkbox on the Description tab.
After executing the operations, attribute-based access control rules are applied to MDM dictionary elements. When the attribute-based and discretionary access control methods are used at the same time, discretionary access control can also be applied to MDM dictionary elements. For details, see the Discretionary Access Control Method section.
When only the attribute-based access control method is selected, the built-in authorization should be used. Access permission control for MDM dictionary elements is set up for users who are not included in the built-in administrator group. To do this, follow the steps:
Make sure that the Use Attribute-Based Access Control checkbox is selected in the Policies Editor section of the security manager.
Create an attribute-based access control structure that determines access permissions for a specific user to MDM dictionary elements, in the Attribute-Based Access Control section. The attribute-based access control structure should contain:
Access permissions for MDM dictionary and the following objects:
Folder containing the MDM dictionary. If the MDM dictionary is located not in the repository root but in a folder or folder hierarchy, none of those folders may have forbidden operations.
Database that stores MDM dictionary data.
Internal MDM dictionary table.
Access denials for MDM dictionary elements.
Open MDM dictionary for edit in the object navigator.
Select the Elements Have Attribute-Based Access Permissions checkbox on the Description tab.
After executing the operations, attribute-based access control method rules will be applied for MDM dictionary elements.
Access permissions for MDM dictionary elements can also be set up in the development environment using the ABAC assembly. An example of denying a user read access to a table MDM dictionary element is given in the Access Permissions for Table MDM Dictionary Elements section.
The example shows the attribute-based access control structure used when only the attribute-based access control method is enabled. The structure contains two policies sets that limit the access of a specific user to MDM dictionary elements:
The first policies set contains a policy and a rule that determine full access of a specific user for all repository objects:
Attribute-based access control structure | Objective | Rule combination algorithm |
Policies set | SUBJECT.NAME = <user name> | Allow overriding |
Policy | - | Allow overriding |
Rule | - | - |
Rule parameters:
Objective | Condition | Effect |
- | - | Allow |
The second policies set determines the object class for which access is set up, its policy determines access to a specific MDM dictionary by key or identifier, and its rules determine access to MDM dictionary elements:
Attribute-based access control structure | Objective | Rule combination algorithm |
Policies set | OBJECT.CLASS = <object class: MDM dictionary> | Allow overriding |
Policy | OBJECT.KEY = <MDM dictionary key> or OBJECT.ID = <MDM dictionary identifier> | Allow overriding |
Rule | OPERATION = <specific operation value> | - |
For rules, an additional condition is set that compares an element attribute with a value matching the data type of the attribute identifier, and an effect is set that determines whether access is allowed or denied when the rule is satisfied.
Examples of rules for access control of MDM dictionary elements:
Rule | Objective | Condition | Effect |
Deny reading elements of a one-level MDM dictionary with keys 1 and 2 | OPERATION = 1048576 | (OBJECT.ELEMENT.KEY >= 0) And (OBJECT.ELEMENT.KEY <= 2) | Deny |
Deny editing the MDM dictionary element with key 3 | OPERATION = 2097152 | OBJECT.ELEMENT.KEY = 3 | Deny |
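The following is an added example, written for this page and not taken from the platform's ABAC assembly or from its documentation. It models the three-level structure described above (policies set, policy, rule) and the Example section's two policies sets as a small Python evaluator, so that the effect of the "Allow overriding" combination algorithm and of the two Deny rules can be checked against concrete requests. The user name "analyst01" and dictionary key 42 are constructed stand-ins for <user name> and <MDM dictionary key>; the operation codes are the ones shown in the rule table. The page does not state how the platform combines the results of separate policies sets, so the example assumes deny-overriding at that level, which yields the outcome the Example section describes (the first set grants full access, the second set restricts individual elements).

```python
"""Added example, not the platform's ABAC assembly: an evaluator for the
policies set -> policy -> rule structure described above, using the
"Allow overriding" combination algorithm and the two example policies sets."""
from dataclasses import dataclass
from typing import Callable, Dict, Sequence

OP_READ, OP_EDIT = 1048576, 2097152         # operation codes from the page's rule examples
ALLOW, DENY, NOT_APPLICABLE = "Allow", "Deny", "NotApplicable"

Request = Dict[str, object]                 # SUBJECT.NAME, OBJECT.CLASS, OBJECT.KEY, ...
Predicate = Callable[[Request], bool]


def always(_: Request) -> bool:
    """An empty objective or condition ("-" in the tables) matches everything."""
    return True


def attr_equals(name: str, value: object) -> Predicate:
    """Objective or condition of the form NAME = value."""
    return lambda req: req.get(name) == value


def allow_overriding(decisions: Sequence[str]) -> str:
    """'Allow overriding': a single Allow wins over any number of Deny results."""
    if ALLOW in decisions:
        return ALLOW
    return DENY if DENY in decisions else NOT_APPLICABLE


def deny_overriding(decisions: Sequence[str]) -> str:
    """Deny wins. ASSUMED here for combining the policies sets with each other;
    the page does not state which algorithm the platform uses at that level."""
    if DENY in decisions:
        return DENY
    return ALLOW if ALLOW in decisions else NOT_APPLICABLE


@dataclass
class Rule:
    objective: Predicate      # e.g. OPERATION = 1048576
    condition: Predicate      # e.g. OBJECT.ELEMENT.KEY = 3
    effect: str               # ALLOW or DENY

    def evaluate(self, req: Request) -> str:
        return self.effect if self.objective(req) and self.condition(req) else NOT_APPLICABLE


@dataclass
class Level:
    """A policies set (children are policies) or a policy (children are rules)."""
    objective: Predicate
    children: list
    combine: Callable[[Sequence[str]], str]

    def evaluate(self, req: Request) -> str:
        if not self.objective(req):
            return NOT_APPLICABLE
        return self.combine([child.evaluate(req) for child in self.children])


USER_NAME, DICT_KEY = "analyst01", 42      # constructed stand-ins for <user name>, <MDM dictionary key>

# First policies set: full access for the user to all repository objects.
full_access = Level(
    objective=attr_equals("SUBJECT.NAME", USER_NAME),
    children=[Level(always, [Rule(always, always, ALLOW)], allow_overriding)],
    combine=allow_overriding)

# Second policies set: the two rule examples from the table above.
element_restrictions = Level(
    objective=attr_equals("OBJECT.CLASS", "MDM dictionary"),
    children=[Level(attr_equals("OBJECT.KEY", DICT_KEY), [
        # Deny reading elements with keys 0..2
        Rule(attr_equals("OPERATION", OP_READ),
             lambda r: 0 <= r.get("OBJECT.ELEMENT.KEY", -1) <= 2, DENY),
        # Deny editing the element with key 3
        Rule(attr_equals("OPERATION", OP_EDIT),
             attr_equals("OBJECT.ELEMENT.KEY", 3), DENY),
    ], allow_overriding)],
    combine=allow_overriding)

STRUCTURE = [full_access, element_restrictions]


def element_request(user: str, element_key: int, operation: int,
                    dict_key: int = DICT_KEY) -> Request:
    """Attributes of one operation on one element of one MDM dictionary."""
    return {"SUBJECT.NAME": user, "OBJECT.CLASS": "MDM dictionary",
            "OBJECT.KEY": dict_key, "OBJECT.ELEMENT.KEY": element_key,
            "OPERATION": operation}


def decide(req: Request, structure: Sequence[Level] = STRUCTURE) -> str:
    """NotApplicable means no policies set granted access (only-ABAC mode: no access)."""
    return deny_overriding([level.evaluate(req) for level in structure])


if __name__ == "__main__":
    for key, op in [(1, OP_READ), (5, OP_READ), (3, OP_EDIT), (3, OP_READ)]:
        print(f"{USER_NAME} element {key} op {op}: {decide(element_request(USER_NAME, key, op))}")
```

Two points the evaluator makes visible: a user who is not named in the first policies set gets NotApplicable for any element the Deny rules do not cover, which in only-ABAC mode means no access rather than full access, so the full-access policies set is what makes the denials meaningful; and within one policy "Allow overriding" lets a single Allow rule cancel every Deny rule beside it, so the Deny rules in the example only restrict anything because no Allow rule sits in the same policy.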
To disable attribute-based access control to MDM dictionary elements, deselect the Elements Have Attribute-Based Access Permissions checkbox on the Description of MDM dictionary in object navigator in the desktop application.