The tool supports the interface of Foresight Analytics Platform 9 or earlier.
In this article:
Discretionary Access Control Method
Mandatory Access Control Method
Access permissions setup for MDM dictionary elements depends on the selected access control methods.
NOTE. Along with access control methods, access to MDM dictionary elements can also be limited using key ranges, based on which roles are granted to users: vendor, partner, customer. The role allows adding and editing MDM dictionary elements within its own key range and the next ascending key ranges. Elements with keys from the descending key range cannot be changed.
If discretionary or mandatory access permissions are used for MDM dictionary elements, selecting the MDM dictionary in the security manager of the desktop application displays dictionary elements, groups of elements, and selection schemas in the right part of the Navigator section.
To use the discretionary access control method, follow the steps:
Make sure that the Use Discretionary Access Control checkbox is selected in the Policies Editor section of the security manager.
Set up access parameters for a specified user for:
Required MDM dictionary.
Database that stores dictionary data.
Access parameters can be set up on the Discretionary Access Control tab in the Access Control Settings dialog box. To open the dialog box, select the Access Permissions item in the MDM dictionary's context menu. The item is available for the MDM dictionary selected in the object navigator of the security manager in the desktop application, on the Properties side panel in the web application, or in the object navigator in the desktop application.
Select the checkboxes next to general operations to allow or deny them. To simultaneously set up access to the dictionary and the database, select the Set Up Dependent Object Permissions checkbox, click the OK button and select the checkboxes of the objects whose permissions must be changed.
Select the Elements have Discretionary Access Permissions checkbox on the Description tab of MDM dictionary in the object navigator in the desktop application.
After the checkbox is selected and the MDM dictionary is selected in the security manager's navigator in the desktop application, the right part of the window displays dictionary elements, groups of elements and selection schemas.
The Discretionary Access Control checkbox is displayed in the dictionary's context menu.
The checkbox determines whether dictionary elements are displayed in the security manager's navigator.
When you try to deselect the checkbox, a message is displayed stating that this option can be re-enabled only by the administrator or, if role separation is used, by the application administrator. If you answer Yes, the checkbox is deselected, and the dictionary is hidden from the tree if it has no groups of elements or selection schemas.
NOTE. If the roles of information security administrator and application administrator are separated, by default only the information security administrator may set up access permissions and disable this option. This option can be enabled when editing the MDM dictionary by the application administrator or by a user who holds this privilege.
Set up access permissions for the selected dictionary element:
Select the Access Permissions item in the dictionary element's context menu. The command is available for the dictionary element selected:
In the object navigator of the security manager.
On the Dictionary Elements tab in the MDM dictionary opened for edit in the object navigator.
Select the Object > Access Permissions main menu item.
Press the ENTER key.
Double-click the dictionary element name.
After executing one of the operations:
The Access Permissions dialog box opens to set up dictionary element access permissions.
The Access Control Settings dialog box opens to set up access permissions of the Groups of Elements and Selection Schemas object.
If the dialog box is opened for several elements or objects, the access permission settings displayed are those of the focused element or object. When access permissions are set, they are applied to all selected elements or objects.
To disable discretionary access to MDM dictionary elements:
Make sure that element attributes that are responsible for discretionary access do not have parameters added, no keys are added, and the Alternative Hierarchy checkbox is selected in properties.
Deselect the Elements have Discretionary Access Permissions checkbox on the Description tab of MDM dictionary in the object navigator in the desktop application.
After discretionary access control is disabled for MDM dictionary elements, the user has full access to dictionary elements.
To use the mandatory access control method, follow the steps:
Make sure that the Use Mandatory Access Control checkbox is selected in the Policies Editor section of the security manager.
Add a category and levels in the Mandatory Access Control section of the security manager.
Set the maximum security level for a specific user.
Set the maximum security levels for objects:
Folders that contain the required MDM dictionary.
Required MDM dictionary.
Internal MDM dictionary table.
Database that stores dictionary data.
NOTE. Permissions for objects can be set only by the administrator or by a user who has the permission to change permissions.
Access parameters can be set up on the Mandatory Access Control tab in the Access Control Settings dialog box in the desktop application and on the Properties side panel in the web application.
To simultaneously set up access to the dictionary and the database, select the Set Up Dependent Object Permissions checkbox, click the OK button and select the checkboxes of the objects whose permissions must be changed.
Select the Elements have Discretionary Access Permissions checkbox on the Description tab of MDM dictionary in the object navigator in the desktop application.
After the checkbox is selected, when the MDM dictionary is selected in the object navigator of the security manager, the right part of the desktop application displays dictionary elements, groups of elements and selection schemas. The Mandatory Access Control checkbox is displayed in the dictionary's context menu.
The checkbox determines whether dictionary elements are displayed in the security manager's navigator.
When you try to deselect the checkbox, a message is displayed stating that this option can be re-enabled only by the administrator or, if role separation is used, by the application administrator. If you answer Yes, the checkbox is deselected, and the dictionary is hidden from the tree if it has no groups of elements or selection schemas.
NOTE. If the roles of information security administrator and application administrator are separated, by default only the information security administrator may set up access permissions and disable this option. This option can be enabled when editing the MDM dictionary by the application administrator or by a user who holds this privilege.
Set up access permissions for the selected dictionary element:
Select the Access Permissions item in the dictionary element's context menu. The command is available for the dictionary element selected:
In the object navigator of the security manager.
On the Dictionary Elements tab in the MDM dictionary opened for edit in the object navigator.
Select the Object > Access Permissions main menu item.
Press the ENTER key.
Double-click the dictionary element name.
After executing one of the operations:
The Access Permissions dialog box opens to set up dictionary element access permissions.
The Access Control Settings dialog box opens to set up access permissions of the Groups of Elements and Selection Schemas object.
If the dialog box is opened for several elements or objects, the access permission settings displayed are those of the focused element or object. When access permissions are set, they are applied to all selected elements or objects.
To disable mandatory access control to MDM dictionary elements:
Make sure that element attributes that are responsible for discretionary access permissions do not have parameters added, no keys are added, and the Alternative Hierarchy checkbox is deselected in properties.
Deselect the Elements have Mandatory Access Permissions checkbox on the Description tab of MDM dictionary in the object navigator in the desktop application.
After mandatory access control is disabled for MDM dictionary elements, the user has full access to dictionary elements.
Access permission control for MDM dictionary elements is performed when:
Attribute-based access control method and discretionary access control method are used simultaneously.
Only attribute-based access control method is used.
Access control methods can be selected in the Policies Editor section of the security manager.
To use the attribute-based and discretionary access control methods together, follow the steps:
Make sure that the Use Attribute-Based Access Control and the Use Discretionary Access Control checkboxes are selected in the Policies Editor section of the security manager, and the OR access permission combination option is selected.
Make sure that the discretionary access control parameters for the specific user enable all operations with the following objects:
Folder containing the MDM dictionary. If the MDM dictionary is not located in the repository root but in a folder or folder hierarchy, no folder in the path may have forbidden operations.
Database that stores MDM dictionary data.
Internal MDM dictionary table.
Discretionary access parameters can be set up on the Discretionary Access Control tab in the Access Control Settings dialog box for each object.
Create an attribute-based access control structure that determines access permissions for a specific user to MDM dictionary elements, in the Attribute-Based Access Control section.
The policies set determines the user for whom access to MDM dictionary elements is set up. For example:
Objective: SUBJECT.NAME = <user name>.
Rule combination algorithm: Allow overriding.
The policy determines access to the MDM dictionary by key or identifier. For example:
Objective: OBJECT.KEY = <MDM dictionary key> or OBJECT.ID = <MDM dictionary identifier>.
Rule combination algorithm: Allow overriding.
The rules determine access to MDM dictionary elements. For example:
Objective: OPERATION = <specific operation value>.
For rules, an additional condition is set that compares an element attribute with a value corresponding to the data type of the attribute identifier, together with an effect that determines whether access is allowed or denied as the result of rule execution.
NOTE. When creating an additional condition, take into account features of MDM dictionary element attribute use.
Examples of rules of access control for MDM dictionary elements are given in the Example section.
Open MDM dictionary for edit in the object navigator.
Select the Elements have Attribute-Based Access Permissions checkbox on the Description tab.
After these operations are executed, attribute-based access control rules are applied to MDM dictionary elements. When the attribute-based and discretionary access control methods are used at the same time, access to MDM dictionary elements can also be controlled using discretionary access control. For details see the Discretionary Access Control Method section.
When only the attribute-based access control method is selected, the built-in authorization should be used. Access permission control for MDM dictionary elements is set up for users not included in the built-in administrator group. To do this, follow the steps:
Make sure that the Use Attribute-Based Access Control checkbox is selected in the Policies Editor section of the security manager.
Create an attribute-based access control structure that determines access permissions for a specific user to MDM dictionary elements, in the Attribute-Based Access Control section. The attribute-based access control structure should contain:
Access permissions for MDM dictionary and the following objects:
Folder containing the MDM dictionary. If the MDM dictionary is not located in the repository root but in a folder or folder hierarchy, no folder in the path may have forbidden operations.
Database that stores MDM dictionary data.
Internal MDM dictionary table.
Access denials for MDM dictionary elements.
Open MDM dictionary for edit in the object navigator.
Select the Elements have Attribute-Based Access Permissions checkbox on the Description tab.
After executing the operations, attribute-based access control method rules will be applied for MDM dictionary elements.
Access permissions for MDM dictionary elements can be set up in the development environment using the ABAC assembly. The example of denying the user to read MDM dictionary element is given in the Access Permissions for MDM Dictionary Elements section.
The example shows the attribute-based access control structure used when only the attribute-based access control method is enabled. The structure contains two policies sets that limit the access of a specific user to MDM dictionary elements:
The first policies set contains a policy and a rule that grant the specific user full access to all repository objects:
Policies set parameters:
Objective: SUBJECT.NAME = <user name>.
Rule combination algorithm: Allow overriding.
Policy parameters:
Objective: OBJECT.KEY >= 0.
Rule combination algorithm: Allow overriding.
Rule parameters:
Objective: OPERATION IN 1.
Effect: Allow.
Rule combination algorithm: Allow overriding.
The second policies set determines the object class for which access is set up, its policy determines access to a specific MDM dictionary by key or identifier, and its rules determine access to MDM dictionary elements:
Policies set parameters:
Objective: OBJECT.CLASS = <object class: MDM dictionary>.
Rule combination algorithm: Allow overriding.
Policy parameters:
Objective: OBJECT.KEY = <MDM dictionary key> or OBJECT.ID = <MDM dictionary identifier>.
Rule combination algorithm: Allow overriding.
Rule parameters:
Objective: OPERATION = <specific operation value>.
For rules, an additional condition is set that compares an element attribute with a value corresponding to the data type of the attribute identifier, together with an effect that determines whether access is allowed or denied as the result of rule execution.
Examples of access control rules for MDM dictionary elements:
Deny reading elements of a one-level MDM dictionary with keys 1 and 2:
Objective: OPERATION = 1048576.
Condition: (OBJECT.ELEMENT.KEY >= 0) And (OBJECT.ELEMENT.KEY <= 2).
Effect: Deny.
Deny editing the MDM dictionary element with key 3:
Objective: OPERATION = 2097152.
Condition: OBJECT.ELEMENT.KEY = 3.
Effect: Deny.
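The following is an added example, not Foresight's own code, that evaluates the two-policies-set structure above (and the general set/policy/rule layout described earlier) against sample requests. It assumes that "Allow overriding" behaves as permit-overrides (an Allow result beats a Deny, a Deny beats no applicable rule), that the two policies sets are combined the same way, and that the user name, dictionary key and object-class value are constructed placeholders.

```python
# Added example (not Foresight's own code). Assumptions: "Allow overriding" is
# treated as permit-overrides, the policies sets are combined the same way, and
# USER / DICT_KEY / MDM_CLASS are constructed placeholders for page values.
from dataclasses import dataclass
from typing import Callable, List

ALLOW, DENY, NA = "Allow", "Deny", "NotApplicable"
READ_ELEMENT, EDIT_ELEMENT = 1048576, 2097152      # operation values from the page
USER, DICT_KEY, MDM_CLASS = "analyst", 42, "MDM_DICTIONARY"   # constructed placeholders

@dataclass
class Rule:
    target: Callable[[dict], bool]                 # the rule "Objective"
    effect: str                                    # Allow or Deny
    condition: Callable[[dict], bool] = lambda r: True   # additional condition

@dataclass
class Policy:                                      # used for policies sets and policies
    target: Callable[[dict], bool]                 # the set/policy "Objective"
    children: List[object]                         # nested policies or rules

def combine(results):
    """Allow-overriding combination as assumed here: Allow > Deny > NotApplicable."""
    if ALLOW in results: return ALLOW
    if DENY in results: return DENY
    return NA

def evaluate(node, req):
    if not node.target(req): return NA             # objective not matched
    if isinstance(node, Rule):
        return node.effect if node.condition(req) else NA
    return combine([evaluate(c, req) for c in node.children])

# First policies set: full access to all repository objects for the user.
SET1 = Policy(lambda r: r["SUBJECT.NAME"] == USER, [
    Policy(lambda r: r["OBJECT.KEY"] >= 0, [
        Rule(lambda r: r["OPERATION"] == 1, ALLOW)])])        # "OPERATION IN 1"
# Second policies set: element-level denials for one MDM dictionary.
SET2 = Policy(lambda r: r["OBJECT.CLASS"] == MDM_CLASS, [
    Policy(lambda r: r["OBJECT.KEY"] == DICT_KEY, [
        Rule(lambda r: r["OPERATION"] == READ_ELEMENT, DENY,
             lambda r: 0 <= r["OBJECT.ELEMENT.KEY"] <= 2),   # keys 0..2, as written
        Rule(lambda r: r["OPERATION"] == EDIT_ELEMENT, DENY,
             lambda r: r["OBJECT.ELEMENT.KEY"] == 3)])])

def decide(user, operation, element_key=-1, obj_class=MDM_CLASS, obj_key=DICT_KEY):
    """Build a request (element_key=-1 means no element) and combine both sets."""
    req = {"SUBJECT.NAME": user, "OBJECT.CLASS": obj_class, "OBJECT.KEY": obj_key,
           "OPERATION": operation, "OBJECT.ELEMENT.KEY": element_key}
    return combine([evaluate(SET1, req), evaluate(SET2, req)])
```

Note that the first set never matches element operations (its rule targets operation 1 only), so it cannot override the element denials of the second set; reading element key 5 yields no applicable rule at all, which the example leaves as NotApplicable.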
To disable attribute-based access control to MDM dictionary elements, deselect the Elements have Attribute-Based Access Permissions checkbox on the Description tab of MDM dictionary in the object navigator in the desktop application.
In the desktop application, along with access control methods, access to MDM dictionary elements can also be limited using key ranges, based on which roles are granted to users: vendor, partner, customer. The role allows adding and editing MDM dictionary elements within its own key range and the next ascending key ranges. Elements with keys from the descending key range cannot be changed.
For example, if the user role is partner, the MDM dictionary provides access to elements with keys from the corresponding key range and from the customer key range. Elements with keys from the vendor key range are not available for modification.
To determine a range of keys, create the PlatformUserType parameter of the REG_DWORD type and set its value in the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Foresight\Foresight Analytics Platform\10.0] on the local computers of all users.
Available parameter values:
0. All elements are available. No role is allocated.
1. Available range of element keys is from 0 to 1 billion. User role is vendor.
2. Available range of element keys is from 0 to 1.5 billion. User role is partner.
3. Available range of element keys is from 0 to 2 billion. User role is customer.
For details about system registry settings see the Settings in System Registry section.