Hi John,
To answer your 2nd question, you can implement a custom script in the UI configuration to define which sources must be hidden for selected user Roles. Please see our documentation for more details and examples: Hide/Show Profile Information Based on User Roles
Example of custom script:
{
  "point": "com.reltio.plugins.ui.custom_script",
  "id": "com.reltio.plugins.entity.org.CheckEntityScript",
  "class": "com.reltio.plugins.ui.CustomScript",
  "sources": [
    {
      "roles": ["ROLE_AE", "ROLE_DS"],
      "includeSources": null,
      "excludeSources": ["configuration/sources/AHA", "configuration/sources/ABC"]
    },
    {
      "roles": ["ROLE_USER"],
      "includeSources": ["configuration/sources/ABC"],
      "excludeSources": null
    },
    {
      "roles": ["ROLE_ADMIN"],
      "includeSources": null,
      "excludeSources": []
    }
  ]
}
Please, note:
- If a user has several roles assigned, then the Reltio platform combines all the inclusions/exclusions of sources specified for each role.
Based on the example given above, please note the following points:
- Usage of null translates to not defining any configuration; whereas, usage of [ ] (empty square brackets) indicates that no sources are excluded.
- "ROLE_AE" and "ROLE_DS" roles provide access to all sources, except AHA and ABC.
- "ROLE_USER" role provides access only to the ABC source.
- If both include and exclude properties are defined in a single block, then only the include property is used (the exclude property is ignored).
Best,
Alex Gudkov
Technical support engineer
------------------------------
Alex Gudkov
------------------------------
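Worked example, added here and not part of Alex's reply or Reltio's own code: a small Python resolver that applies the rules listed above to the configuration from the post and reports which sources a user with a given set of roles can see. The tenant source list (including the extra XYZ source) and the union-based way of combining several roles are assumptions.

```python
import json

# Constructed copy of the custom-script configuration shown in the post above.
CUSTOM_SCRIPT = json.loads("""
{
  "point": "com.reltio.plugins.ui.custom_script",
  "id": "com.reltio.plugins.entity.org.CheckEntityScript",
  "class": "com.reltio.plugins.ui.CustomScript",
  "sources": [
    {"roles": ["ROLE_AE", "ROLE_DS"], "includeSources": null,
     "excludeSources": ["configuration/sources/AHA", "configuration/sources/ABC"]},
    {"roles": ["ROLE_USER"], "includeSources": ["configuration/sources/ABC"],
     "excludeSources": null},
    {"roles": ["ROLE_ADMIN"], "includeSources": null, "excludeSources": []}
  ]
}
""")

# Assumed tenant source list; XYZ is a constructed source not in the post.
ALL_SOURCES = ["configuration/sources/AHA", "configuration/sources/ABC",
               "configuration/sources/XYZ"]


def visible_sources(config, user_roles, all_sources=ALL_SOURCES):
    """Return the sources a user holding `user_roles` may see.
    Rules from the post: null = no configuration, [] = exclude nothing,
    include wins over exclude inside one block, and inclusions/exclusions
    are combined across every block whose roles the user holds.
    Combining as a union of includes and a union of excludes is an assumption."""
    includes, excludes = set(), set()
    include_defined = False
    for block in config["sources"]:
        if not set(block["roles"]) & set(user_roles):
            continue  # block does not apply to this user
        if block.get("includeSources") is not None:
            include_defined = True
            includes.update(block["includeSources"])  # exclude is ignored for this block
        elif block.get("excludeSources") is not None:
            excludes.update(block["excludeSources"])  # [] adds nothing
    # With no include list defined anywhere, every source is a candidate.
    candidates = [s for s in all_sources if s in includes] if include_defined else list(all_sources)
    return [s for s in candidates if s not in excludes]


if __name__ == "__main__":
    for roles in (["ROLE_AE"], ["ROLE_USER"], ["ROLE_ADMIN"], ["ROLE_AE", "ROLE_USER"]):
        print(roles, "->", visible_sources(CUSTOM_SCRIPT, roles))
```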
Original Message:
Sent: 05-18-2022 10:19
From: John Sargunam C D
Subject: How to restrict access based on Business Role
Thanks Ashley for your quick response. I have one more query regarding the 1st point.
I have an attribute called Identifier which is declared as Nested Attribute and I have the following attributes as sub-attributes Type, Value.
Now I am restricting the DS1 role based on the Type attribute in Metadata security. The rule is equals(attributes.Identifiers.Type, "SSN").
The next day, the Admin added one more Type, Passport, for the same profile. Now the profile has 2 types: "SSN" and "Passport".
In this case, can the DS1 role see SSN type or both types of profile?
There is a typo in the second question. Please find the updated one.
2. How to restrict the attribute information based on the Source system for the specific Business Role? (Example: DS1 role can see Source1 crosswalk information whereas DS1 role should not see Source2 crosswalk information)
Regards,
John
------------------------------
John Sargunam C D
Associate Consultant
Tata Consultancy Service
Original Message:
Sent: 05-17-2022 17:24
From: Ashley Branham
Subject: How to restrict access based on Business Role
Hey John,
We can apply metadata security to the tenant via the permissions API. It's important to note that applying metadata permissions will affect any non-admin user, so we need to account for all roles logging into the tenant.
Official Reltio Documentation
1. Create the business role via the Reltio User Management Console
2. Create the metadata permissions via JSON. In the example attached we have the below scenario...
- ROLE_A can read/initiate change requests on ALL organizational data EXCEPT the DateOfBirth attribute.
- We do this by granting ROLE_A access to the Organization, the Organization/Attributes, then restricting access to the Organization/Attributes/DateOfBirth
- ROLE_B has full CRUD access to organizational data **within the US (using a filter on Organization.Addresses.Country)
3. We apply the metadata permissions to the tenant using the below POST API.
GET/POST/DELETE https://{{env}}.reltio.com/reltio/permissions/{{tenantID}}
NOTE:
Reltio follows the least privilege policy when it comes to security, so this means that if we create metadata security for ROLE_A to read Organizational data, they will not see any other entity data unless we specify it within the permission config.
**I will follow up with a response for #2 :)
------------------------------
Ashley Branham
Original Message:
Sent: 05-15-2022 15:21
From: John Sargunam C D
Subject: How to restrict access based on Business Role
I would appreciate it if anyone here could guide me on the requirements below.
1. How to restrict the attribute view based on Business Role? (Example: DS1 Role can see the SSN attribute whereas DS2 Role cannot see the SSN attribute)
2. How to restrict the attribute information based on the Source system for the specific Business Role? (Example: DS1 role can see Source1 crosswalk information whereas DS1 role should not see Source1 crosswalk information)
------------------------------
John Sargunam C D
Associate Consultant
Tata Consultancy Service
------------------------------