Makes sense. Thanks much, Aditi!
Original Message:
Sent: 03-12-2024 06:30
From: Aditi Verma
Subject: Permissions for entity types based on the value of specific attribute
Hi @Nidheesh R
I am glad this was helpful!
To your first question, we do not have an API to update the metadata security configuration at the moment. So the only way to update this config will be to delete it and post the new version. APIs are available here: Metadata security APIs.
Regarding the permissions in each of these roles, I would suggest you start by creating these roles without any specific service permissions (Create Roles API).
So each of the roles mentioned above would be created empty, without any services attached to them. Next, when you are creating user groups, you can add the OOB roles ROLE_API and ROLE_USER along with the new empty roles that you created in the previous step. Example: the Finance Group will have ROLE_API + ROLE_USER + ROLE_CUSTOMER_FINANCE_EDIT + ROLE_CUSTOMER_HEALTH_READ_ONLY.
ROLE_API and ROLE_USER should give enough permissions for a user to access the tenant and data, and then your custom roles will be able to filter the data and make only the applicable data visible/editable to the users.
Let me know if it helps.
Thanks.
------------------------------
Aditi Verma
------------------------------
Original Message:
Sent: 03-11-2024 16:12
From: Nidheesh R
Subject: Permissions for entity types based on the value of specific attribute
Thanks much, Aditi. Your response has helped a long way in shaping our feature. I'm however stuck at a point now.
For any change in metadata permissions, it is demanding a DELETE API call to erase the existing metadata configuration. Only then are the new metadata permissions able to update. I would like to know if this is expected.
Also, it would be of great help if you can share a sample custom role JSON (similar to the existing Reltio System Roles) to create basic permissions for any user to have a READONLY view of all the UI data and features in a Reltio tenant. I think it is a good approach to have a basic/minimum default role that is required for a user to access a read-only mode of Reltio UI data and all features the UI offers, then create custom roles and apply custom metadata role permissions on top of it based on the metadata security we are discussing here.
I tried doing this myself but ended up with this error:
"Permission denied. Access to object entities/* is forbidden. Required privileges: READ"
------------------------------
Nidheesh R
EPAM Systems
Original Message:
Sent: 03-07-2024 09:34
From: Aditi Verma
Subject: Permissions for entity types based on the value of specific attribute
Hi @Nidheesh R
You can try it this way:
1. Create 6 roles (or more, depending on the granularity of operations you will do in Reltio): one for read-only access to each domain of data and one for edit access to each domain. You can check the config I have pasted below for the different roles.
2. In your Finance user group, add ROLE_CUSTOMER_FINANCE_EDIT and ROLE_CUSTOMER_HEALTH_READ_ONLY. Now all the users associated with this group will have read-only access to Health Business Domain data, edit access to Finance Business Domain data, and no visibility of Audit Business Domain data.
3. Create a metadata security configuration like the one below (Reltio doc: https://docs.reltio.com/en/explore/get-going-with-apis-and-rocs-utilities/reltio-rest-apis/engage-apis/configuration-api/role-based-security/metadata-security)
[
{
"uri": "configuration/entityTypes/MyEntity",
"permissions": [
{
"role": "ROLE_CUSTOMER_FINANCE_EDIT",
"filter": "equals(attributes.BusinessDomain ,'Finance')",
"access": [
"READ",
"CREATE",
"UPDATE"
]
},
{
"role": "ROLE_CUSTOMER_FINANCE_READ_ONLY",
"filter": "equals(attributes.BusinessDomain ,'Finance')",
"access": [
"READ"
]
},
{
"role": "ROLE_CUSTOMER_HEALTH_READ_ONLY",
"filter": "equals(attributes.BusinessDomain ,'Health')",
"access": [
"READ"
]
},
{
"role": "ROLE_CUSTOMER_HEALTH_EDIT",
"filter": "equals(attributes.BusinessDomain ,'Health')",
"access": [
"READ",
"CREATE",
"UPDATE"
]
},
{
"role": "ROLE_CUSTOMER_AUDIT_READ_ONLY",
"filter": "equals(attributes.BusinessDomain ,'Audit')",
"access": [
"READ"
]
},
{
"role": "ROLE_CUSTOMER_AUDIT_EDIT",
"filter": "equals(attributes.BusinessDomain ,'Audit')",
"access": [
"READ",
"CREATE",
"UPDATE"
]
}
]
}
]
4. You can add more levels to the permissions based on your full use case, but using the metadata security config should help you achieve this use case.
------------------------------
Aditi Verma
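Added example, not Reltio's own code and not posted by either participant: a small Python model of the scheme described in Aditi's two replies. It generates the per-domain role rows in the same shape as the JSON config above, composes the Finance Group exactly as the 03-12 reply describes (ROLE_API + ROLE_USER + ROLE_CUSTOMER_FINANCE_EDIT + ROLE_CUSTOMER_HEALTH_READ_ONLY), validates the config before it is posted, and evaluates which access a group ends up with on sample entities in each business domain. The evaluator is an assumption about the semantics the thread describes (a row applies only when the user holds its role and its filter matches the entity, and an entity with no matching row is invisible); it is not Reltio's engine, it only parses the single `equals(attributes.X ,'value')` filter form the posted config uses, and the tenant-level privileges that ROLE_API and ROLE_USER carry are out of its scope. The group name, the sample entities and the `validate_config` checks are constructed for illustration.

```python
import json
import re
from typing import Dict, Iterable, List, Set

# Domains and access lists taken from the config posted in the thread.
DOMAINS = ("Finance", "Health", "Audit")
EDIT_ACCESS = ("READ", "CREATE", "UPDATE")
READ_ONLY_ACCESS = ("READ",)
# Only the access values that appear on the page; anything else is flagged by validate_config.
KNOWN_ACCESS = {"READ", "CREATE", "UPDATE"}

# The one filter form used in the posted config: equals(attributes.<Attr> ,'<value>').
# Assumption: the real filter language is broader, so any other form is rejected, never ignored.
_EQUALS_FILTER = re.compile(r"^equals\(\s*attributes\.(\w+)\s*,\s*'([^']*)'\s*\)$")


def build_metadata_security(entity_type: str, domains: Iterable[str] = DOMAINS) -> List[dict]:
    """Generate one EDIT and one READ_ONLY row per domain, in the shape of the posted config."""
    permissions = []
    for domain in domains:
        tag = domain.upper()
        filt = f"equals(attributes.BusinessDomain ,'{domain}')"
        permissions.append({"role": f"ROLE_CUSTOMER_{tag}_EDIT", "filter": filt, "access": list(EDIT_ACCESS)})
        permissions.append({"role": f"ROLE_CUSTOMER_{tag}_READ_ONLY", "filter": filt, "access": list(READ_ONLY_ACCESS)})
    return [{"uri": f"configuration/entityTypes/{entity_type}", "permissions": permissions}]


def is_supported_filter(filter_expr: str) -> bool:
    return _EQUALS_FILTER.match(filter_expr.strip()) is not None


def filter_matches(filter_expr: str, entity: dict) -> bool:
    """Evaluate equals(attributes.X ,'v') against an entity's attributes; unsupported forms raise."""
    m = _EQUALS_FILTER.match(filter_expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {filter_expr!r}")
    attr, expected = m.groups()
    return entity.get("attributes", {}).get(attr) == expected


def validate_config(config: List[dict]) -> List[str]:
    """Pre-flight checks worth running before the delete-and-post cycle: the thread notes the
    config cannot be patched in place, so a bad version is only caught after the old one is gone."""
    problems = []
    for block in config:
        seen: Set[str] = set()
        for row in block.get("permissions", []):
            role = row.get("role", "<missing role>")
            if role in seen:
                problems.append(f"{block.get('uri')}: duplicate row for {role}")
            seen.add(role)
            unknown = set(row.get("access", [])) - KNOWN_ACCESS
            if unknown:
                problems.append(f"{role}: unknown access values {sorted(unknown)}")
            if not is_supported_filter(row.get("filter", "")):
                problems.append(f"{role}: filter not in the supported equals(...) form")
    return problems


def effective_access(config: List[dict], user_roles: Iterable[str], entity_type: str, entity: dict) -> Set[str]:
    """Union of the access lists of every row whose role the user holds and whose filter matches.
    An entity that matches none of the user's rows gets an empty set, i.e. it is invisible."""
    roles = set(user_roles)
    uri = f"configuration/entityTypes/{entity_type}"
    granted: Set[str] = set()
    for block in config:
        if block.get("uri") != uri:
            continue
        for row in block["permissions"]:
            if row["role"] in roles and filter_matches(row["filter"], entity):
                granted.update(row["access"])
    return granted


# Group composition from the 03-12 reply (group name constructed for the example).
GROUPS: Dict[str, List[str]] = {
    "Finance Group": ["ROLE_API", "ROLE_USER", "ROLE_CUSTOMER_FINANCE_EDIT", "ROLE_CUSTOMER_HEALTH_READ_ONLY"],
}

# Constructed sample entities, one per business domain, for the "MyEntity" type used in the thread.
SAMPLE_ENTITIES: Dict[str, dict] = {
    domain.lower(): {"type": "configuration/entityTypes/MyEntity", "attributes": {"BusinessDomain": domain}}
    for domain in DOMAINS
}

CONFIG = build_metadata_security("MyEntity")


def access_matrix(group: str) -> Dict[str, List[str]]:
    """Effective access of one group on each sample entity, sorted for stable comparison."""
    return {
        name: sorted(effective_access(CONFIG, GROUPS[group], "MyEntity", entity))
        for name, entity in SAMPLE_ENTITIES.items()
    }


if __name__ == "__main__":
    print("validation problems:", validate_config(CONFIG))
    print(json.dumps(access_matrix("Finance Group"), indent=2))
```

The matrix for the Finance Group reproduces the outcome stated in step 2 of the 03-07 reply: full edit access on the Finance entity, read-only on the Health entity, and nothing at all on the Audit entity, because no row the group's roles appear in has a filter that matches it.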