Define privileges grants

This page describes how to define the access policies for the data model.
Those policies are implemented in the form of model and entity privileges. They are enforced when the user accesses the data through the graphical user interface and integration points.

Make sure to define the roles in the platform before the privilege grants for these roles. See Manage roles for more information.

Add privilege grants

To add a model privilege grant:

  1. Connect to an open model edition.

  2. In the Model Design view, right-click the Model Privilege Grants node and select Add Model Privilege Grant…. The Create New Model Privilege Grant wizard opens.

  3. In the Create New Model Privilege Grant wizard, check the Auto Fill option and then enter the following values:

    • Role Name: Select a role defined in Semarchy xDM by the administrator.

    • Name: Internal name of the object.

    • Label: User-friendly label for this object. Note that as the Auto Fill box is checked, the Label is automatically filled in. Modifying this label is optional.

    • In the Description field, optionally enter a description for the Model Privilege Grant.

    • Select Grant full access to the model if you want to give full privileges to this model. This option overrides all privileges granted at the entity or attribute level. Note that this privilege does not include access to the REST API.

    • Select Grant access to integration web services to allow this role to connect to the REST API for this model. Note that entity/attribute level privileges are also needed. This option only allows connecting to the API.

    • Select Allow Publishing as user in API to allow users with this role to publish data via the REST API on behalf of other users. Users with this privilege can push values for the Creator, Updator, CreateDate and UpdateDate when publishing data. Users without that privilege will automatically have their own username in Creator/Updator, and the dates set to the current timestamps.

    • Select Allow Enrichment Documentation and Allow Data Quality Documentation to let users with this role access the enrichment and data quality components of the application documentation.

  4. Click Next.

  5. In the Entities Privileges Grants page, select the Entities for which you want grant privileges and click the Add >> button to add them to the Selected Entities.

  6. Click Next.

  7. In the next page, select the default privileges for the selected entities:

    • Default Access Type: Select None, Read or Read/Write

    • Allow Creation: Select this option to allow this role to create new entity records in a stepper.

    • Allow Checkout: Select this option to allow this role to edit entity records into a stepper.

    • Allow Export: Select this option to allow this role to export entity records.

    • Allow Removal: Select this option to allow this role to remove entity records from a stepper.

    • Allow Delete: Select this option to allow this role to delete entity records.

  8. Click Finish to close the wizard. The Model Privilege Grant editor opens.

  9. Press Control+S (or Command+S on macOS) to save the editor.

In the Model Privilege Grant editor, you can refine the default privileges in the Entity Privileges table:

  • You can modify the Access Type for each entity.

  • You can expand the entities and modify the Access Type for specific attributes.

  • You can change the Creation, Checkout, Removal, Delete and Export privileges on entities.

  • You can add privilege grants for more entities, or new privilege grants for entities already present in the grant.

  • You can set a filter for each privilege grant to enable row-level security.

Be cautious when checking the Grant full access to the model option in a privilege grant, as it overrides all privileges granted at the entity or attribute level.
Row-level security is not supported when accessing data from UG and UM views.
At run-time, xDM automatically ignores the conditions from model privileges grant filters that use one or several unavailable attributes in the current view. The -Dcom.semarchy.mdm.security.dataAccessAuthorizations.skipAdaptRowScopeToAvailableAttributes system property is available and must be set to true to disable this behaviour and keep model privileges grant filters unmodified.