Define Privileges Grants

This document describes how to define the access policies for the data model.
Those policies are implemented in the form of model and entity privileges. They are enforced when the user accesses the data through the graphical user interface and integration points.

Make sure to define the roles in the platform before the privilege grants for these roles. For more information, see Manage Roles.

Add Privilege Grants

To add a model privilege grant:

  1. Connect to an open model edition.

  2. In the Model Design view, right-click the Model Privilege Grants node and select Add Model Privilege Grant. The Create New Model Privilege Grant wizard opens.

  3. In the Create New Model Privilege Grant wizard, select the Auto Fill checkbox, and then enter the following values:

    • Role Name: select a role defined in Semarchy xDM by the administrator.

    • Name: internal name of the object.

    • Label: user-friendly label for this object. Note that as the Auto Fill box is checked, the Label is automatically filled in. Modifying this label is optional.

    • (Optional) In the Description field, enter a description for the model privilege grant.

    • (Optional) Select Grant full access to the model if you want to give full privileges to this model. This option overrides all privileges granted at the entity or attribute level. Note that this privilege does not include access to the REST API.

    • (Optional) Select Grant access to integration web services to allow this role to connect to the REST API for this model. Note that entity/attribute level privileges are also needed. This option only allows connecting to the API.

    • (Optional) Select Allow Publishing as user in API to allow users with this role to publish data via the REST API on behalf of other users. Users with this privilege can push values for the Creator, Updator, CreateDate, and UpdateDate when publishing data. Users without that privilege will automatically have their own username in Creator/Updator, and the dates set to the current timestamps.

    • (Optional) Select Allow Enrichment Documentation and Allow Data Quality Documentation to let users with this role access the enrichment and data quality components of the application documentation.

  4. Click Next.

  5. On the Entities Privileges Grants screen, select the entities for which you want to grant privileges and click the Add >> button to add them to the Selected Entities panel.

  6. Click Next.

  7. On the next screen, select the default privileges for the selected entities:

    • Default Grant: select None, Read or Read/Write.

    • Allow Creation: select this option to allow this role to create new entity records in a stepper.

    • Allow Checkout: select this option to allow this role to edit entity records in a stepper.

    • Allow Export: select this option to allow this role to export entity records.

    • Allow Removal: select this option to allow this role to remove entity records from a stepper.

    • Allow Delete: select this option to allow this role to delete entity records.

  8. Click Finish to close the wizard. The Model Privilege Grant editor opens.

  9. Press Control+S (or Command+S on macOS) to save the editor.

From the Model Privilege Grant editor, you can refine the default privileges in the Entity Privileges table:

  • You can modify the access type for each entity.

  • You can expand the entities and modify the access type for specific attributes.

  • You can change the Creation, Checkout, Removal, Delete, and Export privileges on entities.

  • You can add privilege grants for more entities, or new privilege grants for entities already included in the grant.

  • You can set a filter for each privilege grant to enable row-level security.

Allow creating records within an entity with a row-level security filter

By default, adding a row-level security filter prevents end-users from creating new records. To allow a specific role to create data records within an entity with a row-level security filter enabled, model designers can proceed as follows:

  1. Grant the role a Read privilege on the entity and select the Allow Creation option.

  2. Grant the role a Read/Write privilege on the same entity and select Allow Checkout to permit updating records (selecting Allow Creation is optional).

  3. In the Entities Privileges table, select the table row with the newly created Read/Write privilege, and click the Edit expression Edit expression button in the Filter column to specify a row-level security filter using the SemQL editor.

Since model privilege grants are cumulative, this configuration gives the role the permissions to:

  • Create records and submit them to the data hub if they meet the filter criteria.

  • Update the subset of records that is defined by the filter, while the other records remain non-editable.

Be cautious when selecting the Grant full access to the model option in a privilege grant, as it overrides all privileges granted at the entity or attribute level.
Row-level security is not supported when accessing data from UG and UM views.
At run-time, xDM automatically ignores the conditions from model privilege grant filters that use one or several unavailable attributes in the current view. The -Dcom.semarchy.mdm.security.dataAccessAuthorizations.skipAdaptRowScopeToAvailableAttributes system property is available and must be set to true to disable this behavior and keep model privilege grant filters unmodified.