By default, all existing data access rules include the read permission.
Users assigned to user roles that are associated with a data access rule can access data in MDM SaaS according to the permissions you select. You can set the create, read, update, and delete permissions when you configure a new data access rule or edit an existing one.
For example, you run a retail company and want to control inventory access to ensure data accuracy and security. Your company has user roles such as Warehouse Staff, Inventory Manager, and Auditor. To provide controlled access to product data, you need to assign different permissions to each user role.
To provide better access control and enhance data security, understand the following permissions that each user role requires:
• Warehouse Staff. Warehouse staff can add new items of the type electronics. They can view records of type electronics and update attributes, such as expiration date, batch number, and storage location, in these records. However, they can't delete item records or specific details in the records.
To provide the required access, create a record-level data access rule, set create and read permissions, and configure the rule condition with item type as electronics. To update values in attributes, such as expiration date, batch number, and storage location, create an attribute-level data access rule. In the attribute-level data access rule, select the attributes to protect, set the update permission, and configure the condition with item type as electronics.
• Inventory Manager. An inventory manager can delete all records that have the availability status out of stock.
To provide the delete permission to the Inventory Manager user role, create a record-level data access rule, set the delete permission, and specify the condition with the availability status as out of stock.
• Auditor. An auditor can only read finance-related information in item records from the United States.
To enable read-only access, create an attribute-level data access rule, select the attribute to protect, set the read permission, and define a condition with country equals United States.
Note: You can't set create permissions in data access rules that you configure with conditions on relationship assets.
Rules and guidelines for setting permissions in data access rules
Consider the following rules and guidelines when you set permissions in data access rules:
• Ensure that you enable the read privilege for records and attributes in a business entity.
If you set create, read, update, and delete permissions in data access rules but don't enable the read privilege, or you disable the existing read privilege, users can't access data in business applications. However, the read privilege isn't required to access data through file import and REST APIs.
• You can't set create, update, delete, or read permissions in data access rules if existing data access rules contain similar values for fields in the Rule Definition section.
• To enable create, update, read, or delete permissions in data access rules, ensure that the user role has the required privilege for records and attributes in a business entity.
• If a business entity has an existing data access rule configuration, you can't edit any permissions for records and attributes in the business entity.
• If a user role doesn't have the required permissions to access data in a business entity, MDM SaaS displays a validation error when users with that user role submit records in business applications.
• When you publish draft data access rules with create, update, and delete permissions, MDM SaaS doesn't run the publish data access rules job. However, MDM SaaS runs the job if you include the read permission along with the other permissions.
A publish data access rules job runs only for data access rules that have the read permission. To reduce loading time when users search for records, the job assigns user roles to records based on the conditions set in the data access rules. When users assigned to these user roles search for records, MDM SaaS returns records quickly. However, when users create, update, or delete records, MDM SaaS can't assign a user role to records because these actions are performed in real time.
• If you set the create permission for attribute-level data access rules, MDM SaaS evaluates the conditions defined in these rules against the existing data. If the existing data doesn't meet the defined conditions, MDM SaaS doesn't allow users to create data.
For example, consider that your organization has an attribute-level data access rule that protects the first name and last name attributes, with the condition that the middle name equals Mick. When a user enters Mick as the middle name along with values for the first name and last name, MDM SaaS checks the existing data. Because no existing record has Mick as the middle name, the condition isn't satisfied and MDM SaaS doesn't allow the user to add the data.
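The retail example earlier on this page and the create-permission behaviour described in this guideline, as an added illustrative model written for this page. It is not MDM SaaS code and does not claim to be the product's evaluation logic; the roles, conditions, and permissions follow the examples on the page, while the attribute name unit_cost, the Data Steward role, the sample records, and the fallback that an attribute no rule protects follows the record-level decision are constructed assumptions:

```python
from __future__ import annotations
from dataclasses import dataclass

CREATE, READ, UPDATE, DELETE = "create", "read", "update", "delete"


@dataclass(frozen=True)
class Rule:
    # Empty `attributes` models a record-level rule; a non-empty set models an
    # attribute-level rule that protects exactly those attributes.
    role: str
    permissions: frozenset[str]
    condition: dict[str, str]              # every key must equal its value on a record
    attributes: frozenset[str] = frozenset()

    def matches(self, record: dict[str, str]) -> bool:
        return all(record.get(k) == v for k, v in self.condition.items())


class AccessEvaluator:
    """Decides whether a user role may perform an action on a record or an attribute."""

    def __init__(self, rules: list[Rule], existing_records: list[dict[str, str]]):
        self.rules = rules
        self.existing = existing_records   # data already stored in the business entity

    def can_record(self, role: str, action: str, record: dict[str, str]) -> bool:
        """Some record-level rule for the role grants the action and matches the record."""
        return any(
            r.role == role and not r.attributes
            and action in r.permissions and r.matches(record)
            for r in self.rules
        )

    def can_attribute(self, role: str, action: str, attribute: str, record: dict[str, str]) -> bool:
        """Attribute-level check. For create, the page states that the condition is
        evaluated against the existing data, so the record being entered is ignored."""
        protecting = [r for r in self.rules if r.role == role and attribute in r.attributes]
        if not protecting:
            # Assumption (not on the page): an unprotected attribute follows the record-level decision.
            return self.can_record(role, action, record)
        for r in protecting:
            if action not in r.permissions:
                continue
            if action == CREATE:
                if any(r.matches(existing) for existing in self.existing):
                    return True
            elif r.matches(record):
                return True
        return False


# Rules from the retail example and the Mick example. Attribute names such as
# unit_cost and the Data Steward role are constructed for this illustration.
RULES = [
    Rule("Warehouse Staff", frozenset({CREATE, READ}), {"item_type": "electronics"}),
    Rule("Warehouse Staff", frozenset({UPDATE}), {"item_type": "electronics"},
         frozenset({"expiration_date", "batch_number", "storage_location"})),
    Rule("Inventory Manager", frozenset({DELETE}), {"availability_status": "out of stock"}),
    Rule("Auditor", frozenset({READ}), {"country": "United States"}, frozenset({"unit_cost"})),
    Rule("Data Steward", frozenset({CREATE}), {"middle_name": "Mick"},
         frozenset({"first_name", "last_name"})),
]

# Constructed sample data: already-stored records (none has middle name Mick) and two item records.
EXISTING = [{"first_name": "Ann", "last_name": "Lee", "middle_name": "Jo"}]
TV = {"item_type": "electronics", "availability_status": "out of stock", "country": "United States"}
SOFA = {"item_type": "furniture", "availability_status": "in stock", "country": "Germany"}


def retail_demo() -> dict[str, bool]:
    ev = AccessEvaluator(RULES, EXISTING)
    return {
        "warehouse_creates_tv": ev.can_record("Warehouse Staff", CREATE, TV),
        "warehouse_deletes_tv": ev.can_record("Warehouse Staff", DELETE, TV),
        "warehouse_reads_sofa": ev.can_record("Warehouse Staff", READ, SOFA),
        "warehouse_updates_tv_location": ev.can_attribute("Warehouse Staff", UPDATE, "storage_location", TV),
        "warehouse_updates_tv_cost": ev.can_attribute("Warehouse Staff", UPDATE, "unit_cost", TV),
        "manager_deletes_tv": ev.can_record("Inventory Manager", DELETE, TV),
        "manager_deletes_sofa": ev.can_record("Inventory Manager", DELETE, SOFA),
        "auditor_reads_tv_cost": ev.can_attribute("Auditor", READ, "unit_cost", TV),
        "auditor_reads_sofa_cost": ev.can_attribute("Auditor", READ, "unit_cost", SOFA),
        "auditor_updates_tv_cost": ev.can_attribute("Auditor", UPDATE, "unit_cost", TV),
    }


def create_check_demo() -> tuple[bool, bool]:
    """The Mick example: create is refused until an existing record satisfies the condition."""
    new_person = {"first_name": "Mick", "last_name": "Jones", "middle_name": "Mick"}
    before = AccessEvaluator(RULES, EXISTING).can_attribute("Data Steward", CREATE, "first_name", new_person)
    seeded = EXISTING + [{"first_name": "Sam", "last_name": "Stone", "middle_name": "Mick"}]
    after = AccessEvaluator(RULES, seeded).can_attribute("Data Steward", CREATE, "first_name", new_person)
    return before, after


if __name__ == "__main__":
    for check, allowed in retail_demo().items():
        print(f"{check:32} {'allowed' if allowed else 'denied'}")
    print("create before/after matching existing data:", create_check_demo())
```

The model makes the two decision paths on the page visible: record-level rules gate whole records, attribute-level rules gate only the attributes they protect, and a create check against an attribute-level rule consults stored records rather than the values being entered, which is why the Mick record is refused until some existing record already carries that middle name.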