Data access rules can include the protected business entity, its associated relationships, and business entities related to the protected business entity through relationships and business entity record fields.
Effective in the February 2023 release, the option to create conditions for the following assets and attributes is available for preview:
• Attributes of the business entity related to the protected business entity through a business entity record field. For more information about business entity record fields.
• Relationships. Relationships associated with the protected business entity.
• Relationship attributes. Attributes of the relationship associated with the protected business entity.
• Value of related business entity attributes. Attributes of the business entity related to the protected business entity.
Preview functionality is supported for evaluation purposes but is unwarranted and is not supported in production environments or any environment that you plan to push to production. Informatica intends to include the preview functionality in an upcoming release for production use, but might choose not to in accordance with changing market or technical circumstances. For more information, contact Informatica Global Customer Support.
For example, consider a scenario with the following requirement:
Provide access to records of employees who are from the United States, and from California or Florida, and who are either employees of Informatica or contractors of Informatica.
To achieve the preceding requirement, you can create multiple data access rules that together act as rules with both the AND and OR operators. Create the data access rules according to your requirement and assign them to multiple user roles. If you assign the user roles to a user in Administrator, the data access rules act as rules with the AND and OR operators, and the user gets access to the records in your business application according to the requirement.
Before you create a set of data access rules that act as rules with the AND and OR operators, familiarize yourself with the following concepts:
• A data access rule with multiple conditions acts as a rule with the AND operator. For example, if a data access rule has four conditions, the user with the custom user role can view the records that satisfy all four conditions.
• Multiple data access rules assigned to a custom role behave as a rule with the AND operator. For example, if you assign two data access rules to a custom user role, the user can view the records that satisfy both the data access rules assigned to the corresponding custom user role.
• If multiple data access rules are assigned to different custom user roles and a user is assigned all the custom user roles in Administrator, the multiple data access rules act as a rule with the OR operator.
The following sample describes a set of rules that act as rules with the OR operator for a user:
1. Rule A is associated with custom user role 1, and rule B is associated with custom user role 2.
2. Custom user role 1 and custom user role 2 are assigned to a user in Administrator.
3. Rule A and Rule B behave as rules with the OR operator for the user. The user can view the records that satisfy both rules or a single rule.
Creating multiple data access rules
You can create multiple data access rules that act as rules with the AND and OR operators to get the results of a complex data access rule.
Consider the following sample rule for a Person business entity:
Employee Country=US (City Name contains California, Florida) AND (Relationship=Employee AND Organization Name=Informatica) OR (Relationship Name=Contractor AND Organization Name=Informatica)
To achieve the results of the preceding rule, you can create multiple data access rules that act as rules with the AND and OR operators.
The rule contains the following attributes, operators, conditions, values, and associated business entities:
| Attribute | Operator/Condition | Value | Associated business entity | Type of business entity |
|---|---|---|---|---|
| Country | Equals to | United States | Person | Predefined business entity, which is the protected asset in your data access rule. |
| City Name | In | California, Florida | Person | Predefined business entity, which is the protected asset in your data access rule. |
| Organization Name | Equals to | Informatica | Organization | Predefined business entity that is related to the protected Person business entity. |
| Relationship 1 | Exists | Employee | Organization | Predefined business entity that is related to the protected Person business entity. |
| Relationship 2 | Exists | Contractor | Organization | Predefined business entity that is related to the protected Person business entity. |
1. Create multiple data access rules based on the AND operators. Separate the applicable attributes for each rule. The following table lists the separated attributes:

| Attributes | Rule 1 | Rule 2 |
|---|---|---|
| Country | Applicable | Applicable |
| City | Applicable | Applicable |
| Organization Name | Applicable | Applicable |
| Relationship 1 | Applicable | Not Applicable |
| Relationship 2 | Not Applicable | Applicable |
All the attributes in the sample rule are common to both rules except the relationships. The two relationships in the sample rule should act as rules that use the OR operator. Hence, you need to create two individual data access rules, each using the AND operator.
2. After you separate the attributes, create individual data access rules with the AND operator in the following format:
- Rule 1. Country=US (City Name in California, Florida) AND (Relationship Employee Exists and Organization Name=Informatica)
- Rule 2. Country=US (City Name in California, Florida) AND (Relationship Contractor Exists and Organization Name=Informatica)
Note: To create a data access rule with the AND operator, define conditional statements for each required attribute within the rule.
3. Assign each rule to an individual custom user role. Assign the custom user roles to a single user in Administrator. The set of rules acts as data access rules that use both the AND and OR operators. The following table lists the assignment of data access rules to custom user roles and the user:

| Data access rule | Custom user role assigned in the data access rule | User assigned in Administrator |
|---|---|---|
| Country=US (City in California, Florida) AND (Relationship Employee Exists and Organization Name=Informatica) | Custom user role 1 | User 1 |
| Country=US (City in California, Florida) AND (Relationship Contractor Exists and Organization Name=Informatica) | Custom user role 2 | User 1 |
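The combined behaviour of the three concepts listed earlier and of the rule split in steps 1 to 3, as an added Python model (not Informatica code or its API): conditions within a rule and rules on one role are ANDed, roles assigned to one user are ORed. The sample records, the `related_to` pairing of relationship and organization name, and the hypothetical "Misconfigured role" that carries both rules on a single role are assumptions made for the illustration.

```python
# Toy model of the AND/OR behaviour described above; not Informatica code.
# Rule, role and record structures are constructed for illustration.

def country_is(value):
    return lambda rec: rec["country"] == value

def city_in(*values):
    return lambda rec: rec["city"] in values

def related_to(relationship, org):
    # Assumption: relationship and organization name are checked together.
    return lambda rec: (relationship, org) in rec["rels"]

COMMON = [country_is("US"), city_in("California", "Florida")]
RULE_1 = COMMON + [related_to("Employee", "Informatica")]
RULE_2 = COMMON + [related_to("Contractor", "Informatica")]

# Role name -> rules. "Misconfigured role" (hypothetical) holds both rules.
ROLES = {
    "Custom user role 1": [RULE_1],
    "Custom user role 2": [RULE_2],
    "Misconfigured role": [RULE_1, RULE_2],
}

def rule_allows(rule, rec):
    return all(cond(rec) for cond in rule)  # conditions in a rule: AND

def role_allows(role, rec):
    return all(rule_allows(r, rec) for r in ROLES[role])  # rules on a role: AND

def visible(user_roles, records):
    # Roles assigned to one user: OR
    return [rec["name"] for rec in records
            if any(role_allows(role, rec) for role in user_roles)]

def person(name, city, *rels):
    return {"name": name, "country": "US", "city": city, "rels": set(rels)}

EMP, CON = ("Employee", "Informatica"), ("Contractor", "Informatica")
PEOPLE = [  # constructed sample Person records
    person("Ana", "California", EMP),
    person("Ben", "Florida", CON),
    person("Cy", "Texas", EMP),
    person("Dee", "California", ("Employee", "Example Corp")),
    person("Eve", "Florida", EMP, CON),
]

if __name__ == "__main__":
    both = ["Custom user role 1", "Custom user role 2"]
    for roles in (both[:1], both, ["Misconfigured role"]):
        print(roles, visible(roles, PEOPLE))
```

Each additional role assigned to the user can only widen the set of visible records, while placing both rules on one role narrows it to records that satisfy both rules.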
The following image shows a sample rule configured on the Security page: