Before you define a data access rule, ensure that you have set the required privileges for the custom user roles. If you rename a custom user role in Administrator, the data access rule isn't valid for the user role.
You can create and publish up to 50 record-level and 50 attribute-level data access rules for a business entity.
4. Select an asset to protect. Currently, you can only protect business entities.
5. Select one of the following permissions for the selected asset:
- Allow. Allows the user role access to asset data.
- Deny. Denies the user role access to asset data.
6. In the Affected User Roles section, click Add User Role, and select the user roles to which you want to apply the data access rule.
The Add User Roles page appears.
7. Select the user roles, and click Add.
The selected user roles are added to the Affected User Roles section.
8. Click Next.
The Conditions page appears.
Step 2: Configure the rule conditions
Define conditions based on which rules must be applied. You can define conditions based on attributes and field group values that are configured as searchable.
You can configure conditions for the following assets and attributes:
Note: The more conditions you add, the longer it takes to process search requests. If you have performance issues after adding conditions, consider reducing the number of conditions.
Configure the rule conditions for business entity attributes
You can create conditions only for business entity attributes that you configure as searchable.
1. On the Conditions page, select the level to which you want to apply the rule in the Rule Applies To: list.
- Record Level. Applies the rule to the entire record data.
- Attribute Level. Applies the rule to attributes or field groups within the record.
2. If you select Attribute Level, select the attributes you want to protect.
3. To add conditional statements, enter the required details in the Condition Details section.
4. In the Asset Type list, select Business Entity to create conditions for attributes of the protected business entity or attributes of the business entity related to the protected business entity through the business entity record field.
Note: Conditions on attributes of the related business entity in the business entity record field control access to these attributes on the record details page and in the related records component in your business application.
You can create conditions for the following assets and attributes:
- Attributes of the business entity related to the protected business entity through a business entity record field.
- Relationships. Relationships associated with the protected business entity.
- Relationship attributes. Attributes of the relationship associated with the protected business entity.
- Related business entity attributes. Attributes of the business entity related to the protected business entity through relationships.
1. On the Conditions page, select the level to apply the rule in the Rule Applies To: list.
- Record Level. Applies the rule to the entire record data.
- Attribute Level. Applies the rule to attributes or field groups within the record.
2. If you select Attribute Level, select the attributes you want to protect.
3. To add conditional statements, enter the required details in the Condition Details section.
4. In the Asset Type list, select Relationship to create conditions on relationships associated with the protected business entity and the relationship attributes.
5. Select a relationship that's associated with the protected business entity in the Relationship Name field.
The Direction field, which shows the relationship direction, and the Condition list appear.
6. Select one of the following conditions:
- Exist. Allows or denies access to attributes when the relationship exists for the records.
- Does Not Exist. Allows or denies access to attributes when the relationship doesn't exist for the records.
- Value of Relationship Attributes. Enables you to create conditions on values of relationship attributes.
- Value of Related Business Entity Attributes. Enables you to create conditions on values of related business entity attributes.
7. Select an attribute for one of the following conditions:
- Value of Relationship Attributes. The Attribute list displays the list of attributes of the selected relationship. Select the required attribute and specify an operator and a value.
- Value of Related Business Entity Attributes. The Attribute list displays the attributes of the business entity related to the protected business entity through relationships. Select the required attribute and specify an operator and a value.
Note: If you select a picklist attribute, select a value from the list instead of entering a value.
Note: The Exist and Does Not Exist conditions do not require an operator and value.
After you specify all the required details, the condition is listed in the Conditions section.
8. To add another condition, click Add a condition and repeat steps 3 through 6.
9. Click Save.
When you save the data access rule, the rule is saved as a draft after creation.
10. To review and publish draft data access rules, on the Data Access Rules tab, click Publish Drafts.
You must review and publish the existing and draft record-level data access rules in your organization. When you add, update, or delete a data access rule, the rule is saved as a draft after you create or update it. When you update data access rules that are in the draft state, users retain access to records based on the previously set conditions until you publish the drafts.
1. On the Data Access Rules tab, view the existing and draft data access rules.
The following image shows the Data Access Rules tab with draft data access rules:
2. To publish the draft data access rules, click Publish drafts.
The Review and Publish Data Access Rules dialog box appears.
3. In the Review and Publish Data Access Rules dialog box, view the total number of draft data access rules in each business entity.
4. To publish draft data access rules in a business entity, select the required business entity.
Note: If an existing job is in progress or a publish data access rules job that ran earlier failed for a business entity, the business entity appears disabled.
To publish draft data access rules for a business entity that appears disabled, wait until the current job completes or restart the failed publish data access rules job from the My Jobs page.
5. Click Publish.
A publish data access rules job is automatically created to publish draft data access rules for the business entity. After the publish data access rules job completes, users can access records based on the data access rules.
Note: To efficiently use resources, ensure that you review and publish all draft data access rules in a business entity at once.
When you delete a data access rule, Business 360 Console marks the rule for deletion and changes it to the draft state. When you publish the draft, Business 360 Console permanently deletes the data access rule. After deletion, you can't recover the data access rule.
1. Click Security > Data Access Rules.
2. Hover over the required data access rule that you want to delete, and select Delete from the Actions menu.
A confirmation dialog box appears.
3. Click Delete.
When you delete the data access rule, MDM SaaS marks the rule for deletion. You can view the rule marked for deletion as a draft on the Data Access Rules tab.
4. To permanently delete the data access rule, on the Data Access Rules tab, click Publish drafts.
You can publish the draft data access rule to permanently delete it.
You can create and publish up to 50 record-level and 50 attribute-level data access rules for a business entity. The maximum limit includes both published and draft data access rules.
For example, consider that the Person business entity already has 50 record-level and 50 attribute-level data access rules. Out of the 50 record-level data access rules, 30 are published and 20 are in the draft state.
Consider the following rules and guidelines when you create or publish data access rules for the business entity:
- You can't create record-level and attribute-level data access rules because the business entity has exceeded the maximum limit of 50 record-level and 50 attribute-level data access rules.
- You can update the existing published and draft data access rules in the business entity.
- You can publish the 20 draft record-level data access rules for the business entity.
- After you publish the 20 draft record-level data access rules, you can update the existing 50 record-level data access rules and publish them.
If you modify the rule type of an existing record-level data access rule to attribute-level data access rule, the rule moves to the draft state. However, you can't publish the draft data access rules because the business entity exceeds the maximum limit of 50 attribute-level data access rules.
- You can update the existing 50 attribute-level data access rules and publish them.
If an existing business entity has more than 50 record-level and 50 attribute-level rules, you can no longer create data access rules for the business entity.
Additionally, when you import the authorization asset, if the data access rule names in the asset from the source organization match the rule names in the target organization, MDM SaaS ignores the maximum limit and overwrites the existing data access rules in the target organization.
If the asset that you import contains new data access rules, MDM SaaS checks the maximum limit for each business entity in the target organization. If the maximum limit is exceeded, the import of the asset fails.
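The import behavior described above can be modelled as a pre-import check. The following Python sketch is an added example, not Informatica code or an MDM SaaS API. It assumes that you have listed the rules of both organizations as dictionaries; the field names, the matching on rule name alone, and the Organization entity are assumptions made for illustration.

```python
from collections import Counter

LIMIT = 50  # per business entity and per rule level; drafts count as well


def import_violations(target_rules, incoming_rules, limit=LIMIT):
    """Return {(entity, level): projected_count} for each limit the import exceeds.

    An empty dict means the modelled import passes the limit check.
    """
    existing_names = {r["name"] for r in target_rules}
    # Published and draft rules both count toward the limit.
    counts = Counter((r["entity"], r["level"]) for r in target_rules)

    added = Counter()
    for rule in incoming_rules:
        if rule["name"] in existing_names:
            continue  # same name: existing rule is overwritten, limit not checked
        added[(rule["entity"], rule["level"])] += 1

    return {key: counts[key] + n for key, n in added.items()
            if counts[key] + n > limit}


def make_rules(prefix, entity, level, n, state="published"):
    """Build n constructed sample rules (field names are assumptions)."""
    return [{"name": f"{prefix}_{i}", "entity": entity, "level": level,
             "state": state} for i in range(n)]


# Constructed target organization mirroring the Person example above.
TARGET = (make_rules("rec_pub", "Person", "record", 30)
          + make_rules("rec_draft", "Person", "record", 20, "draft")
          + make_rules("attr", "Person", "attribute", 50)
          + make_rules("org_rec", "Organization", "record", 10))

if __name__ == "__main__":
    incoming = (make_rules("rec_pub", "Person", "record", 5)        # overwrites
                + make_rules("new_rec", "Person", "record", 1)       # new, over limit
                + make_rules("new_org", "Organization", "record", 3))  # new, fits
    print(import_violations(TARGET, incoming))
```

In this model, a single new Person record-level rule is enough to fail the import, while any number of same-named rules pass because they replace existing ones.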