Manage User Roles and Privileges > Managing data access rules > Defining data access rules

Defining data access rules

Before you define a data access rule, ensure that you have set the required privileges for the custom user roles.

After you a define data access rule, if you rename a custom user role in Administrator, the data access rule isn't valid for the user role.

To define a data access rule, perform the following steps:

1Create a data access rule.
2Configure conditions for the rule.

Step 1. Select the asset to protect

You can create a data access rule to protect an asset, its attributes, and the user roles to which you want to apply the rule.

1Click Security > Data Access Rules.

2Click Add Data Access Rule.

The New Data Access Rule page appears.

3Enter a unique name and a description for the data access rule.

For more information about the guidelines to add name and description for data access rules, see Rules and guidelines for adding rule name and description .

4Select an asset to protect. Currently, you can only protect business entities.

5Select one of the following permissions for the selected asset:

- Allow. Allows the user role access to asset data.
- Deny. Denies the user role access to asset data.

6In the Affected User Roles section, click Add User Role, and select the user roles to which you want to apply the data access rule.

The Add User Roles page appears.

7Select the user roles, and click Add.

The selected user roles are added to the Affected User Roles section.

8Click Next.

The Conditions page appears.

Step 2. Configure the rule conditions

Define conditions based on which rules must be applied. You can define conditions based on attributes and field group values that are configured as searchable.

You can configure conditions for the following assets and attributes:

•Business Entity. To configure conditions for business entity attributes, see Configure the rule conditions for business entity attributes.
•Relationship. To configure conditions for relationship, see Configure the rule conditions for relationships.

Note: The more the conditions, the longer it takes to process search requests. If you have performance issues after adding conditions, consider reducing the number of conditions.

Configure the rule conditions for business entity attributes

You can create conditions only for business entity attributes that you configure as searchable.

1On the Conditions page, select the level to which you want to apply the rule in the Rule Applies To: list.

- Record Level. Applies the rule to the entire record data.
- Attribute Level. Applies the rule to attributes or field groups within the record.

2If you select Attribute Level, select the attributes you want to protect.

3To add conditional statements, enter the required details in the Condition Details section.

4In the Asset Type list, select Business Entity to create conditions for attributes of the protected business entity or attributes of the business entity related to the protected business entity through the business entity record field.

Note: The conditions on attributes of related business entity in the business entity record field controls access to these attributes in the record details page and the related records component in your business application.

Effective in the February 2023 release, the option to create conditions for the following assets and attributes is available for preview:

You can create conditions for the following assets and attributes:

- Attributes of the business entity related to the protected business entity through a business entity record field.

For more information about business entity record fields, see Add business entity record fields.

- Relationships. Relationships associated with the protected business entity.
- Relationship attributes. Attributes of the relationship associated with the protected business entity.
- Value of related business entity attributes. Attributes of the business entity related to the protected business entity.

Preview functionality is supported for evaluation purposes but is unwarranted and is not supported in production environments or any environment that you plan to push to production. Informatica intends to include the preview functionality in an upcoming release for production use, but might choose not to in accordance with changing market or technical circumstances. For more information, contact Informatica Global Customer Support.

5Select an attribute, and an applicable operator, and then enter a value. For more information about the supported operators, Operators.

The conditional statement is listed in the Conditions section.

6To add another condition, click Add a condition and repeat the steps 3 to 5.

7Click Save.

When you save the data access rule, the rule is saved as a draft after creation.

8To review and publish draft data access rules, on the Data Access Rules tab, click Publish Drafts.

For more information about reviewing and publishing data access rules, see Reviewing and publishing data access rules.

Configure the rule conditions for relationships

You can configure conditions for relationships, relationship attributes, and related business entity attributes.

Effective in the February 2023 release, the option to create conditions for the following assets and attributes is available for preview:

•Attributes of the business entity related to the protected business entity through a business entity record field.

For more information about business entity record fields, see Add business entity record fields.

•Relationships. Relationships associated with the protected business entity.
•Relationship attributes. Attributes of the relationship associated with the protected business entity.
•Related business entity attributes. Attributes of the business entity related to the protected business entity through relationships.

1On the Conditions page, select the level to apply the rule in the Rule Applies To: list.

- Record Level. Applies the rule to the entire record data.
- Attribute Level. Applies the rule to attributes or field groups within the record.

2If you select Attribute Level, select the attributes you want to protect.

3To add conditional statements, enter the required details in the Condition Details section.

4In the Asset Type list, select Relationship to create conditions on relationships associated with the protected business entity and the relationship attributes.

5Select a relationship that's associated with the protected business entity in the Relationship Name field.

The Direction field that shows the relationship direction and the Condition list appears.

6Select one of the following conditions:

- Exist. Allows or denies access to attributes when the relationship exists for the records.
- Does Not Exist. Allows or denies access to attributes when the relationship doesn't exist for the records.
- Value of Relationship Attributes. Enables you to create conditions on values of relationship attributes.
- Value of Related Business Entity Attributes. Enables you to create conditions on values of related business entity attributes.

7Select an attribute for one of the following conditions:

- Value of Relationship Attributes. The Attribute list displays the list of attributes of the selected relationship. Select the required attribute and specify an operator and a value.
- Value of Related Business Entity Attributes.The Attribute list displays the attributes of the business entity related to the protected business entity through relationships. Select required attribute and specify an operator and a value.

Note: If you select a picklist attribute, select a value from the list instead of entering a value.

Note: The Exist and Does Not Exist conditions do not require an operator and value.

After you specify all the required details, the condition is listed in the Conditions section.

8To add another condition, click Add a condition and repeat steps 3 through 6.

9Click Save.

When you save the data access rule, the rule is saved as a draft after creation.

10To review and publish draft data access rules, on the Data Access Rules tab, click Publish Drafts.

For more information about reviewing and publishing data access rules, see Reviewing and publishing data access rules.

Operators

The list of operators varies based on the type of attribute.

The following table lists the operators that you can use in the conditions within data access rules:

Attribute Type	Operator
Boolean	- equals to - not equal to
Date	- date equals to - date is not equal to - date greater than - date lesser than - date greater than or equal to - date lesser than or equal to - date between
Date and Time	- date equals to - date is not equal to - date greater than - date lesser than - date greater than or equal to - date lesser than or equal to - date between
Decimal	- equals to - not equal to - in - not in - exists - not exists - greater than - lesser than
Double	- equals to - not equal to - in - not in - exists - not exists - greater than - lesser than
Integer	- equals to - not equal to - in - not in - exists - not exists - greater than - lesser than
Text	- equals to - not equal to - starts with - ends with - in - not in - exists - not exists - contains - does not contain
Picklist	- equals to - not equal to - in - not in - exists - not exists

Rules and guidelines for adding rule name and description

Consider the following rules and guidelines when you add the data access rule name and description:

•Rule name can include the following special characters: ! * ~ _ -
•Rule name can't include characters from languages other than English.
•Rule name can't begin with the * character.
•Rule description can include the following special characters: ! * ~ _ - . ,

Editing a data access rule

You can edit a data access rule based on your business needs. Your user role must have the required privileges to edit a data access rule.

1Click Security > Data Access Rules.

2Click the data access rule that you want to edit and click Edit.

3Alternatively, hover over the required data access rule that you want to edit, and select Edit from the Actions menu.

The Data Access Rules Details page appears.

4Make the changes based on your requirements, and select Save.

When you save the data access rule, the rule is saved as a draft after you update it.

5To review and publish draft data access rules, on the Data Access Rules tab, click Publish Drafts.

For more information about reviewing and publishing data access rules, see Reviewing and publishing data access rules.

Reviewing and publishing data access rules

You must review and publish the existing and draft record-level data access rules in your organization. When you add, update, or delete a data access rule, the rule is saved as a draft after you create or update it. When you update or delete data access rule that are in the draft state, users retain access to records based on the previously set conditions until you publish the drafts.

1On the Data Access Rules tab, view the existing and draft data access rules.

The following image shows the Data Access Rules tab with draft data access rules: The Data Access Rules tab displays the draft data access rules.

2To publish the draft data access rules, click Publish drafts.

The Review and Publish Data Access Rules dialog box appears.

3In the Review and Publish Data Access Rules dialog box, view the total number of draft data access rules in each business entity.

4To publish all the data access rules in a business entity, select the required business entity.

You can publish data access rules for one business entity at a time.

5Click Publish.

After the draft data access rules are published, users can access records based on the conditions set.

Deleting a data access rule

When you delete a data access rule, Business 360 Console marks the rule for deletion and changes it to the draft state. When you publish the draft, Business 360 Console permanently deletes the data access rule. After deletion, you can't recover the data access rule.

1Click Security > Data Access Rules.

2Hover over the required data access rule that you want to delete, and select Delete from the Actions menu.

A confirmation dialog box appears.

3Click Delete.

When you delete the data access rule, MDM SaaS marks the rule for deletion. You can view the rule marked for deletion as a draft on the Data Access Rules tab.

4To permanently delete the data access rule, on the Data Access Rules tab, click Publish drafts.

You can publish the draft data access rule to permanently delete it.

For more information about reviewing and publishing the draft data access rules, see Reviewing and publishing data access rules.