Segmentation
Segmentation is the capability to restrict information access to a limited set of users based on their location, business area, and function within an organization. Create and use segments to control access to content that might be sensitive or that must have limited access because of regulatory needs. Create segments based on your organization's requirements, such as geography, business area, business function, and legal entity.
In an organization, you can make information available to users for simplicity, security, or regulatory reasons. Some Axon objects are made available to everyone, while some objects are restricted based on the work profile or location of an individual user. For example, a bank in Singapore with offices in Malaysia wants a common platform for data governance, but the regulations might not allow the information from Singapore to be shared with employees in Malaysia. Similarly, two business areas might want to maintain their own content without sharing it with others for security reasons.
You can restrict access to sensitive information based on rules and regulations. You can update access control capabilities to allow information access based on the role type, profile, and organization structure. You can restrict data access for some of the following reasons:
- To prevent access to sensitive information.
- To ensure compliance with country-specific regulations.
- To provide a way of driving multitenancy.
The following image describes different segments and users that are part of the segments:
You can assign an object to the Enterprise segment or a specific restricted segment that you create. An Enterprise segment is a public segment that all users can access. In the example, you can see that the operating entities are defined as segments. Each segment has assigned users and contains Axon objects. Though the operating entity governance users belong to different segments, they can access the Enterprise segment.
You can create multiple segments as per your requirements. You can assign a user to a single or multiple segments. You can associate an object to a segment. The object and its related or dependent objects must be part of the same segment. Only the users with access to a segment can view the objects that belong to the segment.
A SuperAdmin user can create a segment and assign a Segment Admin user to the segment. You can assign only Admin users as a Segment Admin. Segment Admin users are responsible for managing access to segments. A segment can have one or more Segment Admin users.
A SuperAdmin or Segment Admin user can associate users to the segments in the following ways:
- Assign individual users to a segment.
- Assign an org unit to a segment. All members of the org unit can access the segment.
- Assign users to a segment via Single Sign-on (SSO).
Segmentation Example
Consider a car manufacturing company that has several subsidiaries, such as Car ABC, Car PQR, and Car XYZ. Each unit manages its own finance data. To restrict information access, you can create a segment for each car subsidiary.
The following image shows an example of different segments for a car company:
All users of each segment can access the Enterprise segment. Assign Segment Admin users and other users for each segment.
The following image shows a segment that is associated with different users and objects:
In the example, a SuperAdmin user creates a segment for the subsidiary Car ABC and adds Segment Admin users. You can add an org unit and individual users to the segment. Create glossaries for the Car ABC subsidiary and add the glossaries to the Car ABC segment. When you access the ABC - Series A1 and ABC - Series A5 glossaries from the Unison search, you can see that the glossaries belong to the Car ABC segment.
Create a Segment
Create and manage segments from the Admin Panel. A SuperAdmin user assigns Segment Admin users to a segment.
1. From the Axon toolbar, click your user name and click Admin Panel.
2. From the navigation pane, click Meta-Model Administration > Segments.
You can view a list of the existing segments.
3. To create a segment, click Create.
The Summary tab appears.
4. In the Definition section, enter a name and description for the segment.
5. In the Segment Admin Users section, click Assigned Manually to assign a Segment Admin user to the segment.
The page displays the list of Segment Admin users that are manually assigned.
6. Click Add to add a Segment Admin user.
You must assign at least one Segment Admin user to a segment. The Segment Admin user that you add must be a user with an Admin profile.
7. Configure the following properties to assign users to the segment manually:
Property | Description |
---|---|
Name | Name of the Axon user. |
Org Unit | Organizational unit name of the Axon user. |
Profile | User profile that Axon assigns to all the users. |
Function | Function of the Axon user in the organization. |
8. You can click the name and org unit to modify existing segment users.
9. In the Segment Admin Users section, click Assigned via SSO to assign a Segment Admin user to the segment through SSO.
The page displays the list of the SSO properties assigned to the segment for Segment Admin users.
10. Click Add to configure the SSO properties to assign users to the segment.
11. Configure the following SSO properties:
Property | Description |
---|---|
Property | SSO properties to retrieve users according to values you specify. For example, email. To retrieve users that match the email address that you specify, enter email. |
Value | Value associated with the property. For example, enter John@yourorganization.com to assign the user with the email address "John@yourorganization.com". |
12. You can click the assigned SSO property to modify the configured property and value.
13. Click Save and Close.
You can view the segment that you created.
Assign Users to a Segment
The SuperAdmin or Segment Admin user can assign Axon users to a segment.
Before you assign Axon users to a segment from an LDAP server or Single Sign-On (SSO) identity provider, you must configure Axon to retrieve users from an LDAP directory or SSO identity provider.
To configure Axon to access the LDAP directory, refer to Retrieve Users from LDAP Directory to Axon. To configure Axon to use SSO to authenticate users based on the Identity Provider (IDP) credentials, refer to Configure Single Sign-On.
1. From the Axon toolbar, click your user name and click Admin Panel.
2. From the navigation pane, click Meta-Model Administration > Segments.
The page displays the existing segments configured in your Axon instance.
3. Click the segment in which you want to add users.
The Summary tab appears.
4. Click the Assigned Users tab.
5. To assign users based on organizational units, go to the Assigned by Org Units sub-tab.
- a. Click Add to add organizational units to the segment.
The Select Org Units dialog box appears.
- b. Select an organizational unit from the list, and click Select.
All the users in the selected org unit are part of the segment.
6. To assign users individually, go to the Assigned Manually sub-tab.
- a. Click Add to add a new user.
The Add Manually dialog box appears.
- b. Enter the name of the user.
- c. Select an org unit from the list.
- d. Select a profile from the list.
- e. Enter the function of the user.
- f. Click Add.
7. To assign users from the Single Sign-On (SSO) identity provider, go to the Assigned via SSO sub-tab.
- a. To assign users from the SSO identity provider, click Add.
The Add SSO Property dialog box appears.
- b. In the Property field, select the SSO property for which you want to retrieve users from the identity provider.
- c. In the Value field, add the value of the SSO property for which you want Axon to retrieve SSO users.
You can also specify a regular expression as the value of the SSO property. The supported regular expression characters are ? and *.
- d. Click Add.
The SSO property is configured. Axon retrieves SSO users based on the configuration.
- e. To modify the assigned SSO property, click the SSO property.
The Edit SSO Property dialog box appears.
- f. You can change the property and value associated with the selected SSO property.
- g. Click Save.
8. Click Save and Close.
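A value that uses ? or * in step 7c can admit more identity-provider users than intended, so it helps to preview what a value matches before saving it. The following is an added example, not Informatica code: it assumes ? matches exactly one character and * matches any run of characters (this page does not spell out the semantics), and it runs over a constructed user list.

```python
import re

# Constructed sample of identity-provider attributes (not real users).
DIRECTORY = [
    {"name": "asha", "email": "asha@car-abc.example"},
    {"name": "ben", "email": "Ben@car-abc.example"},
    {"name": "chen", "email": "chen@car-abcd.example"},  # look-alike domain
    {"name": "dara", "email": "dara@car-pqr.example"},
]

def to_regex(value):
    # Assumed semantics: ? = exactly one character, * = any run (may be empty).
    # Every other character is literal, so '.' in an address is not a wildcard.
    body = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in value
    )
    # Case-insensitive on purpose: an access review should over-estimate matches.
    return re.compile(body, re.IGNORECASE | re.DOTALL)

def matched_users(prop, value, directory):
    """Names of users whose SSO property fully matches the wildcard value."""
    rx = to_regex(value)
    return sorted(u["name"] for u in directory if prop in u and rx.fullmatch(u[prop]))

def review(rules, intended, directory):
    """Return {(segment, prop, value): users matched but not intended}."""
    findings = {}
    for segment, prop, value in rules:
        allowed = intended.get(segment, set())
        extra = [n for n in matched_users(prop, value, directory) if n not in allowed]
        if extra:
            findings[(segment, prop, value)] = extra
    return findings

# Constructed rules: segment name, SSO property, value as entered in step 7c.
RULES = [
    ("Car ABC", "email", "*@car-abc*"),        # trailing * is too loose
    ("Car PQR", "email", "*@car-pqr.example"),
]
INTENDED = {"Car ABC": {"asha", "ben"}, "Car PQR": {"dara"}}

if __name__ == "__main__":
    for rule, extra in review(RULES, INTENDED, DIRECTORY).items():
        print(rule, "also admits", extra)
```

Anchoring the value on the full domain (`*@car-abc.example`) removes the unintended match in this sample.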
Delete a Segment
When you delete a segment, you need to move all the objects from the segment to the Enterprise segment or another segment. You need to be a SuperAdmin user to delete a segment.
1. From the Axon toolbar, click your user name and click Admin Panel.
2. From the navigation pane, click Meta-Model Administration > Segments.
You can view a list of existing segments.
3. Click the segment that you want to delete.
4. Click Delete.
The Delete Segment dialog box appears.
5. Choose one of the following options:
- Move all objects from this segment to the default Enterprise segment that all users can access.
- Move all objects from this segment to another segment. Select the target segment to which you want to move the objects. Ensure that stakeholders of all the objects from the segment that you want to delete have access to the target segment.
6. Click OK.
The segment is deleted after the objects are moved to an existing target segment.
Configure Default Segments
You can configure a default segment for a user who logs in to Axon.
1. From the Axon toolbar, click your user name and click Admin Panel.
2. From the navigation pane, click Customize & Configure > System Settings.
3. In the Group list, select Default Segment.
4. Click Edit.
5. Choose the following options:
Option | Description |
---|---|
Enterprise Segment | Enable to set Enterprise Segment as the default segment for a user to view Axon content. |
Assigned Segments | Enable to set Assigned Segments as the default segment for a user to view Axon content. |
Note: If you choose either the Enterprise or assigned segment as the default segment for a user, the segments list on the Unison search page shows the default segment when the user logs in to Axon for the first time. If the user updates the segments selection list, the default segment that you configured does not persist when the user logs in again.
6. Click Save.
7. In the Linux environment, run the following command to clear the Axon cache and restart the necessary services:
sh <INSTALLATION_DIR>/axonhome/third-party-app/scripts/paramsync
When you run the paramsync script, Axon restarts the HTTPD, Memcached, and email notification services.
Note: When you clear the cache and restart the Axon services, the Axon web interface might be disrupted for some users that are logged into Axon. Informatica recommends that you update the cache after you save your changes in all the System Settings pages. Additionally, perform this action during a maintenance period when very few users use Axon.
Disable or Re-enable Segmentation
After you install or upgrade Axon, segmentation is automatically enabled, and you can restrict Axon objects by various segments. To make all Axon objects available to all Axon users, disable segmentation.
You must have the Super Admin profile to perform this task.
If you want to disable segmentation after the segments are created, delete all segments, and then disable segmentation.
1. To disable segmentation, go to the <INSTALLATION_DIR>/bin directory in the Linux environment, and run the following command:
disable_authorization.sh
2. To enable segmentation again, go to the <INSTALLATION_DIR>/bin directory in the Linux environment, and run the following command:
enable_authorization.sh