# Data Access Controls



<Callout type="warn">
  This guide has been deprecated. For information about current data security capabilities, see the [Data Access Controls](/features/security/data-access-controls), [Data Masking](/features/security/data-masking), and [Data Anonymization](/features/security/data-anonymization) guides in the [Security Topic](/features/security/security-overview).
</Callout>

## Overview [#overview]

*Data Access Controls* restrict which accounts and policies a user can access in the system. The data in the account or policy is compared to a mask that is assigned to each user. If the mask allows the values found in the data, the user is granted access; otherwise the request fails with an `HTTP 403 / Forbidden` response.

By default, data access controls are disabled, so users are not restricted based on data. They may still be blocked if they do not have the proper [roles or permissions](/features/security/roles-and-permissions) for the operation.

## Enabling Data Access Controls [#enabling-data-access-controls]

Data access controls are enabled and disabled in configuration. To enable them, set the `enabled` property of the top-level `dataAccessControl` property to `true`:

<ApiSchema name="DataAccessControlRef" />

<Callout type="warn">
  Before enabling data access controls, assign masks to users to prevent unintentionally blocking access.
</Callout>

## Configuring Data Fields [#configuring-data-fields]

The following fields can be used as part of the decision whether to grant access to entities:

* The `region` of the account or policy
* The `product` (for policies only)
* The extension data for the account, or top (product) element on the policy.

<Callout>
  For policy extension data, the data on the product element on the latest issued segment is used.
</Callout>

The particular fields for accounts and policies are set with the `account` and `policy` properties on the <ApiLink name="DataAccessControlRef" /> configuration block. Each field is described as one of `region`, `product`, or `data.<my_field_name>`. The particular values that are used for user access aren't set here; this only describes which fields are used in the process.

Each of the [extension data fields](/configuration/data-extensions/overview) used for data access control must be a `string` type with an accompanying `options` list.

## Assigning User Data Masks [#assigning-user-data-masks]

The <ApiLink name="addDataSecurityMask" /> endpoint is used to assign a mask to a user. Each user can have multiple masks; an individual mask is needed for every tenant, and separate masks are used for policy and account access.

The `fields` in the mask are a map from mask field names (`region`, `data.my_field`, etc) to arrays of the values that are allowed for that user. Access is granted if, for *every* field in the mask, the value in the data appears among the values listed. All fields in the mask must match.

A field in a mask can be set to always match by using the `*` wildcard, for example `{ "customerSegment": ["*"] }`.
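
The matching rule above, together with a pre-enablement audit for users who have no mask, as an added Python example that is not the platform's own code. The `(user, tenant, type)` keying, the entity dictionary shape, the `data.branch` field, and the handling of missing values and missing masks are assumptions made for illustration.

```python
# Added illustration of the mask-matching rule; not the platform's implementation.
WILDCARD = "*"

def field_value(entity, field):
    """Resolve 'region', 'product' or 'data.<name>' against an entity dict."""
    if field.startswith("data."):
        return entity.get("data", {}).get(field[len("data."):])
    return entity.get(field)

def mask_allows(mask_fields, entity):
    """True only if EVERY field in the mask matches the entity's value."""
    for field, allowed in mask_fields.items():
        if WILDCARD in allowed:
            continue  # wildcard: this field always matches
        value = field_value(entity, field)
        # Assumption: a value missing from the entity does not match.
        if value is None or value not in allowed:
            return False
    return True

def check_access(masks, user, tenant, entity_type, entity):
    """Return 200 or 403 for one user and entity.
    Assumption: a user with no mask for this tenant and type is denied."""
    key = (user, tenant, entity_type)
    if key not in masks:
        return 403
    return 200 if mask_allows(masks[key], entity) else 403

def users_without_mask(users, masks, tenant, entity_types=("account", "policy")):
    """Audit to run before enabling: (user, type) pairs that lack a mask."""
    return [(u, t) for u in users for t in entity_types
            if (u, tenant, t) not in masks]

# Constructed sample data (hypothetical users, tenant and field values).
MASKS = {
    ("alice", "tenant-a", "policy"): {"region": ["east", "west"],
                                      "data.branch": ["*"]},
    ("alice", "tenant-a", "account"): {"region": ["east"]},
    ("bob", "tenant-a", "policy"): {"region": ["east"], "product": ["auto"]},
}
POLICY = {"region": "west", "product": "auto", "data": {"branch": "retail"}}

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, check_access(MASKS, user, "tenant-a", "policy", POLICY))
    print("missing masks:", users_without_mask(["alice", "bob"], MASKS, "tenant-a"))
```
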

## See Also [#see-also]

* [Data Access Controls API Guide](/api/configuration-and-development/data-access-controls)


## API Reference

DataAccessControlRef
Properties:
  enabled (boolean, required)
  dataMasking (boolean, required)
  account (DataAccessControlFieldRef, required)
  policy (DataAccessControlFieldRef, required)