Data Access Controls

Overview

Data Access Controls enable restricting the accounts and policies that users can access in the system. The data in the account or policy is compared to a mask that is assigned to each user. If the mask's allowed values include the entity's actual values, the user is granted access; otherwise the request fails with an HTTP 403 / Forbidden response.

By default, data access controls are disabled, so users are not restricted based on data, but they may still be blocked if they do not have the proper roles or permissions for the operation.

Enabling Data Access Controls

Data access controls are enabled and disabled in configuration. The top-level dataAccessControl property’s enabled property should be set to true to enable them:

DataAccessControlRef

  enabled    boolean    required

Important

Before enabling data access controls, assign masks to users to prevent unintentionally blocking access.

Configuring Data Fields

The following fields can be used as part of the decision whether to grant access to entities:

  • The region of the account or policy

  • The product (for policies only)

  • The extension data for the account, or top (product) element on the policy.

Note

For policy extension data, the data on the product element on the latest issued segment is used.

The particular fields for accounts and policies are set with the account and policy properties on the DataAccessControlRef configuration block. Each field is described as one of region, product, or data.<my_field_name>. The particular values that are used for user access aren’t set here; this only describes which fields are used in the process.

Each of the extension data fields used for data access control must be a string type with an accompanying options list.

Assigning User Data Masks

The Add Data Security Mask endpoint is used to assign a mask to a user. Each user can have multiple masks; an individual mask is needed for every tenant, and separate masks are used for policy and account access.

The fields in the mask are a map from mask field names (region, data.my_field, etc.) to arrays of the values that are allowed for that user. Access is granted if, for every field in the mask, the value in the data appears among the values listed. All fields in the mask must match.

A field in a mask can be set to always match with use of the * wildcard. For example, { "customerSegment": ["*"] }.
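The following is an added example, not the platform's own code, that shows how the rules on this page combine: the enabled flag, the configured fields per entity type, one mask per tenant and entity kind, the all-fields-must-match rule, the * wildcard, and the note that policy extension data comes from the product element on the latest issued segment. The dict layouts for configuration, entities and the user mask store, and the names CONFIG, USER_MASKS, resolve_field, mask_allows and check_access, are constructed assumptions for illustration.

```python
"""Added example of evaluating data access masks (constructed; not the
platform's own implementation). Entity, config and mask layouts are assumed."""
from typing import Any, Dict, List, Optional, Tuple

WILDCARD = "*"

# Constructed configuration: the enabled flag plus the fields that take part
# in the decision for each entity kind (region, product, data.<field>).
CONFIG = {
    "dataAccessControl": {
        "enabled": True,
        "account": ["region", "data.customerSegment"],
        "policy": ["region", "product", "data.riskClass"],
    }
}

# Constructed mask store keyed by (tenant, entity kind): each user needs a
# separate mask per tenant, and separate masks for accounts and policies.
USER_MASKS: Dict[str, Dict[Tuple[str, str], Dict[str, List[str]]]] = {
    "alice": {
        ("tenant-a", "account"): {"region": ["EU"], "data.customerSegment": ["*"]},
        ("tenant-a", "policy"): {
            "region": ["EU"],
            "product": ["home"],
            "data.riskClass": ["low", "medium"],
        },
    },
    "bob": {},  # no masks assigned yet
}

# Constructed sample entities.
POLICY = {
    "kind": "policy", "tenant": "tenant-a", "region": "EU", "product": "home",
    "segments": [
        {"issued": True, "startTime": "2024-01-01", "productData": {"riskClass": "low"}},
        {"issued": True, "startTime": "2023-06-01", "productData": {"riskClass": "high"}},
        {"issued": False, "startTime": "2024-09-01", "productData": {"riskClass": "high"}},
    ],
}
ACCOUNT_EU = {
    "kind": "account", "tenant": "tenant-a", "region": "EU",
    "data": {"customerSegment": "smb"},
}


def resolve_field(entity: Dict[str, Any], field: str) -> Optional[str]:
    """Read a configured field from an entity.

    For policies, data.<name> is read from the product element of the latest
    *issued* segment; unissued segments are ignored, as the page's note says.
    """
    if field in ("region", "product"):
        return entity.get(field)
    if field.startswith("data."):
        name = field[len("data."):]
        if entity["kind"] == "policy":
            issued = [s for s in entity.get("segments", []) if s.get("issued")]
            if not issued:
                return None
            latest = max(issued, key=lambda s: s["startTime"])
            return latest.get("productData", {}).get(name)
        return entity.get("data", {}).get(name)
    raise ValueError(f"unsupported mask field {field!r}")


def mask_allows(mask: Dict[str, List[str]], entity: Dict[str, Any]) -> bool:
    """True only if every field in the mask matches (or is the * wildcard)."""
    for field, allowed in mask.items():
        if WILDCARD in allowed:
            continue  # wildcard: this field always matches, even if absent
        value = resolve_field(entity, field)
        if value is None or value not in allowed:
            return False
    return True


def check_access(user: str, entity: Dict[str, Any], config: Dict[str, Any] = CONFIG) -> int:
    """Return the HTTP status the request would receive: 200 (allowed) or 403."""
    dac = config.get("dataAccessControl", {})
    if not dac.get("enabled", False):
        return 200  # controls disabled: no data-based restriction at all
    mask = USER_MASKS.get(user, {}).get((entity["tenant"], entity["kind"]))
    if mask is None:
        return 403  # enabled but no mask for this tenant/kind: everything is blocked
    # Assumption: a mask may only name fields configured for that entity kind.
    unknown = set(mask) - set(dac.get(entity["kind"], []))
    if unknown:
        raise ValueError(f"mask names unconfigured fields: {sorted(unknown)}")
    return 200 if mask_allows(mask, entity) else 403


if __name__ == "__main__":
    print(check_access("alice", POLICY), check_access("bob", POLICY))  # 200 403
```

The bob case is the situation the Important note warns about: with controls enabled and no mask assigned, every account and policy request for that user returns 403, so masks should be assigned before flipping enabled to true. The POLICY sample also shows why the segment rule matters: its most recent segment carries riskClass "high", but it is unissued, so the check reads "low" from the latest issued segment and alice is allowed.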

See Also