# Data Access Controls
This feature is currently in beta and may be subject to change. Before using it in production, please contact your Socotra representative.
Overview [#overview]
Data access controls prevent users from viewing, creating, and editing entities based on field values for a given entity type. Policies, quotes, and accounts are the only entity types that currently support data access controls. Policies and quotes share the same data access control configuration.
Data access controls prevent users from accessing entities, unlike [data masking](/features/security/data-masking), which prevents users from accessing specific fields within an entity.
By default, data access controls are disabled, but users will still be prevented from accessing entities if they don't possess the necessary [permissions](/features/security/roles-and-permissions).
Policy Fields [#policy-fields]
The following policy fields currently support data access controls:
* `productName`
* `region`
* Extension `data` fields
Account Fields [#account-fields]
The following account fields currently support data access controls:
* Extension `data` fields
Extension `data` fields must be specified at the root level of the extension `data` object.
Enabling Data Access Controls [#enabling-data-access-controls]
Data access controls can be enabled through the object in the tenant [configuration](/configuration/general-topics/deployment).
To enable data access controls, set the `enabled` flag to `true`.
For example:
```json
{
"dataAccessControl": {
"enabled": true
}
}
```
Before setting the `enabled` flag to `true`, [configure data access controls](#configuring-data-access-controls) to avoid unintentionally blocking access for users.
The `policy` and `account` properties can be used to specify which fields associated with policies or accounts will be used to determine whether a user can access a policy or account.
For example:
```json
{
"dataAccessControl": {
"enabled": true,
"policy": {
"fields": ["productName", "region"]
},
"account": {
"fields": ["data.region"]
}
}
}
```
Only field names can be specified here. Field values can be specified when [configuring data access controls](#configuring-data-access-controls).
Extension `data` fields must be of type `string` with a list of pre-defined `options`.
Configuring Data Access Controls [#configuring-data-access-controls]
The API endpoint can be used to configure data access controls for a user in relation to a specific tenant. Only [admins](/features/security/roles-and-permissions#special_roles) can configure data access controls.
The `accessControlFields` property in the can be used to specify permissible field values for a given entity type.
In order for a user to access an entity, the `accessControlFields` property must contain a matching value for all fields listed under the corresponding entity type. If any of the fields don't have a matching value, the user will be prevented from accessing the entity and will receive a `403 Forbidden` response.
For example:
```json
{
"accessControlFields": {
"policy": {
"productName": ["CommercialProperty"],
"region": ["North", "South"]
},
"account": {
"data.region": ["North", "South"]
}
}
}
```
In the example above, the user would be allowed to access a policy where the `productName` field is set to `CommercialProperty` and the `region` field is set to `North`. The user would not be allowed to access a policy where the `productName` field is set to `CommercialProperty` and the `region` field is set to `West`.
Wildcard Values [#wildcard-values]
Specify all possible values for a given field using the following format:
```json
{
"accessControlFields": {
"account": {
"data.region": ["*"]
}
}
}
```
Next Steps [#next-steps]
* [Data Masking](/features/security/data-masking)
See Also [#see-also]
* [Data Access API](/api/configuration-and-development/data-access)
* [Data Masking](/features/security/data-masking)
* [Role-Based Access Controls](/features/security/roles-and-permissions)
## API Reference
DataAccessControlRef
Properties:
enabled (boolean, required)
dataMasking (boolean, required)
account (DataAccessControlFieldRef, required)
policy (DataAccessControlFieldRef, required)
UserDataAccessRequest
Properties:
maskingLevel (Enum none | level1 | level2, required)
accessControlFields (map>, required)