IBM Support

Setting up security in MDM CE

Technical Blog Post



I have spent the last 3 years playing with MDM CE and trying to figure out how to make this powerful product easy to use and understand. And I've finally gotten around to how one can set up an easy-to-use security framework that can actually simplify the application for users. And after much talk with Anup Gandhi, our Chief Engineer, and Bryce Crapse, who is part of IBM's MDM Services organization, we have come up with an approach that frankly makes this fairly easy... or at least you will let me know if you find it so.

  1. Create a role called "ACG Creation", which is used only for creating the Attribute Control Groups (ACGs) described below. Do this from the Admin UI, which is what we are calling the UI that is used in version 11.6 to maintain the system and is the only UI in earlier versions, by navigating to:
    • Data Model
    • Security
    • Role
  2. The starting point is to set up one ACG for each object and to name each of them clearly. I recommend naming the ACGs with the pattern [Object Name] [Object Type]. So the catalog with the name of "Products" would have an associated ACG called "Product Catalog ACG". Navigate to:
    • Data Model
    • Security
    • Attribute Control Groups
    • Attribute Control Group Console
  3. Assign each ACG to the ACG Creation role, and select only the option that matches the object's type and nothing else:
    • Catalog List, if the object is of type Catalog
    • Hierarchy List, if the object is of type Hierarchy
    • Collaboration List, if the object is of type Collaboration Area
  4. Assign the related object to the ACG under:
    • Data Model
    • Security
    • Attribute Control Groups
    • Object to Attribute Control Group Mapping
  5. Create each role and select the ACGs related to the objects that role should have access to, then select the additional access privileges if the related object is a Catalog or Hierarchy. The related privileges for Collaboration Areas are defined by the workflow and workflow steps. In addition, in order for the person to be able to select from associated lookup tables, settings in the default ACG will also need to be set as follows:
    • Select Catalog List & View
    • Select List View
  6. As part of Version 11.6, we introduced a Business User Experience that leverages these same ACGs, Roles, and Users to control object access and introduced a JSON to simplify access to various buttons on the screen. I'll create a separate blog on this, but suffice it to say that the JSON links a Role in CE with the screen layout in the Business UX.
  7. Create your Users and assign them the appropriate roles, including one or more of the roles related to the Business UX, and all should be well with the world.

Note that this format has the embedded concept of not including the object type in the object name. Since object names are currently what gets displayed to users, I am not currently aware of why a business user needs to know the difference between a catalog, hierarchy, item or category... but this is for another blog.

Let me know what you think and please add your other ideas on how to simplify. And please use the forums here to ask me questions. I will do my best to get you answers.

Regards,

Andy Ousterhout

Senior Offering Manager

IBM Master Data Management Collaborative Edition
