Planning your security model

Applies to: All deployment types

Plan your security model. Learn about role-based security and security rules and design your security model with both security and performance in mind.

Follow these general guidelines:
  • Use role-based security to meet as many of your access control requirements as you can.

    The processing overhead for security rules is significantly higher than that of role-based security. Use role-based security as much as possible.

  • Use security rules to handle exceptions to role-based security.

RESTRICT rules and performance

Security rules can impact performance. When you design security rules, consider how each rule gets processed.

A RESTRICT rule combines role template security and the security rule. A RESTRICT rule is applied after role-based security to further restrict access to an object. The role-based security controls first eliminate a significant amount of data, so the more expensive security rule processes only the remaining, smaller subset of the overall data.

EXTEND rules and performance

Applies to: On premises, On Cloud, Cloud Pak for Data

In contrast to RESTRICT rules, an EXTEND rule checks if a user has access through role-based security or by satisfying the security rule. This means that the EXTEND rule must be applied to each and every record to determine whether the user has access or not.

Sometimes, however, an EXTEND rule might be more efficient than a RESTRICT rule. For example, you might face a situation where you have two options:

  1. Create a simple EXTEND rule that checks a field on the object that a user is accessing.
  2. Significantly loosen the role-based security access controls, and then put RESTRICT rules in place that do hierarchy walks to check fields on other objects.

In this case, the RESTRICT rules are more expensive in terms of processing than the simple EXTEND rule.

Consider the relative costs of the available strategies. Any security solution must be considered in a holistic manner, and you must carefully evaluate what you are asking the system to do as part of the overall security model.
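The comparison above can be made concrete with a simplified cost model. This is an added example, not product code: the `Record` type, the folder-based stand-in for role-based security, both rule functions, and the sample data are all constructed assumptions.

```python
# Simplified cost model of RESTRICT vs EXTEND (illustrative assumption, not product code).
from dataclasses import dataclass

@dataclass
class Record:
    rec_id: int
    folder: str                      # role-based access modelled as a folder grant
    owner: str                       # field on the record itself
    parent: "Record | None" = None   # link followed by the hierarchy-walk rule

def owner_rule(rec, user):
    """Simple rule: one field check on the object being accessed."""
    return rec.owner == user, 1

def ancestor_owner_rule(rec, user):
    """Costly rule: walk the hierarchy and check a field on other objects."""
    reads, node = 0, rec.parent
    while node is not None:
        reads += 1
        if node.owner == user:
            return True, reads
        node = node.parent
    return False, reads

def evaluate(records, user, role_folders, rule, mode):
    """Return (visible ids, rule evaluations, objects read by the rule)."""
    assert mode in ("RESTRICT", "EXTEND"), mode
    visible, evals, reads = [], 0, 0
    for rec in records:
        role_ok = rec.folder in role_folders
        if mode == "RESTRICT" and not role_ok:
            continue  # removed by role-based security; the rule never runs
        allowed, cost = rule(rec, user)  # EXTEND reaches this line for every record
        evals, reads = evals + 1, reads + cost
        if allowed or (mode == "EXTEND" and role_ok):
            visible.append(rec.rec_id)
    return visible, evals, reads

def build_records(n=1000):
    """Constructed data: 10 folders, 7 owners, a 3-level ancestor chain per folder."""
    tops = [Record(-1, "/", f"user{b % 7}") for b in range(10)]
    lows = [Record(-3, "/", "nobody", Record(-2, "/", "nobody", t)) for t in tops]
    return [Record(i, f"/BU{i % 10}", f"user{i % 7}", lows[i % 10]) for i in range(n)]

if __name__ == "__main__":
    recs, loose = build_records(), {f"/BU{b}" for b in range(5)}
    print("RESTRICT, simple rule:", evaluate(recs, "user2", {"/BU3"}, owner_rule, "RESTRICT")[1:])
    print("EXTEND, simple rule:  ", evaluate(recs, "user2", {"/BU3"}, owner_rule, "EXTEND")[1:])
    print("RESTRICT, loose+walk: ", evaluate(recs, "user2", loose, ancestor_owner_rule, "RESTRICT")[1:])
```

On this constructed data, the loosened role with a hierarchy-walk RESTRICT rule reads 1,500 objects against 1,000 for the simple EXTEND rule, even though it evaluates the rule half as often.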

Read access rules and performance

For performance, the most critical access control for security rules is Read because a Read rule impacts everything that happens in the system (navigation, reporting, and more). The security model for Read access should be as low cost and simple as possible.

Rules for Update, Delete, and Associate have less impact than Read, but they still matter, especially in areas such as FastMap performance.

Analysis and testing

Use Show rule analysis under Administration menu > Users and Security > Security Rules to analyze your security rules. Review the metrics to gain insights into the potential performance impact of the security rules.

Test your security rules in a non-production environment. Use realistic data to evaluate the impact of the security rules on performance.
