Configuring attribute-based access control
If your IBM Master Data Management instance is configured to use attribute-based access control (ABAC), you must configure the specific entitlements for each data element that you want to control. You must also assign which roles are associated with which entitlements.
A user's roles and entitlements determine whether they are entitled to complete actions such as read, update, add, delete, and search for different data types. After you define roles and entitlements, IBM Master Data Management enforces them automatically.
The IBM Master Data Management service uses the principle of least privilege for attribute-based access control:
- When ABAC is enabled, users do not have default access to any master data. Access to data must be explicitly granted, through roles, by creating and assigning entitlements.
- Permissions can only be granted, not denied.
- Users are entitled to work with data if there is at least one entitlement rule granting them access. Entitlements are combined as a union of grants: if a user is assigned two roles, one of which is entitled to view a given piece of data and one of which is not, the user can view that data because at least one of their roles is permitted to view it.
Defining attribute-based access control (ABAC) involves defining:
- Roles
- Entitlements
Required permissions
- To configure access control within IBM Master Data Management, you must have Model Manager-level access. For more information, see Configuring access to data > Assign model manager role access.
Creating and managing roles
Roles are assigned to users and groups, and define user permissions and access levels. When ABAC is enabled, roles are associated with entitlements that control what data users with that role can see and work with. For each role, define the associated entitlements based on job functions.
If token-based access control is also enabled, then roles are also assigned access tokens. For information about working with access tokens, see Configuring token-based access control.
To create and manage roles:
- From the Master data navigation menu, click Access control.
- Go to the Roles tab and review the roles that are defined for this IBM Master Data Management instance. View the entitlements and access tokens that are associated with each role.
- To define a new role, click Create role.
- Provide a name for the role. As you type the name, the role ID is generated automatically. You can edit the role ID if necessary.
- Optionally, provide a description of the role. A clear statement of the purpose of the role makes later entitlement reviews easier.
- Click Create.
- To change the users assigned to a role, locate its row in the roles table, open the Options menu, and select Manage users.
- Review the list of users and select or deselect users as needed. The list is taken from the users who have access to this IBM Master Data Management service instance.
- Click Update.
- To change the groups assigned to a role, locate its row in the roles table, open the Options menu, and select Manage groups.
- Review the list of groups and select or deselect groups as needed. The list is taken from the groups that have access to this IBM Master Data Management service instance.
- Click Update.
- To edit the name or description of an existing role, locate its row in the roles table, open the Options menu, and select Edit.
- To delete an existing role, locate its row in the roles table, open the Options menu, and select Delete. You can only delete roles that have no associated tokens, entitlements, or users.
Creating and managing entitlements
Define entitlements to specify the permissions granted to selected roles. Entitlements are made up of one or more permissions, each of which allows a specific action on a specified data type (records, entities, groups, hierarchies, or relationships). When you activate an entitlement, it takes effect for all users who hold any of the corresponding roles.
When you first create an entitlement, it is inactive by default. You must activate it to apply its configuration to the data.
To manage and define entitlements:
- Go to the Entitlements tab to review any existing entitlements. You can see the roles, data types, and actions that each entitlement applies to. Entitlements can be either active or inactive.
- To define a new entitlement, click Create entitlement.
- Provide a name and description for the entitlement.
- Select the roles that you want to associate with this entitlement.
- Select the action that you want this entitlement to control.
- Select the type of data that this entitlement applies to: Record, Entity, Group, Hierarchy, or Relationship. If you selected an add or delete action in the previous step, then you cannot select Entity at this step.
- Define the specific data type name that the entitlement applies to, such as Person, Organization, or a different subtype that you have defined in your data type definitions. You can also select All to set the entitlement to apply to all data subtypes within the specified type.
- Optionally, select one or more attributes and fields that this entitlement applies to. The list of attributes is gathered from the data type definition of the selected data type. If you do not select any attributes or fields, then the entitlement applies to entire records, entities, groups, hierarchies, or relationships of the specified type.
- Click Create.
- After creating an entitlement, you can activate it by locating its row in the entitlements table, opening the Options menu, and selecting Activate. Follow the same steps to mark an entitlement as Inactive.
- To edit an existing entitlement, locate its row in the entitlements table, open the Options menu, and select Edit.
- To delete an existing entitlement, locate its row in the entitlements table, open the Options menu, and select Delete.