Configuring token-based access control
If your IBM Master Data Management instance is configured to use token-based access control (TBAC), you must add tokens to the specific data objects that you want to control, and also add the same token to the users or groups who are entitled to access that data.
Defining token-based access control (TBAC) involves defining:
- Roles
- Access tokens
To achieve token-based access control, you must:
- Create access tokens
- Assign access tokens to data (records, entities, groups, hierarchies, or relationships)
- Assign access tokens to user roles
Users can only see data if a token associated with their role matches the token associated with that data. When a user does not have the appropriate role to see data, the data is hidden. Any searches the user runs will not return those unauthorized records.
There are two types of tokens:
- Global - Users who have global tokens have no limits on their access to the specified data.
- Row level - Users who have row level tokens cannot access data that has a different token defined in its access_token property. They can only access data that either has (a) the same token defined or (b) no token defined.
Access tokens can be associated with your master data at the record, entity, group, hierarchy, or relationship level. Each data element in IBM Master Data Management includes an access_token property that is empty by default. Users who have row level access tokens cannot access data that has a different token defined in its access_token property. They can only access data that either has (a) the same token defined or (b) no token defined.
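The visibility rule above, modelled as an added example (this is not IBM Master Data Management code). The names Token, Role, can_access and visible_records, the record layout, and the reading of a global token as matching every record are assumptions made for the illustration; the sample records are constructed.

```python
# Added example, not IBM Master Data Management code: a small model of the
# TBAC visibility rule. Token/Role names, the record layout and the "global
# matches everything" reading are assumptions made for this illustration.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Token:
    token_id: str
    token_type: str          # "global" or "row", as on the Access tokens tab


@dataclass(frozen=True)
class Role:
    role_id: str
    tokens: frozenset        # Tokens assigned to the role via Manage tokens


def can_access(role: Role, access_token: Optional[str]) -> bool:
    """Decide whether a user holding `role` may see a record whose
    access_token property is `access_token` (None when the property is empty).

    Assumed model: a global token places no limit on the data, so it matches
    any record; a row level token matches only a record that carries the same
    token or no token at all.
    """
    if any(t.token_type == "global" for t in role.tokens):
        return True
    if access_token is None:
        return True            # untagged data is visible to row level users
    return any(t.token_type == "row" and t.token_id == access_token
               for t in role.tokens)


def visible_records(role: Role, records: Iterable[dict]) -> list:
    """Filter a search result so unauthorized records are hidden;
    each record is a dict carrying its access_token property."""
    return [r for r in records if can_access(role, r.get("access_token"))]


# Constructed sample data for the demonstration.
EU_ROW = Token("eu_customers", "row")
ALL_DATA = Token("all_data", "global")
SAMPLE_RECORDS = [
    {"record_id": "r1", "access_token": "eu_customers"},
    {"record_id": "r2", "access_token": "us_customers"},
    {"record_id": "r3", "access_token": None},   # empty access_token property
]

if __name__ == "__main__":
    analyst = Role("eu_analyst", frozenset({EU_ROW}))
    steward = Role("global_steward", frozenset({ALL_DATA}))
    print([r["record_id"] for r in visible_records(analyst, SAMPLE_RECORDS)])  # ['r1', 'r3']
    print([r["record_id"] for r in visible_records(steward, SAMPLE_RECORDS)])  # ['r1', 'r2', 'r3']
```

The row level role never sees r2, which carries a different token, while the global role sees every record.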
- Required permissions: To configure access control within IBM Master Data Management, you must have Model Manager level access. For more information, see Configuring access to data > Assign model manager role access.
Creating and managing access tokens
When token-based access control is enabled in the system, access tokens define how the system authorizes users to access data.
Remember, there are two types of tokens:
- Global - Users who have global tokens have no limits on their access to the specified data.
- Row level - Users who have row level tokens cannot access data that has a different token defined in its access_token property. They can only access data that either has (a) the same token defined or (b) no token defined.
To create and manage access tokens:
- Go to the Access tokens tab to review the existing access tokens and their associated roles.
- To define a new access token, click Create access token.
  - Provide a name for the token. As you type the name, the token ID will be automatically generated. You can edit the token ID if necessary.
  - Optionally, provide a description of the token. It is a good idea to provide a clear description of the purpose of this token.
  - Select the type of token that you are creating: global or row level.
  - Click Create.
- To edit an existing token, locate its row in the access tokens table, open the Options menu, and select Edit.
- To delete an existing token, locate its row in the access tokens table, open the Options menu, and select Delete. You cannot delete tokens that are already assigned to one or more roles.
Assigning access tokens to new data assets
If token-based access control is enabled in your system, you can assign an access token to new data assets as you load them into the system. When you load a new data asset into IBM Master Data Management, you can assign a token at the same time that you define the data type for the asset.
- From the Master data navigation menu, click the Assets icon.
- Select the asset in the Asset list panel and then click Set asset content.
- In the dialog that opens, select the correct data type for this asset. If you cannot find an appropriate data type in the list, then you might have to customize your data type definitions. For more information, see Customizing your data types.
- If token-based access control is enabled for this IBM Master Data Management deployment, select a token to assign to the data contained in this asset. If you cannot find an appropriate token in the list, then you might have to create a new access token. For details, see Managing data tokens.
- Click Save.
For more information, see Adding data and mapping it to your data types.
Creating and managing roles
Roles are assigned to users and groups, and define user permissions and access levels. When TBAC is enabled, roles are associated with access tokens that control what data users with that role can see and work with. For each role, define the associated access tokens based on job functions.
If attribute-based access control is also enabled, then roles are also assigned entitlements. For information about working with entitlements, see Configuring attribute-based access control.
To create and manage roles:
- From the Master data navigation menu, click Access control.
- Go to the Roles tab and review the roles that are defined for this IBM Master Data Management instance. View the access tokens and entitlements that are associated with each role.
- To define a new role, click Create role.
  - Provide a name for the role. As you type the name, the role ID will be automatically generated. You can edit the role ID if necessary.
  - Optionally, provide a description of the role. It is a good idea to provide a clear description of the purpose of this role.
  - Click Create.
- To change the users assigned to a role, locate its row in the roles table, open the Options menu, and select Manage users.
  - Review the list of users and select or deselect users as needed. The list is taken from the list of users who have access to this IBM Master Data Management service instance.
  - Click Update.
- To change the groups assigned to a role, locate its row in the roles table, open the Options menu, and select Manage groups.
  - Review the list of groups and select or deselect groups as needed. The list is taken from the list of groups that have access to this IBM Master Data Management service instance.
  - Click Update.
- To change the access tokens assigned to a role, locate its row in the roles table, open the Options menu, and select Manage tokens.
  - Review the list of access tokens and select or deselect tokens as needed.
  - Click Update.
- To edit the name or description of an existing role, locate its row in the roles table, open the Options menu, and select Edit.
- To delete an existing role, locate its row in the roles table, open the Options menu, and select Delete. You can only delete roles that have no associated tokens, entitlements, or users.