Configuring access to data in IBM Master Data Management
Configure how your IBM Master Data Management instance controls access to certain data. Access control ensures that only authorized users can access sensitive or confidential information, such as personally identifiable information (PII).
IBM Master Data Management supports two types of access control:
- Attribute-based access control (ABAC) - Attribute-based access control evaluates user access to data at the attribute or field level. The purpose of ABAC is to protect specific data characteristics, across all data, from unauthorized users. If you define an attribute as requiring special access, ABAC controls access to all instances of that attribute across your data.
- Token-based access control (TBAC) - Token-based access control evaluates access in a more fine-grained way by using specially defined tokens. Access tokens define specific user access at the row level for each record. Assign tokens to users or groups to allow them access to certain data elements. To see data that is protected by TBAC, a user's token must match the token that is embedded in the specific data element.
Regardless of the access control style you choose, you can associate IBM Master Data Management user roles with specific access entitlements. These entitlements define the data that a user or group can access, based on the role they are assigned.
Required permissions: To configure access control for master data, you must have Model Manager level access for the IBM Master Data Management service.
For information about how to assign Model Manager access to a user or group, see Assigning model manager role access.
Configuring the access control method that IBM Master Data Management uses
When you initially set up your IBM Master Data Management service instance, you can choose whether to support attribute-based or token-based access control. You can enable either access control method, or both. For more information about setting up your IBM Master Data Management instance, see Creating a master data configuration asset for IBM Master Data Management.
After initial setup, you can change the form of access control that your master data instance uses from the service's Instance settings page. However, this is a highly disruptive change and can expose protected data to unauthorized users. Be extremely cautious about changing the access control method if you have already been using the other method.
To change the type of access control that your service uses:
- From the Master data navigation menu, click Instance settings.
- Under Access control, choose the access control method that you want to use for this master data instance.
Use ABAC when:
- You need to protect specific attributes across all records
- Access rules apply uniformly to data types
- You want simpler administration
Use TBAC when:
- You need row-level access control
- Different users need access to different records
- You require fine-grained permissions
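The difference between the two methods, and why switching from one to the other can expose protected data, shown as an added conceptual sketch (not IBM Master Data Management code or its API). The attribute names, token values, and evaluation logic are assumptions made for illustration, and the sample records are constructed.

```python
# Conceptual model only. Attribute names, token values and the evaluation
# logic are assumptions for illustration, not IBM Master Data Management code.
from dataclasses import dataclass

PROTECTED_ATTRIBUTES = {"ssn", "birth_date"}  # attributes flagged for ABAC

RECORDS = [  # constructed sample data; "_token" is the token embedded in a record
    {"id": 1, "name": "A. Jones", "ssn": "000-00-0001", "birth_date": "1980-01-01", "_token": "region-eu"},
    {"id": 2, "name": "B. Smith", "ssn": "000-00-0002", "birth_date": "1975-06-30", "_token": "region-us"},
    {"id": 3, "name": "C. Wong", "ssn": "000-00-0003", "birth_date": "1990-12-12", "_token": "region-eu"},
]

@dataclass(frozen=True)
class User:
    name: str
    attributes: frozenset = frozenset()  # protected attributes the role may read
    tokens: frozenset = frozenset()      # access tokens assigned to the user or group

def visible(user, records, abac, tbac):
    """Return the rows and fields `user` can read with the given methods enabled."""
    view = []
    for rec in records:
        # TBAC is row-level: the user's token must match the record's token.
        if tbac and rec["_token"] not in user.tokens:
            continue
        row = {}
        for key, value in rec.items():
            # ABAC is attribute-level: the field is hidden in every record.
            hidden = abac and key in PROTECTED_ATTRIBUTES and key not in user.attributes
            if key != "_token" and not hidden:
                row[key] = value
        view.append(row)
    return view

def newly_exposed(user, records, before, after):
    """(record id, field) pairs readable after a method change but not before it."""
    def cells(mode):
        return {(row["id"], key) for row in visible(user, records, **mode) for key in row}
    return sorted(cells(after) - cells(before))

ANALYST = User("analyst", tokens=frozenset({"region-eu"}))
TBAC_ONLY = {"abac": False, "tbac": True}
ABAC_ONLY = {"abac": True, "tbac": False}

if __name__ == "__main__":
    print("TBAC -> ABAC exposes:", newly_exposed(ANALYST, RECORDS, TBAC_ONLY, ABAC_ONLY))
    print("ABAC -> TBAC exposes:", newly_exposed(ANALYST, RECORDS, ABAC_ONLY, TBAC_ONLY))
```

In this model, a switch in either direction exposes something the previous method hid: rows with a non-matching token in one case, protected attributes of matching rows in the other.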
Configuring access control
Depending on the access control method that you choose, you must complete some configuration steps to enable user authentication. For information about configuring access control for your master data instance, see the following topics: