Unify and manage your data

Role-based access control (RBAC) for RDM

Learn how Role-based access control (RBAC) for Reference Data Management (RDM) enhances data security by limiting access based on user roles, using custom roles, granular permissions, and API-driven configurations.

Role-based access control (RBAC) for RDM is a security mechanism that works alongside Reltio API permissions to restrict access to RDM tenant data. Data access is limited based on user roles, ensuring that users can only access information related to their responsibilities.

Benefits

Implementing RBAC for RDM enhances data security and compliance by allowing you to define roles and permissions according to your organizational policies. This control is crucial for managing sensitive data, ensuring users access only the information they are authorized to view or modify, thereby maintaining data integrity and security.

Key features

The key features to achieve the benefits of RBAC for RDM are:

Custom Roles
Administrators create custom roles tailored to specific job functions within the organization.
Granular Permissions
Permissions are assigned at a detailed level, including access to specific lookup types and canonical codes.
API-Driven Configuration
All role and permission configurations are managed through a set of robust APIs, allowing for seamless integration and automation.

For the terms of the security model, see topic Terminology.

Best practices

Prefixes for role-based access
To facilitate role-based access, use specific prefixes for canonical codes that correspond to different user roles. This way, users with specific roles can easily be restricted to view or edit only the values relevant to their department. For example:
  • FIN_ for Finance-related data accessible only by users with the ROLE_RDM_FINANCE role.

  • HR_ for HR-related data accessible only by users with the ROLE_RDM_HR role.

Hierarchical or dependent lookup permissions
Set up permissions for parent and child lookups separately. Permissions for a parent lookup type do not automatically grant access to child lookups. Each lookup type should have explicit permissions defined.

Limitations

Property Filter Limitations
The property filter in RBAC configuration does not support the inSameAttributeValue expression.
Data Change Requests (DCRs)
Data Change Requests do not support role-based access.
API and UI Restrictions
RDM RBAC on the MDM side is only applicable to API endpoints that return RDM lookup values and to MDM UI dropdown boxes displaying available attribute values linked with RDM lookups.