Metadata Security
The Reltio platform supports role-based metadata security.
The Reltio Data Cloud platform supports role-based access control with its metadata security framework. Each role has a list of resources, with the operations that users assigned to the role can perform on each resource. Security can be set at the entity/relationship type level or for individual attributes.
Get Tenant Configuration
The tenant configuration API request supports the showAccess option. If this option is enabled, the business model configuration of a tenant is returned along with access level specifications for all entity types, relationship types, and attributes.
Getting Tenant Configuration with Access
Request
Response
Set Permissions
Request
This request sets permissions for all specified URIs and roles. All permissions for each specified URI and role are updated recursively.
Parameter | Name | Required | Details |
---|---|---|---|
Headers | Authorization | Yes | Information about authentication access token in format Bearer <accessToken> (see details in Authentication API). |
Headers | Content-Type | Yes | Must be Content-Type: application/json. |
Body | | Yes | JSON Array with new permission records. Each record must have "uri", "role" and a list of access types. This list can contain one or several values or can be empty. Possible access types: CREATE, READ, UPDATE, DELETE, MERGE, UNMERGE, INITIATE_CHANGE_REQUEST, ACCEPT_CHANGE_REQUEST. |
Response
The response contains all permissions for all the URIs from the request (same as for a _get request for those URIs).
Setting Permissions
Request
Response
Adding More Permissions
Request
Response
Get Permissions for URIs
Returns permissions for specified URIs (with inheritance of URIs) and roles.
Request
Contains a list of URIs to get information about allowed operations for the specified user roles.
Parameter | Name | Required | Details |
---|---|---|---|
Headers | Authorization | Yes | Information about authentication access token in format Bearer <accessToken> (see details in Authentication API). |
Headers | Content-Type | Yes | Must be Content-Type: application/json. |
Query | roles | No | List of roles. Default: all roles which have any privileges for a URI. |
Body | | Yes | List of valid URIs. They may or may not have corresponding permission records. If a URI has no record, its permissions are obtained through URI inheritance. For example, "configuration/entityTypes/HCP" extends "configuration/entityTypes". |
Response
For each URI from an input list, the response contains information about all privileges for the specified roles.
Getting All Permissions for a List of URIs
Request
Response
Getting Permissions for Specific Roles
Request
Response
Get Configuration
Returns full permissions configuration.
Request
Parameter | Name | Required | Details |
---|---|---|---|
Headers | Authorization | Yes | Information about authentication access token in format Bearer <accessToken> (see details in Authentication API). |
Headers | Content-Type | Yes | Must be Content-Type: application/json. |
Query | roles | No | List of roles. Default: all roles which have any privileges for a URI. |
Response
Returns all permissions configuration records for a tenant. If some user roles are specified as a query parameter, irrelevant records will be excluded from the response.
Getting Full Configuration
Request
Response
Getting All Records for Specific Roles
Request
Response
Delete Configuration
Removes the entire security configuration for a tenant and disables metadata security.
Request
Parameter | Name | Required | Details |
---|---|---|---|
Headers | Authorization | Yes | Information about authentication access token in format Bearer <accessToken> (see details in Authentication API). |
Headers | Content-Type | Yes | Must be Content-Type: application/json. |
Response
Returns the status of the request execution.
Disabling Metadata Security
Request
Response
Check User Permissions
Returns the permissions available to the roles of the current user for the specified URIs. If a user has more than one role, they are allowed the maximum of what their roles permit.
Request
The request contains a list of URIs to check if they are allowed for a user.
Parameter | Name | Required | Details |
---|---|---|---|
Headers | Authorization | Yes | Information about authentication access token in format Bearer <accessToken> (see details in Authentication API). |
Headers | Content-Type | Yes | Must be Content-Type: application/json. |
Body | | No | List of valid URIs. Permissions will be obtained considering the URIs inheritance and all roles of a user. |
Response
For each URI from the input list, contains a set of allowed access types (this list can be empty).
Checking Configured Permissions
Request
Response
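The resolution rules described in the sections above (URI inheritance when a URI has no record of its own, and the maximum across a user's roles) can be modelled locally to review a permission set before it is posted. This is an added example, not Reltio's code: the `access` key name, the attribute URI layout, the `ROLE_STEWARD` role and the rule that the nearest record on the URI path wins for each role are assumptions.

```python
# Added example: local model of the permission resolution described on this page.
# Assumptions (not from the page): the "access" key name, the attribute URI layout,
# the ROLE_STEWARD role, and "nearest record on the URI path wins" per role.

ACCESS_TYPES = {
    "CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE",
    "INITIATE_CHANGE_REQUEST", "ACCEPT_CHANGE_REQUEST",
}

def index_records(records):
    """Validate permission records and index them by (uri, role)."""
    table = {}
    for rec in records:
        unknown = set(rec["access"]) - ACCESS_TYPES
        if unknown:
            raise ValueError(f"unknown access types for {rec['uri']}: {sorted(unknown)}")
        table[(rec["uri"].strip("/"), rec["role"])] = frozenset(rec["access"])
    return table

def role_access(table, uri, role):
    """Walk from the URI up through its parents; the first record found applies."""
    parts = uri.strip("/").split("/")
    while parts:
        key = ("/".join(parts), role)
        if key in table:
            return table[key]   # may be empty: an explicit "no access" record
        parts.pop()
    return frozenset()          # no record anywhere on the path

def effective_access(table, uri, roles):
    """A user with several roles gets the union (the maximum) of their access."""
    result = set()
    for role in roles:
        result |= role_access(table, uri, role)
    return result

# Constructed sample records, not taken from a real tenant.
FIRST_NAME = "configuration/entityTypes/HCP/attributes/FirstName"
SAMPLE = index_records([
    {"uri": "configuration/entityTypes", "role": "ROLE_HEART_READ", "access": ["READ"]},
    {"uri": FIRST_NAME, "role": "ROLE_HEART_READ", "access": []},
    {"uri": "configuration/entityTypes/HCP", "role": "ROLE_STEWARD", "access": ["READ", "UPDATE"]},
])

if __name__ == "__main__":
    for roles in (["ROLE_HEART_READ"], ["ROLE_HEART_READ", "ROLE_STEWARD"]):
        print(roles, sorted(effective_access(SAMPLE, FIRST_NAME, roles)))
```

Under this model the empty record removes FirstName for a user holding only ROLE_HEART_READ, while a user who also holds ROLE_STEWARD still gets READ and UPDATE on it through the second role, so a review of empty-access records needs to cover every role a user can hold.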
Hide Attributes in Reltio UI
Suppose we need to hide some attributes in the UI by using role-based metadata security. To do this, we must post permissions for the attributes with an empty access list.
Hiding Attributes by Metadata Security
The example below illustrates how to hide the first name of an HCP for role ROLE_HEART_READ.
Request