home

Developer resources

ReltioProductsDeveloper resourcesRolesApplicationsObjectives
ReltioProductsDeveloper resourcesRolesApplicationsObjectives

Unify and manage your data

Show Contents

Show Page Sections

thumbnailDeveloper resources

Role-Based Security

Metadata Security

Reltio platform supports role-based metadata security.

The Reltio Data Cloud platform supports role-based access control with its metadata security framework. Each role has a list of resources with operations that users assigned to the role can do on each resource. Security can be set at an entity/relationship type level or for individual attributes.

Note: For a newly created tenant, metadata security is disabled. It is enabled when any permissions configuration (even an empty configuration) is applied to the tenant. You may require metadata permissions for performing some of the tasks through Hub, such as crosswalk deletion.

Get Tenant Configuration

The tenant configuration API request supports option showAccess. If this option is enabled, the business model configuration of a tenant is returned along with access level specifications for all entity types, relationship types, and attributes.

Getting Tenant Configuration with Access

Request

GET {TenantURL}/configuration?options=showAccess Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json

Response

... "attributes": [ { "uri": "configuration/entityTypes/HCP/attributes/Prefix", "label": "Prefix", "name": "Prefix", "description": "", "type": "String", "hidden": false, "important": false, "faceted": true, "searchable": true, "attributeOrdering": { "orderingStrategy": "LUD" }, "access": ["CREATE", "UPDATE", "READ"] }, { "uri": "configuration/entityTypes/HCP/attributes/Name", "label": "Full Name", "name": "Name", "description": "Name", "type": "String", "hidden": false, "important": false, "searchable": true, "attributeOrdering": { "orderingStrategy": "LUD" }, "access": ["READ"] }, ...

Set Permissions

Request

POST {env_uri}/reltio/permissions/{tenant}

This request sets permissions for all specified URIs and roles. All permissions for each specified URI and role are updated recursively.

Tip: An example for {env_uri}/reltio is https://abcd-01.reltio.com/reltio.
Table 1. Parameters
ParameterNameRequiredDetails
HeadersAuthorizationYesInformation about authentication access token in format Bearer <accessToken> (see details in Authentication API).
Content-TypeYesMust be Content-Type: application/json.
BodyYesJSON Array with new permission records. Each record must have "uri", "role" and a list of access types. This list can contain one or several values or can be empty. Possible access types: CREATE, READ, UPDATE, DELETE, MERGE, UNMERGE, INITIATE_CHANGE_REQUEST, ACCEPT_CHANGE_REQUEST.

Response

The response contains all permissions for all the URIs from the request (same as for _get request for those URIs).

Important: To remove a particular role for a user, you must not resend the Post request without including the to-be-removed role. First, you must delete the entire role configuration for the user by using the Delete configuration option and then resend the Post request to assign only the required roles to the user.

Setting Permissions

Request

POST {env_uri}/reltio/permissions/{tenant} Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json Body: [ { "uri":"configuration/entityTypes", "permissions":[ { "role": "API_USER", "access":["READ"] }, { "role": "UI_USER", "access":["READ"] } ] }, { "uri":"configuration/entityTypes/HCP", "permissions":[ { "role": "API_USER", "access":["CREATE", "READ", "UPDATE"] } ] } ]

Response

[ { "uri": "configuration/entityTypes", "permissions": [ { "role": "API_USER", "access": ["READ"] }, { "role": "UI_USER", "access": ["READ"] } ] }, { "uri": "configuration/entityTypes/HCP", "permissions": [ { "role": "API_USER", "access": ["CREATE", "READ", "UPDATE"] } ] } ]

Adding More Permissions

Request

POST {env_uri}/reltio/permissions/{tenant} Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json Body: [ { "uri":"configuration/entityTypes", "permissions":[ { "role": "DATA_STEWARD", "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"] } ] } ]

Response

[ { "uri": "configuration/entityTypes", "permissions": [ { "role": "API_USER", "access": ["READ"] }, { "role": "DATA_STEWARD", "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"] }, { "role": "UI_USER", "access": ["READ"] } ] } ]

Get Permissions for URIs

Returns permissions for specified URIs (with inheritance of URIs) and roles.

Request

POST {env_uri}/reltio/permissions/{tenant}/_get

Contains a list of URIs to get information about allowed operations for the specified user roles.

Note: If no query parameter is passed, then all user roles are considered.
Table 2. Parameters
ParameterNameRequiredDetails
HeadersAuthorizationYesInformation about authentication access token in format Bearer <accessToken> (see details in Authentication API).
Content-TypeYesMust be Content-Type: application/json.
QueryrolesNoList of roles. Default: all roles which have any privileges for an URI.
BodyYesList of valid URIs. They can have corresponding permissions records or not. In the latter case, permissions will be obtained considering URIs inheritance. For example, "configuration/entityTypes/HCP" extends "configuration/entityTypes".

Response

For each URI from an input list, the response contains information about all privileges for the specified roles.

Getting All Permissions for a List of URIs

Request

POST {env_uri}/reltio/permissions/{tenant}/_get Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json Body: [ "configuration/entityTypes/HCP", "configuration/entityTypes/Location" ]

Response

[ { "uri": "configuration/entityTypes/HCP", "permissions": [ { "role": "API_USER", "access": ["CREATE", "READ", "UPDATE"] }, { "role": "DATA_STEWARD", "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"] }, { "role": "UI_USER", "access": ["READ"] } ] }, { "uri": "configuration/entityTypes/Location", "permissions": [ { "role": "API_USER", "access": ["READ"] }, { "role": "DATA_STEWARD", "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"] }, { "role": "UI_USER", "access": ["READ"] } ] } ]

Getting Permissions for Specific Roles

Request

POST {env_uri}/reltio/permissions/{tenant}/_get?roles=API_USER Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json Body: [ "configuration/entityTypes/HCP", "configuration/entityTypes/Location" ]

Response

[ { "uri": "configuration/entityTypes/HCP", "permissions": [ { "role": "API_USER", "access": ["CREATE", "READ", "UPDATE"] } ] }, { "uri": "configuration/entityTypes/Location", "permissions": [ { "role": "API_USER", "access": ["READ"] } ] } ]

Get Configuration

Returns full permissions configuration.

Request

GET {env_uri}/reltio/permissions/{tenant}
Table 3. Parameters
ParameterNameRequiredDetails
HeadersAuthorizationYesInformation about authentication access token in format Bearer <accessToken> (see details in Authentication API).
Content-TypeYesMust be Content-Type: application/json.
QueryrolesNoList of roles. Default: all roles which have any privileges for an URI.

Response

Returns all permissions configuration records for a tenant. If some user roles are specified as a query parameter, irrelevant records will be excluded from the response.

Getting Full Configuration

Request

GET {env_uri}/reltio/permissions/{tenant} Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json

Response

[ { "uri": "configuration/entityTypes", "permissions": [ { "role": "API_USER", "access": ["CREATE", "READ", "UPDATE"] }, { "role": "DATA_STEWARD", "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"] }, { "role": "UI_USER", "access": ["READ"] } ] }, { "uri": "configuration/entityTypes/HCP", "permissions": [ { "role": "API_USER", "access": ["CREATE", "READ", "UPDATE"] } ] } ]

Getting All Records for Specific Roles

Request

GET {env_uri}/reltio/permissions/{tenant}/_configuration?roles=UI_USER,DATA_STEWARD Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json

Response

[ { "uri": "configuration/entityTypes", "permissions": [ { "role": "DATA_STEWARD", "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"] }, { "role": "UI_USER", "access": ["READ"] } ] } ]

Delete Configuration

Removes the entire security configuration for a tenant and disables metadata security.

Request

DELETE {env_uri}/reltio/permissions/{tenant}
Table 4. Parameters
ParameterNameRequiredDetails
HeadersAuthorizationYesInformation about authentication access token in format Bearer <accessToken> (see details in Authentication API).
Content-TypeYesMust be Content-Type: application/json.

Response

Returns the status of the request execution.

Disabling Metadata Security

Request

DELETE {env_uri}/reltio/permissions/{tenant} Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json

Response

{ "status": "success" }

Check User Permissions

Returns available permissions for roles of a current user and for specified URIs. If a user has more than one role, then they will be able to do the maximum from their roles.

Note: The API is available for all users and is designed to check permissions for their roles.

Request

POST {env_uri}/reltio/permissions/{tenant}/_check

The request contains a list of URIs to check if they are allowed for a user.

Table 5. Parameters
ParameterNameRequiredDetails
HeadersAuthorizationYesInformation about authentication access token in format Bearer <accessToken> (see details in Authentication API).
Content-TypeYesMust be Content-Type: application/json.
BodyNoList of valid URIs. Permissions will be obtained considering the URIs inheritance and all roles of a user.

Response

For each URI from the input list, contains a set of allowed access types (this list can be empty).

Checking Configured Permissions

Request

POST {env_uri}/reltio/permissions/{tenant}/_check Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json Role: API_USER Body: [ "configuration/entityTypes/HCP", "configuration/entityTypes/Location" ]

Response

{ "configuration/entityTypes/HCP": ["CREATE", "UPDATE", "READ"], "configuration/entityTypes/Location": ["READ"] }

Hide Attributes in Reltio UI

Suppose we need to hide some attributes in the UI by using the role-based metadata security. For this purpose, we must post permissions for the attributes with empty access.

Hiding Attributes by Metadata Security

The example below illustrates how to hide the first name of an HCP for role ROLE_HEART_READ.

Request

POST {env_uri}/reltio/permissions/{tenant} Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json Body: [ { "uri": "configuration/entityTypes/HCP/attributes/Name", "permissions": [ { "role": "ROLE_HEART_READ", "access": [] } ] } ]
Note: Metadata security is not compatible with Analytics attributes. You cannot apply the Metadata security rules to analytics attributes.
Was this content helpful?

Updated on December 9, 2024

Related Articles:

Footer

You've found your way to a temporary environment. Content is not complete or final. Looking for Reltio documentation? Go to docs.reltio.com.

Company

Leadership

Careers

Awards

Contact Us

Reltio Newsroom

Press Releases

Media Coverage

Media & Analyst Resources

Customer Support

Support

Reltio Learn

Community

Developer Portal

100 Marine Parkway, Suite 275

Redwood Shores, CA 94065

USA

North America: +1(855)360-3282

Europe: +44(800)368-7643

Email: sales@reltio.com

© 2025 The RELTIO® mark is a registered trademark of Reltio, Inc. in the United States and other countries; DataDriven and Reltio Data Cloud are trademarks of Reltio, Inc. Other names or marks are trademarks of their respective owners.

Terms, Privacy Policy, and