Permissions
Learn the permissions required to apply data change requests.
Apply DCR with object permissions
With the default physical tenant configuration, to apply a data change request (DCR) you must have modification permission on the objects in the DCR. Speficially, you must have privileges CREATE
, UPDATE
, READ
, DELETE
, and MERGE
on the objects being modified and also ACCEPT_CHANGE_REQUEST
. Different privileges are needed for different types of operations, such as DELETE_ATTRIBUTE
requires DELETE
privilege, while CREATE_ENTITY
requires CREATE
. But, generally, for most operations you need the READ
, UPDATE
, and MERGE
privileges.
UPDATE_ATTRIBUTE
change was generated. Now, DELETE_ATTRIBUTE
and INSERT_ATTRIBUTE
changes are generated instead. You must have CREATE
and DELETE
privileges to apply such a DCR.Apply DCR without object permissions
You eliminate the need for CREATE
, UPDATE
, DELETE
, and MERGE
privileges by setting the applyDcrWithoutPermissions
flag to true in the tenant physical configuration.
..
"applyDcrWithoutPermissions": true,
...
This way, you only need READ
and ACCEPT_CHANGE_REQUEST
. This approach is useful when you need to segregate access between users who can accept change requests but not directly modify objects and those who can directly modify objects. For example, one type of user may have CREATE/UPDATE
privileges to directly modify objects and another type of user ACCEPT_CHANGE_REQUEST
privilege to only modify objects through DCRs. If you don't require this segregation, then we recommend the default behavior whereapplyDcrWithoutPermissions
is false.
Please contact us to enable this option on your tenant, see topic Get help in Support Portal.
For more information on security and roles, see topic Metadata Security and Assign Role-based Tenants to a User.