Unify and manage your data

Permissions

Learn the permissions required to apply data change requests.

Apply DCR with object permissions

With the default physical tenant configuration, to apply a data change request (DCR) you must have modification permission on the objects in the DCR. Speficially, you must have privileges CREATE, UPDATE, READ, DELETE, and MERGE on the objects being modified and also ACCEPT_CHANGE_REQUEST. Different privileges are needed for different types of operations, such as DELETE_ATTRIBUTE requires DELETE privilege, while CREATE_ENTITY requires CREATE. But, generally, for most operations you need the READ, UPDATE, and MERGE privileges.

Note: Previously, when a value of a simple attribute was modified, the UPDATE_ATTRIBUTE change was generated. Now, DELETE_ATTRIBUTE and INSERT_ATTRIBUTE changes are generated instead. You must have CREATE and DELETE privileges to apply such a DCR.

Apply DCR without object permissions

You eliminate the need for CREATE, UPDATE, DELETE, and MERGE privileges by setting the applyDcrWithoutPermissions flag to true in the tenant physical configuration.

..
"applyDcrWithoutPermissions": true,
...

This way, you only need READ and ACCEPT_CHANGE_REQUEST. This approach is useful when you need to segregate access between users who can accept change requests but not directly modify objects and those who can directly modify objects. For example, one type of user may have CREATE/UPDATE privileges to directly modify objects and another type of user ACCEPT_CHANGE_REQUEST privilege to only modify objects through DCRs. If you don't require this segregation, then we recommend the default behavior whereapplyDcrWithoutPermissions is false.

Please contact us to enable this option on your tenant, see topic Get help in Support Portal.

For more information on security and roles, see topic Metadata Security and Assign Role-based Tenants to a User.