Unify and manage your data

Metadata Security

Reltio platform supports role-based metadata security.

The Reltio Data Cloud platform supports role-based access control with its metadata security framework. Each role has a list of resources with operations that users assigned to the role can do on each resource. Security can be set at an entity/relationship type level or for individual attributes.

Note: For a newly created tenant, metadata security is disabled. It is enabled when any permissions configuration (even an empty configuration) is applied to the tenant. You may require metadata permissions for performing some of the tasks through Hub, such as crosswalk deletion.

Get Tenant Configuration

The tenant configuration API request supports option showAccess. If this option is enabled, the business model configuration of a tenant is returned along with access level specifications for all entity types, relationship types, and attributes.

Getting Tenant Configuration with Access

Request

GET {TenantURL}/configuration?options=showAccess
Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json

Response

...
"attributes": [
  {
    "uri": "configuration/entityTypes/HCP/attributes/Prefix",
    "label": "Prefix",
    "name": "Prefix",
    "description": "",
    "type": "String",
    "hidden": false,
    "important": false,
    "faceted": true,
    "searchable": true,
    "attributeOrdering": {
      "orderingStrategy": "LUD"
    },
    "access": ["CREATE", "UPDATE", "READ"]
  },
  {
    "uri": "configuration/entityTypes/HCP/attributes/Name",
    "label": "Full Name",
    "name": "Name",
    "description": "Name",
    "type": "String",
    "hidden": false,
    "important": false,
    "searchable": true,
    "attributeOrdering": {
      "orderingStrategy": "LUD"
    },
    "access": ["READ"]
  },
...

Set Permissions

Request

POST {env_uri}/reltio/permissions/{tenant}

This request sets permissions for all specified URIs and roles. All permissions for each specified URI and role are updated recursively.

Tip: An example for {env_uri}/reltio is https://abcd-01.reltio.com/reltio.
Table 1. Parameters
ParameterNameRequiredDetails
HeadersAuthorizationYesInformation about authentication access token in format Bearer <accessToken> (see details in Authentication API).
Content-TypeYesMust be Content-Type: application/json.
BodyYesJSON Array with new permission records. Each record must have "uri", "role" and a list of access types. This list can contain one or several values or can be empty. Possible access types: CREATE, READ, UPDATE, DELETE, MERGE, UNMERGE, INITIATE_CHANGE_REQUEST, ACCEPT_CHANGE_REQUEST.

Response

The response contains all permissions for all the URIs from the request (same as for _get request for those URIs).

Important: To remove a particular role for a user, you must not resend the Post request without including the to-be-removed role. First, you must delete the entire role configuration for the user by using the Delete configuration option and then resend the Post request to assign only the required roles to the user.

Setting Permissions

Request

POST {env_uri}/reltio/permissions/{tenant}
Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json 
Body:
[
  {
    "uri":"configuration/entityTypes",
    "permissions":[
      {
        "role": "API_USER",
        "access":["READ"]
      },
      {
        "role": "UI_USER",
        "access":["READ"]
      }
    ]
  },
  {
    "uri":"configuration/entityTypes/HCP",
    "permissions":[
      {
        "role": "API_USER",
        "access":["CREATE", "READ", "UPDATE"]
      }
    ]
  }
]

Response

[
    {
        "uri": "configuration/entityTypes",
        "permissions": [
            {
                "role": "API_USER",
                "access": ["READ"]
            },
            {
                "role": "UI_USER",
                "access": ["READ"]
            }
        ]
    },
    {
        "uri": "configuration/entityTypes/HCP",
        "permissions": [
            {
                "role": "API_USER",
                "access": ["CREATE", "READ", "UPDATE"]
            }
        ]
    }
]

Adding More Permissions

Request

POST {env_uri}/reltio/permissions/{tenant}
Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json 
Body:
[
  {
    "uri":"configuration/entityTypes",
    "permissions":[
      {
        "role": "DATA_STEWARD",
        "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
      }
    ]
  }
]

Response

[
    {
        "uri": "configuration/entityTypes",
        "permissions": [
            {
                "role": "API_USER",
                "access": ["READ"]
            },
            {
                "role": "DATA_STEWARD",
                "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
            },
            {
                "role": "UI_USER",
                "access": ["READ"]
            }
        ]
    }
]

Get Permissions for URIs

Returns permissions for specified URIs (with inheritance of URIs) and roles.

Request

POST {env_uri}/reltio/permissions/{tenant}/_get

Contains a list of URIs to get information about allowed operations for the specified user roles.

Note: If no query parameter is passed, then all user roles are considered.
Table 2. Parameters
ParameterNameRequiredDetails
HeadersAuthorizationYesInformation about authentication access token in format Bearer <accessToken> (see details in Authentication API).
Content-TypeYesMust be Content-Type: application/json.
QueryrolesNoList of roles. Default: all roles which have any privileges for an URI.
BodyYesList of valid URIs. They can have corresponding permissions records or not. In the latter case, permissions will be obtained considering URIs inheritance. For example, "configuration/entityTypes/HCP" extends "configuration/entityTypes".

Response

For each URI from an input list, the response contains information about all privileges for the specified roles.

Getting All Permissions for a List of URIs

Request

POST {env_uri}/reltio/permissions/{tenant}/_get
Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json 
Body:
[
    "configuration/entityTypes/HCP",
    "configuration/entityTypes/Location"
]

Response

[
    {
        "uri": "configuration/entityTypes/HCP",
        "permissions": [
            {
                "role": "API_USER",
                "access": ["CREATE", "READ", "UPDATE"]
            },
            {
                "role": "DATA_STEWARD",
                "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
            },
            {
                "role": "UI_USER",
                "access": ["READ"]
            }
        ]
    },
    {
        "uri": "configuration/entityTypes/Location",
        "permissions": [
            {
                "role": "API_USER",
                "access": ["READ"]
            },
            {
                "role": "DATA_STEWARD",
                "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
            },
            {
                "role": "UI_USER",
                "access": ["READ"]
            }
        ]
    }
]

Getting Permissions for Specific Roles

Request

POST {env_uri}/reltio/permissions/{tenant}/_get?roles=API_USER
Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json 
Body:
[
    "configuration/entityTypes/HCP",
    "configuration/entityTypes/Location"
]

Response

[
    {
        "uri": "configuration/entityTypes/HCP",
        "permissions": [
            {
                "role": "API_USER",
                "access": ["CREATE", "READ", "UPDATE"]
            }
        ]
    },
    {
        "uri": "configuration/entityTypes/Location",
        "permissions": [
            {
                "role": "API_USER",
                "access": ["READ"]
            }
        ]
    }
]

Get Configuration

Returns full permissions configuration.

Request

GET {env_uri}/reltio/permissions/{tenant}
Table 3. Parameters
ParameterNameRequiredDetails
HeadersAuthorizationYesInformation about authentication access token in format Bearer <accessToken> (see details in Authentication API).
Content-TypeYesMust be Content-Type: application/json.
QueryrolesNoList of roles. Default: all roles which have any privileges for an URI.

Response

Returns all permissions configuration records for a tenant. If some user roles are specified as a query parameter, irrelevant records will be excluded from the response.

Getting Full Configuration

Request

GET {env_uri}/reltio/permissions/{tenant}
Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json

Response

[
    {
        "uri": "configuration/entityTypes",
        "permissions": [
            {
                "role": "API_USER",
                "access": ["CREATE", "READ", "UPDATE"]
            },
            {
                "role": "DATA_STEWARD",
                "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
            },
            {
                "role": "UI_USER",
                "access": ["READ"]
            }
        ]
    },
    {
        "uri": "configuration/entityTypes/HCP",
        "permissions": [
            {
                "role": "API_USER",
                "access": ["CREATE", "READ", "UPDATE"]
            }
        ]
    }
]

Getting All Records for Specific Roles

Request

GET {env_uri}/reltio/permissions/{tenant}/_configuration?roles=UI_USER,DATA_STEWARD
Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json

Response

[
    {
        "uri": "configuration/entityTypes",
        "permissions": [
            {
                "role": "DATA_STEWARD",
                "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
            },
            {
                "role": "UI_USER",
                "access": ["READ"]
            }
        ]
    }
]

Delete Configuration

Removes the entire security configuration for a tenant and disables metadata security.

Request

DELETE {env_uri}/reltio/permissions/{tenant}
Table 4. Parameters
ParameterNameRequiredDetails
HeadersAuthorizationYesInformation about authentication access token in format Bearer <accessToken> (see details in Authentication API).
Content-TypeYesMust be Content-Type: application/json.

Response

Returns the status of the request execution.

Disabling Metadata Security

Request

DELETE {env_uri}/reltio/permissions/{tenant}
Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json

Response

{
    "status": "success"
}

Check User Permissions

Returns available permissions for roles of a current user and for specified URIs. If a user has more than one role, then they will be able to do the maximum from their roles.

Note: The API is available for all users and is designed to check permissions for their roles.

Request

POST {env_uri}/reltio/permissions/{tenant}/_check

The request contains a list of URIs to check if they are allowed for a user.

Table 5. Parameters
ParameterNameRequiredDetails
HeadersAuthorizationYesInformation about authentication access token in format Bearer <accessToken> (see details in Authentication API).
Content-TypeYesMust be Content-Type: application/json.
BodyNoList of valid URIs. Permissions will be obtained considering the URIs inheritance and all roles of a user.

Response

For each URI from the input list, contains a set of allowed access types (this list can be empty).

Checking Configured Permissions

Request

POST {env_uri}/reltio/permissions/{tenant}/_check
Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json
Role: API_USER 
Body:
[
    "configuration/entityTypes/HCP",
    "configuration/entityTypes/Location"
]

Response

{
    "configuration/entityTypes/HCP": ["CREATE", "UPDATE", "READ"],
    "configuration/entityTypes/Location": ["READ"]
}

Hide Attributes in Reltio UI

Suppose we need to hide some attributes in the UI by using the role-based metadata security. For this purpose, we must post permissions for the attributes with empty access.

Hiding Attributes by Metadata Security

The example below illustrates how to hide the first name of an HCP for role ROLE_HEART_READ.

Request

POST {env_uri}/reltio/permissions/{tenant}
Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json
Body:
[
  {
    "uri": "configuration/entityTypes/HCP/attributes/Name",
    "permissions": [
      {
        "role": "ROLE_HEART_READ",
        "access": []
      }
    ]
  }
]
Note: Metadata security is not compatible with Analytics attributes. You cannot apply the Metadata security rules to analytics attributes.