Metadata Security
Reltio platform supports role-based metadata security.
The Reltio Data Cloud platform supports role-based access control with its metadata security framework. Each role has a list of resources with operations that users assigned to the role can do on each resource. Security can be set at an entity/relationship type level or for individual attributes.
Get Tenant Configuration
The tenant configuration API request supports option showAccess
. If this option is enabled, the business model configuration of a tenant is returned along with access level specifications for all entity types, relationship types, and attributes.
Getting Tenant Configuration with Access
Request
GET {TenantURL}/configuration?options=showAccess
Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json
Response
...
"attributes": [
{
"uri": "configuration/entityTypes/HCP/attributes/Prefix",
"label": "Prefix",
"name": "Prefix",
"description": "",
"type": "String",
"hidden": false,
"important": false,
"faceted": true,
"searchable": true,
"attributeOrdering": {
"orderingStrategy": "LUD"
},
"access": ["CREATE", "UPDATE", "READ"]
},
{
"uri": "configuration/entityTypes/HCP/attributes/Name",
"label": "Full Name",
"name": "Name",
"description": "Name",
"type": "String",
"hidden": false,
"important": false,
"searchable": true,
"attributeOrdering": {
"orderingStrategy": "LUD"
},
"access": ["READ"]
},
...
Set Permissions
Request
POST {env_uri}/reltio/permissions/{tenant}
This request sets permissions for all specified URIs and roles. All permissions for each specified URI and role are updated recursively.
Parameter | Name | Required | Details |
---|---|---|---|
Headers | Authorization | Yes | Information about authentication access token in format Bearer <accessToken> (see details in Authentication API). |
Content-Type | Yes | Must be Content-Type: application/json . | |
Body | Yes | JSON Array with new permission records. Each record must have "uri", "role" and a list of access types. This list can contain one or several values or can be empty. Possible access types: CREATE, READ, UPDATE, DELETE, MERGE, UNMERGE, INITIATE_CHANGE_REQUEST, ACCEPT_CHANGE_REQUEST. |
Response
The response contains all permissions for all the URIs from the request (same as for _get
request for those URIs).
Setting Permissions
Request
POST {env_uri}/reltio/permissions/{tenant}
Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json
Body:
[
{
"uri":"configuration/entityTypes",
"permissions":[
{
"role": "API_USER",
"access":["READ"]
},
{
"role": "UI_USER",
"access":["READ"]
}
]
},
{
"uri":"configuration/entityTypes/HCP",
"permissions":[
{
"role": "API_USER",
"access":["CREATE", "READ", "UPDATE"]
}
]
}
]
Response
[
{
"uri": "configuration/entityTypes",
"permissions": [
{
"role": "API_USER",
"access": ["READ"]
},
{
"role": "UI_USER",
"access": ["READ"]
}
]
},
{
"uri": "configuration/entityTypes/HCP",
"permissions": [
{
"role": "API_USER",
"access": ["CREATE", "READ", "UPDATE"]
}
]
}
]
Adding More Permissions
Request
POST {env_uri}/reltio/permissions/{tenant}
Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json
Body:
[
{
"uri":"configuration/entityTypes",
"permissions":[
{
"role": "DATA_STEWARD",
"access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
}
]
}
]
Response
[
{
"uri": "configuration/entityTypes",
"permissions": [
{
"role": "API_USER",
"access": ["READ"]
},
{
"role": "DATA_STEWARD",
"access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
},
{
"role": "UI_USER",
"access": ["READ"]
}
]
}
]
Get Permissions for URIs
Returns permissions for specified URIs (with inheritance of URIs) and roles.
Request
POST {env_uri}/reltio/permissions/{tenant}/_get
Contains a list of URIs to get information about allowed operations for the specified user roles.
Parameter | Name | Required | Details |
---|---|---|---|
Headers | Authorization | Yes | Information about authentication access token in format Bearer <accessToken> (see details in Authentication API). |
Content-Type | Yes | Must be Content-Type: application/json . | |
Query | roles | No | List of roles. Default: all roles which have any privileges for an URI. |
Body | Yes | List of valid URIs. They can have corresponding permissions records or not. In the latter case, permissions will be obtained considering URIs inheritance. For example, "configuration/entityTypes/HCP" extends "configuration/entityTypes". |
Response
For each URI from an input list, the response contains information about all privileges for the specified roles.
Getting All Permissions for a List of URIs
Request
POST {env_uri}/reltio/permissions/{tenant}/_get
Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json
Body:
[
"configuration/entityTypes/HCP",
"configuration/entityTypes/Location"
]
Response
[
{
"uri": "configuration/entityTypes/HCP",
"permissions": [
{
"role": "API_USER",
"access": ["CREATE", "READ", "UPDATE"]
},
{
"role": "DATA_STEWARD",
"access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
},
{
"role": "UI_USER",
"access": ["READ"]
}
]
},
{
"uri": "configuration/entityTypes/Location",
"permissions": [
{
"role": "API_USER",
"access": ["READ"]
},
{
"role": "DATA_STEWARD",
"access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
},
{
"role": "UI_USER",
"access": ["READ"]
}
]
}
]
Getting Permissions for Specific Roles
Request
POST {env_uri}/reltio/permissions/{tenant}/_get?roles=API_USER
Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json
Body:
[
"configuration/entityTypes/HCP",
"configuration/entityTypes/Location"
]
Response
[
{
"uri": "configuration/entityTypes/HCP",
"permissions": [
{
"role": "API_USER",
"access": ["CREATE", "READ", "UPDATE"]
}
]
},
{
"uri": "configuration/entityTypes/Location",
"permissions": [
{
"role": "API_USER",
"access": ["READ"]
}
]
}
]
Get Configuration
Returns full permissions configuration.
Request
GET {env_uri}/reltio/permissions/{tenant}
Parameter | Name | Required | Details |
---|---|---|---|
Headers | Authorization | Yes | Information about authentication access token in format Bearer <accessToken> (see details in Authentication API). |
Content-Type | Yes | Must be Content-Type: application/json . | |
Query | roles | No | List of roles. Default: all roles which have any privileges for an URI. |
Response
Returns all permissions configuration records for a tenant. If some user roles are specified as a query parameter, irrelevant records will be excluded from the response.
Getting Full Configuration
Request
GET {env_uri}/reltio/permissions/{tenant}
Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json
Response
[
{
"uri": "configuration/entityTypes",
"permissions": [
{
"role": "API_USER",
"access": ["CREATE", "READ", "UPDATE"]
},
{
"role": "DATA_STEWARD",
"access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
},
{
"role": "UI_USER",
"access": ["READ"]
}
]
},
{
"uri": "configuration/entityTypes/HCP",
"permissions": [
{
"role": "API_USER",
"access": ["CREATE", "READ", "UPDATE"]
}
]
}
]
Getting All Records for Specific Roles
Request
GET {env_uri}/reltio/permissions/{tenant}/_configuration?roles=UI_USER,DATA_STEWARD
Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json
Response
[
{
"uri": "configuration/entityTypes",
"permissions": [
{
"role": "DATA_STEWARD",
"access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
},
{
"role": "UI_USER",
"access": ["READ"]
}
]
}
]
Delete Configuration
Removes the entire security configuration for a tenant and disables metadata security.
Request
DELETE {env_uri}/reltio/permissions/{tenant}
Parameter | Name | Required | Details |
---|---|---|---|
Headers | Authorization | Yes | Information about authentication access token in format Bearer <accessToken> (see details in Authentication API). |
Content-Type | Yes | Must be Content-Type: application/json . |
Response
Returns the status of the request execution.
Disabling Metadata Security
Request
DELETE {env_uri}/reltio/permissions/{tenant}
Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json
Response
{
"status": "success"
}
Check User Permissions
Returns available permissions for roles of a current user and for specified URIs. If a user has more than one role, then they will be able to do the maximum from their roles.
Request
POST {env_uri}/reltio/permissions/{tenant}/_check
The request contains a list of URIs to check if they are allowed for a user.
Parameter | Name | Required | Details |
---|---|---|---|
Headers | Authorization | Yes | Information about authentication access token in format Bearer <accessToken> (see details in Authentication API). |
Content-Type | Yes | Must be Content-Type: application/json . | |
Body | No | List of valid URIs. Permissions will be obtained considering the URIs inheritance and all roles of a user. |
Response
For each URI from the input list, contains a set of allowed access types (this list can be empty).
Checking Configured Permissions
Request
POST {env_uri}/reltio/permissions/{tenant}/_check
Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json
Role: API_USER
Body:
[
"configuration/entityTypes/HCP",
"configuration/entityTypes/Location"
]
Response
{
"configuration/entityTypes/HCP": ["CREATE", "UPDATE", "READ"],
"configuration/entityTypes/Location": ["READ"]
}
Hide Attributes in Reltio UI
Suppose we need to hide some attributes in the UI by using the role-based metadata security. For this purpose, we must post permissions for the attributes with empty access.
Hiding Attributes by Metadata Security
The example below illustrates how to hide the first name of an HCP for role ROLE_HEART_READ.
Request
POST {env_uri}/reltio/permissions/{tenant}
Headers: Authorization: Bearer <Access-Token>, Content-Type: application/json
Body:
[
{
"uri": "configuration/entityTypes/HCP/attributes/Name",
"permissions": [
{
"role": "ROLE_HEART_READ",
"access": []
}
]
}
]