Unify and manage your data

Access restrictions to data sources

Learn about the restrictions you can configure for data from specific sources

Any customer can have their data provided from different sources. This data is personal and sometimes sensitive, so you must be able to create restrictions that prevent all users from accessing all the data from all data sources. You might want to allow a specific set of users to only access a specific data source.

In metadata security, this is possible by using the slice filter, which slices the data based on the sources. When you create a role, add the slice filter specifying the data sources that role holders can access. When you assign this role to a user, the filter restricts their access to the specified data sources.

This example shows how to configure the role ROLE_TWIT_AND_FB_SLICE_READ to limit user access to the Twitter and FaceBook source systems. When this role is assigned to a user, they can only access these two data sources, data from any other sources is filtered out.

{"role" : "ROLE_TWIT_AND_FB_SLICE_READ", "filter" : "slice(sourceSystems,'FB') AND slice(sourceSystems,'TWITTER')", "access" : ["READ"]}

Slice filter usage conditions

Consider these points when you configure the slice filter:

  • Use the Entities API GET method to slice an entity, for example GET /{tenant}/entities/{id}.

  • The slice filter works only for entities. It doesn't work for relationships.

  • The slice filter applies only to READ permissions and takes priority over other filters. If you apply the filter to other permissions, such as UPDATE or MERGE, the API returns a FilterException error and doesn't complete the process, even if the user has been assigned another role with other permissions.

    {"role" : "ROLE_FB_SLICE_READ", "filter" : "slice(sourceSystems,'FB')", "access" : ["UPDATE"]}
  • The slice filter works only with sourceSystems. If you apply the filter to other values, the API returns a FilterException error and doesn't complete the process.

    {"role" : "ROLE_FB_SLICE_INVALID_READ", "filter" : "slice(sourceSystems,'FB') AND slice(type, 'configuration/entityTypes/ProductItem')", "access" : ["READ"]}
  • Use commas to separate multiple source names in the slice filter.

    {"role" : "ROLE_TWIT_AND_FB_SLICE_READ", "filter" : "slice(sourceSystems,'FB','TWITTER')", "access" : ["READ"]}
  • Use AND and OR conditional operators to apply more than one slice filters to a role. AND and OR conditional operators behave the same for the slice filter.

    {"role" : "ROLE_TWIT_AND_FB_SLICE_READ", "filter" : "slice(sourceSystems,'FB') AND slice(sourceSystems,'TWITTER')", "access" : ["READ"]}
    {"role" : "ROLE_TWIT_OR_FB_SLICE_READ", "filter" : "slice(sourceSystems,'FB') OR slice(sourceSystems,'TWITTER')", "access" : ["READ"]}
  • Use NOT conditional operators to restrict access to a specific source system. NOT conditional operators take priority over any other operators specified in the filter.

    The user who's been assigned these roles can't access data from the TWITTER and FB sources.

    {"role" : "ROLE_TWIT_NOT_AND_FB_SLICE_READ", "filter" : "not slice(sourceSystems,'FB') AND not slice(sourceSystems,'TWITTER')", "access" : ["READ"]}
    {"role" : "ROLE_TWIT_NOT_AND_FB_SLICE_AND_FB_READ", "filter" : "not slice(sourceSystems,'FB') AND not slice(sourceSystems,'TWITTER') AND slice(sourceSystems, 'FB')", "access" : ["READ"]}
    
  • If a user has been assigned two different roles with different slice filters, the filter permissions don't overlap. In this example, if the same user is assigned the ROLE_TWIT_READ role and the ROLE_FB_READ role, they can read data from both Twitter and Facebook, but no other data sources.

    {"role" : "ROLE_TWIT_READ", "filter" : "slice(sourceSystems,'TWITTER')", "access" : ["READ"]}
    {"role" : "ROLE_FB_READ", "filter" : "slice(sourceSystems,'FB)", "access" : ["READ"]}
  • Use AND and OR conditional operators to combine the slice filter with other filters.

    The slice filter always returns a value of true. If you combine the slice filter with other filters, evaluate the request carefully to ensure you get the desired result. In this example, the slice filter is true but the equals(type, 'configuration/entityTypes/ProductItem') filter is false. Because the combined filter uses the AND conditional operator, it returns a value of false so the user isn't granted READ permissions for the specified source.

    {"role" : "ROLE_TWIT_READ", "filter" : "slice(sourceSystems,'TWITTER') AND equals(type, 'configuration/entityTypes/ProductItem')", "access" : ["READ"]}