Benefits

Implementing RBAC for RDM enhances data security and compliance by allowing you to define roles and permissions according to your organizational policies. This control is crucial for managing sensitive data, ensuring users access only the information they are authorized to view or modify, thereby maintaining data integrity and security.

Key features

The key features to achieve the benefits of RBAC for RDM are:

Custom Roles

Administrators create custom roles tailored to specific job functions within the organization.

Granular Permissions

Permissions are assigned at a detailed level, including access to specific lookup types and canonical codes.

API-Driven Configuration

All role and permission configurations are managed through a set of robust APIs, allowing for seamless integration and automation.

For the terms of the security model, see topic Terminology.

Best practices

Prefixes for role-based access

To facilitate role-based access, use specific prefixes for canonical codes that correspond to different user roles. This way, users with specific roles can easily be restricted to view or edit only the values relevant to their department. For example:

• FIN_ for Finance-related data accessible only by users with the ROLE_RDM_FINANCE role.

• HR_ for HR-related data accessible only by users with the ROLE_RDM_HR role.

Hierarchical or dependent lookup permissions

Set up permissions for parent and child lookups separately. Permissions for a parent lookup type do not automatically grant access to child lookups. Each lookup type should have explicit permissions defined.

Limitations

Property Filter Limitations

The property filter in RBAC configuration does not support the inSameAttributeValue expression.

Data Change Requests (DCRs)

Data Change Requests do not support role-based access.

API and UI Restrictions

RDM RBAC on the MDM side is only applicable to API endpoints that return RDM lookup values and to MDM UI dropdown boxes displaying available attribute values linked with RDM lookups.