Set up role-based access control for RDM

Role-based access control (RBAC) in RDM adds a layer of security beyond Reltio API Permissions, enabling controlled data access within RDM tenants. Use it to restrict which roles can read or modify specific lookup types and lookup values.

Reltio API Permissions

To execute RDM service endpoints, users must have appropriate privileges for the API resource rdm:permissions.

Note:

Users with the role ROLE_ADMIN_TENANT already have these permissions and do not need them set explicitly.

Table 1. RDM Permissions

Permission Resource    Permission Privileges
rdm:permissions        READ, CREATE, UPDATE, DELETE

Step 1: Define RBAC roles and assign permissions

Use the Permissions API to define roles within your RDM tenant.

Assign specific permissions to each role, specifying what actions (Create, Read, Update, Delete) are allowed for different lookup types.
Note: Define both the Create and Update permissions to enable RBAC for roles with editing privileges for RDM Lookup types and/or lookup values.
For example, grant read-only access to all lookup types and lookup values in the RDM tenant to the role ROLE_RDM_READ:
POST https://{rdm-service-url}/permissions/{tenantId}
{
    "tenantId": "rdm_tenant_id",
    "configuration": [
        {
            "uri": "rdm/lookupTypes",
            "permissions": [
                {
                    "role": "ROLE_RDM_READ",
                    "access": ["READ"]
                }
            ]
        }
    ]
}
Or grant full access to lookup values of the PaymentMethod lookup type to the role ROLE_RDM_FINANCE:
POST https://{rdm-service-url}/permissions/{tenantId}
{
    "tenantId": "rdm_tenant_id",
    "configuration": [
        {
            "uri": "rdm/lookupTypes/PaymentMethod",
            "permissions": [
                {
                    "role": "ROLE_RDM_FINANCE",
                    "access": ["CREATE", "READ", "UPDATE", "DELETE"]
                }
            ]
        }
    ]
}

Step 2: Implement Filters

Use filters to control access to specific data based on conditions such as prefix or value.

For example, define a role with full access to lookup values of the EmployeeType lookup type, but only for values whose canonical codes start with 'US_':

POST https://{rdm-service-url}/permissions/{tenantId}
{
    "tenantId": "rdm_tenant_id",
    "configuration": [
        {
            "uri": "rdm/lookupTypes/EmployeeType",
            "permissions": [
                {
                    "role": "ROLE_RDM_HR",
                    "filter": "startsWith(code,'US_')",
                    "access": ["CREATE", "READ", "UPDATE", "DELETE"]
                }
            ]
        }
    ]
}

To understand the different types of filter criteria that can be defined for canonical codes, see the Search topic.
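To see how the URI, role, filter and access fields combine, the following added example (not Reltio code) evaluates the three permission bodies from Step 1 and Step 2 against a user's roles. Its semantics are an assumption modelled from the page: a grant on rdm/lookupTypes applies to every lookup type, a grant on rdm/lookupTypes/<Type> only to that type, grants are additive, a filter applies to every action it is attached to, and anything not granted is denied.

```python
import re

# Constructed sample: the three permission bodies from Step 1 and Step 2 merged
# into one tenant configuration.
RBAC_CONFIG = {
    "tenantId": "rdm_tenant_id",
    "configuration": [
        {"uri": "rdm/lookupTypes",
         "permissions": [{"role": "ROLE_RDM_READ", "access": ["READ"]}]},
        {"uri": "rdm/lookupTypes/PaymentMethod",
         "permissions": [{"role": "ROLE_RDM_FINANCE",
                          "access": ["CREATE", "READ", "UPDATE", "DELETE"]}]},
        {"uri": "rdm/lookupTypes/EmployeeType",
         "permissions": [{"role": "ROLE_RDM_HR",
                          "filter": "startsWith(code,'US_')",
                          "access": ["CREATE", "READ", "UPDATE", "DELETE"]}]},
    ],
}

# Only the filter form shown on the page is supported here.
_STARTS_WITH = re.compile(r"^startsWith\(code,'([^']*)'\)$")


def filter_matches(filter_expr, code):
    """Evaluate a permission filter against a canonical code.

    No filter means the grant applies to every value. A filter form this
    model does not understand is treated as not matching (fail closed;
    an assumption, not documented RDM behaviour).
    """
    if filter_expr is None:
        return True
    match = _STARTS_WITH.match(filter_expr)
    return bool(match) and code.startswith(match.group(1))


def is_allowed(config, roles, lookup_type, code, action):
    """Return True if any of the user's roles grants `action` on the value.

    Assumed semantics: tenant-wide (rdm/lookupTypes) and type-specific
    (rdm/lookupTypes/<Type>) entries both apply; no grant means denied.
    """
    type_uri = f"rdm/lookupTypes/{lookup_type}"
    for entry in config["configuration"]:
        if entry["uri"] not in ("rdm/lookupTypes", type_uri):
            continue  # entry is for a different lookup type
        for perm in entry["permissions"]:
            if perm["role"] in roles and action in perm["access"] \
                    and filter_matches(perm.get("filter"), code):
                return True
    return False
```

The read-only role can read any value but never update one, and the HR role's filter denies even READ on a non-US_ code, which is the behaviour to confirm in Step 3.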

Step 3: Test the Configuration

Ensure that the configuration works as expected by testing with different user roles to verify that the permissions are enforced correctly.

Use this endpoint to verify whether role-based access control is enabled on your RDM tenant.

GET https://{rdm-service-url}/permissions/{tenantId}

If the response is 200 and contains an RBAC configuration, then RBAC is configured for this RDM tenant.

Use the following endpoints to view the permissions that the current user has on lookup types and lookup values.

View available permissions to lookup types by executing Get RDM tenant configuration with the options=showAccess parameter.

GET https://{rdm-service-url}/configuration/{tenantId}?options=showAccess

View available permissions to lookup values by executing any of the lookup value endpoints with the options=showAccess parameter.

GET https://{rdm-service-url}/lookups/{tenantId}?options=showAccess

POST https://{rdm-service-url}/lookups/{tenantId}/_byUris?options=showAccess

POST https://{rdm-service-url}/lookups/{tenantId}/_dbscan?options=showAccess

View available permissions to unmapped values by executing any of the Unmapped values endpoints with the options=showAccess parameter.

GET https://{rdm-service-url}/unmapped/{tenantId}?options=showAccess

POST https://{rdm-service-url}/unmapped/{tenantId}/_byUris?options=showAccess

POST https://{rdm-service-url}/unmapped/{tenantId}/_dbscan?options=showAccess