Set up role-based access control for RDM
Learn how Role-based access control in RDM adds a layer of security beyond Reltio API Permissions, enabling controlled data access within RDM tenants.
Reltio API Permissions
To execute RDM service endpoints, users must have appropriate privileges for the API resource rdm:permissions.
Users with roles ROLE_ADMIN or ROLE_ADMIN_TENANT already have these permissions and do not require to set them explicitly.
| Permission Resource | Permission Privileges |
|---|---|
rdm:permissions |
|
Step 1: Define RBAC roles and assign permissions
Use the Permissions API to define roles within your RDM tenant.
Assign specific permissions to each role, specifying what actions (Create, Read, Update, Delete) are allowed for different lookup types.
PaymentMethod lookup types to the role ROLE_RDM_FINANCE:POST https://{rdm-service-url}/permissions/{tenantId}
{
"tenantId": "rdm_tenant_id",
"configuration": [
{
"uri": "rdm/lookupTypes/PaymentMethod",
"permissions": [
{
"role": "ROLE_RDM_FINANCE",
"access": ["CREATE", "READ", "UPDATE", "DELETE"]
}
]
}
]
}
Step 2: Implement Filters
Use filters to control access to specific data based on conditions such as prefix or value.
For example: Define a role with full access to lookup values for EmployeeType lookup types, but only for those with canonical codes starting with 'US_'
POST https://{rdm-service-url}/permissions/{tenantId}
{
"tenantId": "rdm_tenant_id",
"configuration": [
{
"uri": "rdm/lookupTypes/EmployeeType",
"permissions": [
{
"role": "ROLE_RDM_HR",
"filter": "startsWith(code,'US_')",
"access": ["CREATE", "READ", "UPDATE", "DELETE"]
}
]
}
]
}
To understand the different types of filter criteria that can be defined for canonical codes, see topic Search.
Step 3: Test the Configuration
Ensure that the configuration works as expected by testing with different user roles to verify that the permissions are enforced correctly.
Use this endpoint to verify if role-based access control is enabled on your RDM tenant.
GET https://{rdm-service-url}/permissions/{tenantId}If the response is 200 and contains an RBAC configuration, then RBAC is configured for this RDM tenant.
Use this endpoint to view permissions for the lookup type of the current user.
View available permissions to lookup types by executing Get RDM tenant configuration with the options=showAccess parameter.
GET https://{rdm-service-url}/configuration/{tenantId}?options=showAccessView available permissions to lookup values by executing any of the lookup value endpoints with the options=showAccess parameter.
GET https://{rdm-service-url}/lookups/{tenantId}?options=showAccess
POST https://{rdm-service-url}/lookups/{tenantId}/_byUris?options=showAccess
POST https://{rdm-service-url}/lookups/{tenantId}/_dbscan?options=showAccess
View available permissions to unmapped values by executing Unmapped values endpoints with options=showAccess parameter.
GET https://{rdm-service-url}/unmapped/{tenantId}?options=showAccess
POST https://{rdm-service-url}/unmapped/{tenantId}/_byUris?options=showAccess
POST https://{rdm-service-url}/unmapped/{tenantId}/_dbscan?options=showAccess