Authorization
Learn about Reltio authorization, including users, groups, services, and roles.
Authentication confirms WHO is requesting access, while authorization confirms WHAT resources they are permitted to access and at what level. This security model manages access permissions by assigning access rights (WHO) and access privileges (WHAT) independently.
Here's how this applies at a high level to managing access to employee records by HR employees. When an HR employee tries to access employee records, the security model first authenticates them to ensure they are an HR employee and then authorizes them to access the records with only the privileges they've been granted: create, read, write, or update employee records.
-
access rights for users and groups
-
access rights to tenants
-
access privileges (CREATE, READ, UPDATE, DELETE, EXECUTE) to services and their resources
For a more specific example, to enable a user to monitor the status of periodic tasks, you'd create a role that provides the READ privilege for the monitoring resource in the MDM Monitoring service, assign that role to a specific user or group, and associate that role with one or more tenants.
This topic describes these underlying features of the Reltio permissions framework. The sub topics in this section identify the roles you can associate with tenants, users, and groups as well as the access privileges you can define for services and resources.
You may find it helpful to familiarize yourself with the common terms we use in this section. For details, see topic Terminology.
Users
-
Identification details: name, email, locale, time zone, and active status.
-
Authorization details: roles they've been assigned, tenants they have access rights for, and any groups they're a member of.
Use user accounts to provide access rights to a tenant and assign one or more roles to provide specific access privileges to a particular individual.
For information on creating and managing user accounts with the application, see topics Creating a New User Account and Managing User Accounts.
For information on creating and managing user accounts using the User Management, see topics Create Users and User Management API.
Groups
-
Identification details: name and description.
-
Authorization details: roles they've been assigned and the tenants they have access rights for.
Use a group to provide access rights to one or more tenants and assign one or more roles to provide specific access privileges to multiple users. An individual user account can belong to more than one group.
For more information on creating and managing group accounts with the Console User Management application, see topics Creating a New Group and Managing Groups.
For information on creating and managing user accounts using the Groups Management, see topics Create Groups and Groups Management API.
Tenants
A tenant is a virtual workspace that stores your organization's data in the Reltio Data Cloud. Reltio creates a tenant for your organization during implementation. Each Tenant has a unique identification number.
The permissions framework in the security model enables you to manage access to your tenants. You define which users and groups have access to a tenant. For example, you must provide access rights for users to access a tenant and permissions for performing specific tasks, such as deleting crosswalks.
To configure access to specific objects and attributes types in your Reltio tenant, you enable metadata security (this isn't configured when Reltio first creates a new tenant). To do thipply a permissions configuration (even an empty configuration) to the tenant. For more information, see topic Metadata Security.
For information on managing your tenant using theConsole Tenant Management application, see topic Tenant Management at a glance.
For information on managing your tenant using the Tenant Management, see topic Tenant-related APIs.
Services
A service is a collection of resources that provide specific features and functionalities in the Reltio Data Cloud. Each service has a name, and its resources and sub resources each have a unique ID which enables you to manage access permissions to that level.
For information on managing your tenant using the Services Management, see topic Services Management API.
Roles
A role identifies access privileges for one or more services and its resources or sub resources.
- CREATE
- READ
- UPDATE
- DELETE
- EXECUTE
Assign one or more roles to a user or group account to manage its access privileges for those services and associate each role with one or more Reltio tenants to grant the user/group access rights.
- System roles:
- Reltio provides and maintains system roles. These default roles can provide access privileges for a single service or for a combination of services. You can assign but not edit these predefined roles. For more information, see topic System roles.
- Custom roles:
- You can create and manage your own custom roles to provide access permissions to meet your organization's needs. For more information, see topic Custom roles.
For information about creating and managing roles with the Console User Management application, see topics Creating a new Role and Managing Role Definitions.
For information about creating and managing roles with the Permissions Management, see topic Permissions Management API.