Table of Contents

Search

  1. Preface
  2. Introduction
  3. Configuring the Data Director Application
  4. Establishing a Root Node
  5. Defining the Business Entity Model
  6. Configuring Business Entity Properties
  7. Configuring Reference Entity Properties
  8. Transforming Business Entities and Views
  9. Configuring Hierarchy and Network Relationships
  10. Creating Match Rule Sets
  11. Configuring Search
  12. Configuring Tasks
  13. Configuring Security and Data Filters for Business Entities
  14. Configuring the Content Security Policy
  15. Integrating Data as a Service
  16. Configuring External Calls
  17. Designing the Data Director User Interface
  18. Localizing Data Director
  19. Appendix A: Provisioning Tool Frequently Asked Questions

Field Filter Rules and User Roles

Field Filter Rules and User Roles

When you create a field filter for a business entity, the records that a user can see are constrained by the rules in the field filter and the assigned user role.
Before you create field filters, decide how you want to manage rules. You can define rules in terms of who is denied access, who is allowed access, or both. Familiarize yourself with the behaviors of each approach and create an overall plan. For maintenance purposes, it can be more straightforward to use only one type of rule.
Avoid creating an excessive number of field filters. The more filters, the longer it takes to process API requests. If you have performance issues after adding field filters, consider reducing the number of field filters.

Deny rules only

Deny rules are joined by a logical OR operator. If you create at least one deny rule, you must also fill in the Remaining Values rule in the Deny section. If the Remaining Values rule is empty, and records contain a value that is not covered by the other rules, users can see the records with the other values.
If you define only deny rules for a field filter, the following behaviors apply:
  • When a user role is not assigned to any deny rules, the user can see any record.
  • When a user role is assigned to all the deny rules, the user cannot see any record.
  • When a user role is assigned to one deny rule, and a record satisfies the rule, the user cannot see the record.
  • When a user role is assigned to multiple deny rules, and a record satisfies
    any
    of the rules, the user cannot see the record.
  • When a user role is not assigned to any deny rules, but one or more deny rules have the
    Apply this rule
    option selected, and a record satisfies any of these rules, the user cannot see the record.

Allow rules only

Allow rules are joined by a logical AND operator. If you create at least one allow rule, you must also fill in the Remaining Values rule in the Allow section. If the Remaining Values rule is empty, and records contain a value that is not covered by the other rules, users cannot see the records with the other values.
If you define only allow rules for a field filter, the following behaviors apply:
  • When a user role is not assigned to any allow rules, the user cannot see any record.
  • When a user role is assigned to all the allow rules, the user can see any record.
  • When a user role is assigned to one allow rule, and a record satisfies the rule, the user can see the record.
  • When a user role is assigned to multiple allow rules, and a record satisfies
    all
    the rules, the user can see the record.
  • When a user role is assigned to multiple allow rules, and a record does not satisfy all the rules, the user cannot see the record.
  • When a user role is not assigned to any allow rules but one or more allow rules have the
    Apply this rule
    option selected, and a record satisfies all of these rules, the user can see the record.

Both deny and allow rules

If you define both deny rules and allow rules for a field filter, the following behaviors apply:
  • If a user role is not assigned to any deny rules or allow rules, the user cannot see any records.
  • If a user role is assigned to one or more deny and allow rules, and a record satisfies any of the deny rules, the allow rules are ignored and the user cannot see the record.
  • If a record does not satisfy a deny rule, the allow rules are processed as described in the
    Allow rules only
    section.

Multiple field filters exist for the same business entity

When a user role is assigned to more than one field filter, the following behaviors apply:
  • If a record satisfies a deny rule in any of the field filters, the user cannot see the record. If an allow rule is assigned to the same user role, the allow rule is ignored.
  • If a record does not satisfy any deny rules, the allow rules are processed as described in the
    Allow rules only
    section.

0 COMMENTS

We’d like to hear from you!