Permission Conflicts
Conflict scenarios and resolutions.
Configuring Policy Permissions
Overview of configuring policy permissions.
Policy Permissions define how your end users will interact with sensitive data. Permissions specify if the members of a Role have the ability to protect or unprotect a given Data Element. Permissions govern the format of data to return for authorized and unauthorized unprotect operations.
Permissions can be set using the ESA Web UI or the Policy Management API.
Available Permissions vary depending on whether the Policy is Structured or Unstructured.
For Structured Policies, the following Permissions are configurable for each Data Element:
- Unprotect: Allows Role members to unprotect data.
- Protect: Allows Role members to protect data.
- Reprotect: Allows Role members to reprotect data.
Note: From 10.1.0, if you have selected the HMAC-SHA256 data elements, then only the Protect option is enabled. The other options, such as, Reprotect and Unprotect are grayed out.
For Unstructured Policies, the following Permissions are configurable for each Data Element:
- Unprotect Content: Allows Role members to unprotect data.
- Protect Content: Allows Role members to protect data.
- Reprotect Content: Allows Role members to reprotect data.
- Create Object: Allows Role members to create a file or directory.
- Admin Permissions: Allows Role members to add or remove protection.
Access and No Access Permissions
You can control the data output during unprotect operations:
- For authorized unprotect operations, you can decide to return the data in the clear or with an applied Mask.
- For unauthorized unprotect operations, you can decide to return the data in its protected form if it is available, as null, or generate an error.
The following table specifies the behavior during Unprotect operations.
| No Access Permission | Permission Description |
|---|---|
| Null | A null value is returned when the user tries to access the data. |
| Protected Value | The tokenized or encrypted value is returned when the user tries to access the data. |
| Exception | An exception is returned when the user tries to access the data. |
Note: Masks can only be applied during unprotect operations.
For more information about how no-access permissions work for users in multiple roles, refer to the section No Access Permissions for Users in Multiple Roles.
You can also set permissions or rules using the Policy Management API.
Setting Default Permissions for a Policy
By default, every new Policy is created with most restrictive permissions, disallowing all operations for Policy members. Changes to Permissions will have to be made on a granular level, by modifying Data Element Permissions or Role Permissions.
To set default permissions for a policy:
On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Policies.
The list of all the policies appear.
Select the required policy.
The screen to edit the policy appears.
Click the Permissions tab.
- Select the required permissions.
- Click Save.
The permissions are set for the policy. The default Permissions are inherited by every new Role added to the Policy. Roles added before the Permission change are not modified.
Modifying Data Element Permissions
You can modify Permissions of Roles for each individual Data Element. The new Permissions override the default Permission configuration.
To customize permissions for each data element:
On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Policies.
The list of all the policies appear.
Select the required policy.
The screen to edit the policy appears.
Click the Data Elements tab.
Click Edit Permissions.
The Permissions screen appears.
Select the required permissions.
You can choose the Permissions of each Policy Role on the Data Element you are modifying.
Note: If you are using masks with any data element, then ensure that masks are created before editing permissions.
Click Save.
A message Permissions have been updated successfully appears.
Note: The customized permissions, if any, override the default permissions for any policy.
Modifying Role Permissions
You can modify Permissions over Data Elements for each individual Role. The new Permissions will override the default Permission configuration.
To customize permissions for each role:
On the ESA Web UI, navigate to Policy Management> Policies & Trusted Applications> Policies.
The list of all the policies appear.
Select the policy.
The screen to edit the policy appears.
Click the Roles tab.
Click Edit Permissions.
The Permissions screen appears.
Select the permissions.
You can choose the Permissions of each Policy Data Element for the Role you are modifying.
Click Save.
A message Permissions have been updated successfully appears.
Feedback
Was this page helpful?