Configuring Policy Permissions
Overview of configuring policy permissions.
Policy Permissions define how your end users will interact with sensitive data. Permissions specify if the members of a Role have the ability to protect or unprotect a given Data Element. Permissions govern the format of data to return for authorized and unauthorized unprotect operations.
Permissions can be set using the ESA Web UI or the Policy Management API.
Available Permissions vary depending on whether the Policy is Structured or Unstructured.
For Structured Policies, the following Permissions are configurable for each Data Element:
- Unprotect: Allows Role members to unprotect data.
- Protect: Allows Role members to protect data.
- Reprotect: Allows Role members to reprotect data.
Note: From 10.1.0, if you have selected the HMAC-SHA256 data elements, then only the Protect option is enabled. The other options, such as, Reprotect and Unprotect are grayed out.
For Unstructured Policies, the following Permissions are configurable for each Data Element:
- Unprotect Content: Allows Role members to unprotect data.
- Protect Content: Allows Role members to protect data.
- Reprotect Content: Allows Role members to reprotect data.
- Create Object: Allows Role members to create a file or directory.
- Admin Permissions: Allows Role members to add or remove protection.
Access and No-Access Operations
You can control the data output during unprotect operations:
- For authorized unprotect operations, you can decide to return the data in the clear or with an applied Mask.
- For unauthorized unprotect operations, you can decide to return the data in its protected form if it is available, as null, or generate an error.
The following table specifies the behavior during Unprotect operations.
| No-Access Operation | Permission Description |
|---|
| Null | A null value is returned when the user tries to access the data. |
| Protected Value | The tokenized or encrypted value is returned when the user tries to access the data. |
| Exception | An exception is returned when the user tries to access the data. |
Note: Masks can only be applied during unprotect operations.
For more information about how no-access operations work for users in multiple roles, refer to the section No-Access Operations for Users in Multiple Roles.
You can also set permissions or rules using the Policy Management API.
Setting Default Permissions for a Policy
By default, every new Policy is created with most restrictive permissions, disallowing all operations for Policy members. Changes to Permissions will have to be made on a granular level, by modifying Data Element Permissions or Role Permissions.
To set default permissions for a policy:
On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Policies.
The list of all the policies appear.
Select the required policy.
The screen to edit the policy appears.
Click the Permissions tab.
- Select the required permissions.
- Click Save.
The permissions are set for the policy. The default Permissions are inherited by every new Role added to the Policy. Roles added before the Permission change are not modified.
Modifying Data Element Permissions
You can modify Permissions of Roles for each individual Data Element. The new Permissions override the default Permission configuration.
To customize permissions for each data element:
On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Policies.
The list of all the policies appear.
Select the required policy.
The screen to edit the policy appears.
Click the Data Elements tab.
Click Edit Permissions.
The Permissions screen appears.
Select the required permissions.
You can choose the Permissions of each Policy Role on the Data Element you are modifying.
Note: If you are using masks with any data element, then ensure that masks are created before editing permissions.
Click Save.
A message Permissions have been updated successfully appears.
Note: The customized permissions, if any, override the default permissions for any policy.
Modifying Role Permissions
You can modify Permissions over Data Elements for each individual Role. The new Permissions will override the default Permission configuration.
To customize permissions for each role:
On the ESA Web UI, navigate to Policy Management> Policies & Trusted Applications> Policies.
The list of all the policies appear.
Select the policy.
The screen to edit the policy appears.
Click the Roles tab.
Click Edit Permissions.
The Permissions screen appears.
Select the permissions.
You can choose the Permissions of each Policy Data Element for the Role you are modifying.
Click Save.
A message Permissions have been updated successfully appears.
1 - Permission Conflicts
Conflict scenarios and resolutions.
Policy users can be assigned to multiple roles with different Data Element permission settings. This section guides you through conflict resolution applied by the software. As a general rule, the least restrictive permissions are applied. If the conflict is unsolvable, access may be revoked. If multiple policies exist in one data store, then the effective merged policies and merged role permissions are applied when the Data Store is deployed.
Masking Conflicts
In case of Masking conflicts, the general rule of applying least restrictive permission is typically applied, with some exceptions.
Study the following table to understand all possible conflict permutations and their outputs. In this table, User U1 with a policy P is associated with roles R1, R2, and R3. The user is also connected with the data element DE1 containing Left and Right masks, and output formats.
| R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | Left: 1, Right: 2 |
|
| R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | Left: 1, Right: 2 |
| R2 | U1 | DE1 | MASK | Left: 1, Right: 2 |
|
| R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | There is conflict in the mask
settings (Left, Right) and thus, the Unprotect access is revoked
with NULL as the output. |
| R2 | U1 | DE1 | MASK | Left: 0, Right: 5 |
|
| R1 | U1 | DE1 | MASK | Left: 1, Right: 2 with mask character
‘*’ | There is conflict in the mask
character settings and thus, the Unprotect access is revoked with
NULL as the output. |
| R2 | U1 | DE1 | MASK | Left: 1, Right: 2 with mask character
‘/’ |
|
| R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | There is conflict in the mask
settings (Left, Right) and thus, the Unprotect access is revoked
with NULL as the output. |
| R2 | U1 | DE1 | MASK | Left: 1, Right: 2 |
| R3 | U1 | DE1 | MASK | Left: 0, Right: 5 |
|
| R1 | U1 | DE1 | MASK | Left: 1, Right: 1 with masked mode | There is conflict in the mask
settings and thus, the Unprotect access is revoked with NULL as
the output. For example: If the value 12345 is masked with
Left: 1, Right: 1 settings in masked mode,
then it results in *234*. If the value 12345 is masked with
Left: 1, Right: 1 settings in clear mode,
then it results in 1***5. As the resultant values are
conflicting, the Unprotect access is revoked with NULL as the
output. |
| R2 | U1 | DE1 | MASK | Left: 1, Right: 1 with clear mode |
|
| R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | There is conflict in the output
formats. The resultant output is most permissive, which is
CLEAR. |
| R2 | U1 | DE1 | CLEAR | |
|
| R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | There is conflict in the output
formats due to conflicting MASK settings. However, with the CLEAR
setting applicable in the order of access as per the role R3, the
resultant output is most permissive. In this case, it is
CLEAR. |
| R2 | U1 | DE2 | MASK | Left: 0, Right: 5 |
| R3 | U1 | DE3 | CLEAR | |
Unprotect Permission Conflicts
Unprotect Permissions may be set to authorized or unauthorized. In the case of authorized access, the data can be returned as masked or in the clear. In the case of unauthorized access, the output may be set to null, exception, or protected string, if available for the specific Data Element.
In case of Authorized and Unauthorized Unprotect Permissions conflicts, the general rule of applying least restrictive permission is always applied. Study the following table to understand all possible conflict permutations and their outputs.
| 1 | R1 | U1 | DE1 | | MASK | Left: 1, Right: 2 | There is conflict in the output
formats. If one of the roles has access, then the output format is
used. The resultant output is most permissive, which is
MASK. |
| R2 | U1 | DE1 | NULL | | |
| 2 | R1 | U1 | DE1 | | MASK | Left: 1, Right: 2 |
| R2 | U1 | DE1 | Protected | | |
| 3 | R1 | U1 | DE1 | | MASK | Left: 1, Right: 2 |
| R2 | U1 | DE1 | Exception | | |
| 4 | R1 | U1 | DE1 | | CLEAR | | If one of the roles has access,
then the output format is used. The resultant output is most
permissive, which is CLEAR. |
| R2 | U1 | DE1 | NULL | | |
| 5 | R1 | U1 | DE1 | | CLEAR | |
| R2 | U1 | DE1 | Protected | | |
| 6 | R1 | U1 | DE1 | | CLEAR | |
| R2 | U1 | DE1 | Exception | | |
No-Access Operations for Users in Multiple Roles
In case of Unauthorized Unprotect Permissions conflicts, the general rule of applying least restrictive permission is always applied. Study the following below to understand all possible conflict permutations and their outputs.
| No-Access Operation 1 | No-Access Operation 2 | Resultant Permission on the Protector |
|---|
| Protected | NULL | Protected |
| Protected | EXCEPTION | Protected |
| Protected | Mask | Mask |
| Protected | Clear | Clear |
| NULL | EXCEPTION | EXCEPTION |
| NULL | Mask | Mask |
| NULL | Clear | Clear |
| EXCEPTION | Mask | Mask |
| EXCEPTION | Clear | Clear |
1.1 - Inheriting Permissions
Special case of inheriting permissions across roles.
A special case exists when a user is present in multiple roles, this creates a conflict. This section provides information about how the software resolves this conflict. As a general rule, the software applies the most restrictive permissions.
Typically, when a policy user is assigned a role that does not have a specific data element associated with the role, then the user cannot use the data element for performing security operations. If the user tries to use the data element, then an error is generated.
However, consider a policy where you have created a default role that is applicable to all users. You associate a specific data element with this default role. In this case, the policy user, who is included in another role that is not associated with the specific data element, inherits the permissions for this data element from the default role. This scenario is applicable only if the users are a part of the same policy or a part of multiple policies that are applied to the same data store.
Scenario:
Policy 1 contains the role R1, which is assigned to the user U1. The role R1 is associated with a data element DE1, which has the permissions Unprotect, Protect, and Reprotect. The user U1 can unprotect, protect, and reprotect the data using the data element DE1.
Policy 2 contains the role R2, which is assigned to the user U2. The role R2 is associated with a data element DE2. which has the permissions Unprotect, Protect, and Reprotect. The user U2 can unprotect, protect, and reprotect the data using the data element DE2.
Policy P3 contains the role R3, which is applicable to all the users. The role R3 role is associated with two data elements DE1 and DE2. Both the data elements have the Unprotect permissions associated with it.
Note: The ALL USERS denotes a default role which is applicable to all the users. To enable the default role, click the Applicable to all the members toggle button on the ESA web UI. For more information about Applicable to all the members, refer to the section Roles.
Use Case 1
The Use Case 1 table demonstrates that roles R1 and R2 have an indirect relationship with data elements DE1 and DE2. The roles are part of different policies that are deployed to the same data store. As a result, the roles R1 and R2 have inherited the permission of the default role for data elements DE1 and DE2.
Table 1. Use Case 1
| P1 | R1 | U1 | DE1 | URP | U1 | DE1 | URP |
| DE2 | U |
| P2 | R2 | U2 | DE2 | URP | U2 | DE1 | U |
| DE2 | URP |
| P3 | R3 | ALL USERS | DE1 | U | ALL USERS | DE1 | U |
| DE2 | U | DE2 | U |
The Unprotect permission is highlighted in bold in the Protector side permissions after deploying the policy column. This Unprotect permission indicates that it has been inherited from the role R3, which is applicable to the data elements DE1 and DE2 for all the users.
Use Case 2
The Use Case 2 table demonstrates that if roles R1 and R2 have a direct relationship with data elements DE1 and DE2, then they will not inherit the permissions of the default role.
Table 2. Use Case 2
| P1 | R1 | U1 | DE1 | URP | U1 | DE1 | URP |
| DE2 | - | DE2 | - |
| R3 | ALL USERS | DE1 | U | U2 | DE1 | - |
| DE2 | U | DE2 | URP |
| P2 | R2 | U2 | DE1 | - | ALL USERS | DE1 | UR |
| DE2 | URP |
| P3 | R4 | ALL USERS | DE1 | R | DE2 | UR |
| DE2 | R |
Use Case 3
The Use Case 3 table demonstrates that if roles R1 and R2 have a direct relationship with data elements DE1 and DE2, then they will not inherit the permissions of the default role.
Table 3. Use Case 3
| P1 | R1 | U1 | DE1 | URP | U1 | DE1 | URP |
| DE2 | - | DE2 | - |
| R2 | U2 | DE1 | - | U2 | DE1 | - |
| DE2 | URP | DE2 | URP |
| R3 | ALL USERS | DE1 | U | ALL USERS | DE1 | UR |
| DE2 | U |
| R4 | ALL USERS | DE1 | R | DE2 | UR |
| DE2 | R |
Use Case 4
The Use Case 4 table demonstrates that as role R2 has an indirect relationship with data element DE1, it has inherited the permissions of the default role. The role R1 has a direct relationship with data element DE1, and it have not inherited the permissions of the default role.
Table 4. Use Case 4
| P1 | R1 | U1 | DE1 | - | U1 | DE1 | - |
| DE2 | - |
| R3 | ALL USERS | DE1 | U | U2 | DE1 | U |
| DE2 | URP |
| P2 | R2 | U2 | DE2 | URP | ALL USERS | DE1 | U |
| DE2 | - |
The Unprotect permission is highlighted in bold in the Protector side permissions after deploying the policy column. This Unprotect permission indicates that it has been inherited from the role R3, which is applicable to the data element DE1 for all the users.
Use Case 5
The Use Case 5 table demonstrates that Role R1 has inherited the permissions of the default role for the data element DE2.
Table 5. Use Case 5
| P1 | R1 | U1 | DE1 | URP | U1 | DE1 | URP |
| DE2 | UP |
| P2 | R3 | ALL USERS | DE2 | U | ALL USERS | DE1 | - |
| P3 | R4 | ALL USERS | DE2 | P | DE2 | UP |
The resultant permissions are highlighted in bold in the Protector side permissions after deploying the policy column. These permissions indicate that they have been inherited from the roles R3 and R4, which are applicable to the data element DE2 for all the users.
Use Case 6
The Use Case 6 table demonstrates that role R1 will inherit the permissions of the default role for the data element DE2.
Table 6. Use Case 6
| P1 | R1 | U1 | DE1 | U | U1 | DE1 | UP |
| DE2 | URP |
| P2 | R5 | U1 | DE1 | P | ALL USERS | DE1 | - |
| P3 | R3 | ALL USERS | DE2 | URP | DE2 | URP |
The resultant permissions are highlighted in bold in the Protector side permissions after deploying the policy column. These permissions indicate the permissions that have been inherited from the role R3, which is applicable to the data element DE2 for all the users.
Use Case 7
In Use Case 7 table, role R1 is related to data element DE1 in policy P1 and and role R3 is related to data element DE1 in policy P3. In this case, roles R1 and R3 will not inherit the permissions of the default role.
Table 7. Use Case 7
| P1 | R1 | U1 | DE1 | U | U1 | DE1 | U |
| DE2 | - |
| P2 | R1 | U1 | DE2 | - | ALL USERS | DE1 | URP |
| P3 | R3 | ALL USERS | DE1 | URP | DE2 | - |