Inheriting Permissions
Special case of inheriting permissions across roles.
Policy users can be assigned to multiple roles with different Data Element permission settings. This section explains how the software resolves the resulting conflicts. As a general rule, the least restrictive permission is applied. If a conflict cannot be resolved, access may be revoked. If multiple policies exist in one data store, the effective merged policies and merged role permissions are applied when the Data Store is deployed.
For masking conflicts, the general rule of applying the least restrictive permission usually holds, with some exceptions.
Study the following table to understand all possible conflict permutations and their outputs. In this table, user U1 with policy P is assigned to roles R1, R2, and R3. The user also has access to data element DE1, for which Left and Right mask settings and output formats are configured.
| Sr. No. | Role | User | Data Element | Output Format | Mask Settings | Resultant Output |
|---|---|---|---|---|---|---|
| 1 | R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | Left: 1, Right: 2 |
| 2 | R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | Left: 1, Right: 2 |
| | R2 | U1 | DE1 | MASK | Left: 1, Right: 2 | |
| 3 | R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | There is a conflict in the mask settings (Left, Right), so the Unprotect access is revoked and NULL is returned. |
| | R2 | U1 | DE1 | MASK | Left: 0, Right: 5 | |
| 4 | R1 | U1 | DE1 | MASK | Left: 1, Right: 2 with mask character ‘*’ | There is a conflict in the mask character settings, so the Unprotect access is revoked and NULL is returned. |
| | R2 | U1 | DE1 | MASK | Left: 1, Right: 2 with mask character ‘/’ | |
| 5 | R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | There is a conflict in the mask settings (Left, Right), so the Unprotect access is revoked and NULL is returned. |
| | R2 | U1 | DE1 | MASK | Left: 1, Right: 2 | |
| | R3 | U1 | DE1 | MASK | Left: 0, Right: 5 | |
| 6 | R1 | U1 | DE1 | MASK | Left: 1, Right: 1 with masked mode | There is a conflict in the mask settings, so the Unprotect access is revoked and NULL is returned. For example, if the value 12345 is masked with Left: 1, Right: 1 in masked mode, the result is `*234*`; if the same value is masked with Left: 1, Right: 1 in clear mode, the result is `1***5`. Because the resultant values conflict, the Unprotect access is revoked and NULL is returned. |
| | R2 | U1 | DE1 | MASK | Left: 1, Right: 1 with clear mode | |
| 7 | R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | There is a conflict in the output formats. The resultant output is the most permissive, which is CLEAR. |
| | R2 | U1 | DE1 | CLEAR | | |
| 8 | R1 | U1 | DE1 | MASK | Left: 1, Right: 2 | There is a conflict in the output formats due to conflicting MASK settings. However, with the CLEAR setting applicable in the order of access as per role R3, the resultant output is the most permissive. In this case, it is CLEAR. |
| | R2 | U1 | DE2 | MASK | Left: 0, Right: 5 | |
| | R3 | U1 | DE3 | CLEAR | | |
Unprotect permissions may be set to authorized or unauthorized. For authorized access, the data can be returned masked or in the clear. For unauthorized access, the output may be set to null, exception, or protected string, if available for the specific Data Element.
When authorized and unauthorized Unprotect permissions conflict, the general rule of applying the least restrictive permission is always applied. Study the following table to understand all possible conflict permutations and their outputs.
| Sr. No. | Role | User | Data Element | No Access Operation | Output Format | Mask Settings | Resultant Output |
|---|---|---|---|---|---|---|---|
| 1 | R1 | U1 | DE1 | | MASK | Left: 1, Right: 2 | There is a conflict in the output formats. If one of the roles has access, then that role's output format is used. The resultant output is the most permissive, which is MASK. |
| | R2 | U1 | DE1 | NULL | | | |
| 2 | R1 | U1 | DE1 | | MASK | Left: 1, Right: 2 | Same as 1: MASK. |
| | R2 | U1 | DE1 | Protected | | | |
| 3 | R1 | U1 | DE1 | | MASK | Left: 1, Right: 2 | Same as 1: MASK. |
| | R2 | U1 | DE1 | Exception | | | |
| 4 | R1 | U1 | DE1 | | CLEAR | | If one of the roles has access, then that role's output format is used. The resultant output is the most permissive, which is CLEAR. |
| | R2 | U1 | DE1 | NULL | | | |
| 5 | R1 | U1 | DE1 | | CLEAR | | Same as 4: CLEAR. |
| | R2 | U1 | DE1 | Protected | | | |
| 6 | R1 | U1 | DE1 | | CLEAR | | Same as 4: CLEAR. |
| | R2 | U1 | DE1 | Exception | | | |
When only unauthorized Unprotect permissions conflict, the general rule of applying the least restrictive permission is always applied. Study the following table to understand all possible conflict permutations and their outputs.
| No Access Permission 1 | No Access Permission 2 | Resultant Permission on the Protector |
|---|---|---|
| Protected | NULL | Protected |
| Protected | EXCEPTION | Protected |
| Protected | Mask | Mask |
| Protected | Clear | Clear |
| NULL | EXCEPTION | EXCEPTION |
| NULL | Mask | Mask |
| NULL | Clear | Clear |
| EXCEPTION | Mask | Mask |
| EXCEPTION | Clear | Clear |
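The three tables above describe a single merge procedure. The following Python model is added here as an illustration and is not part of the product or its documentation; `RolePerm`, `apply_mask`, `merge` and `unprotect` are hypothetical names. It encodes the no-access ordering from the last table (NULL below EXCEPTION below Protected), the rule that any authorized role's format is used, CLEAR over MASK, and the revoke-to-NULL outcome when MASK settings disagree, and it reproduces the 12345 masked-mode versus clear-mode example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Least restrictive no-access output wins, read off the last table above:
# NULL < EXCEPTION < Protected (Mask and Clear are authorized formats).
NO_ACCESS_RANK = {"NULL": 0, "EXCEPTION": 1, "Protected": 2}
AUTHORIZED = ("MASK", "CLEAR")


@dataclass(frozen=True)
class RolePerm:
    """One role's Unprotect permission on a data element (hypothetical model)."""
    output: str                # "MASK", "CLEAR", or a no-access value above
    left: int = 0              # positions counted from the left
    right: int = 0             # positions counted from the right
    mask_char: str = "*"
    masked_mode: bool = False  # True: Left/Right are masked; False: they stay clear


def apply_mask(value: str, p: RolePerm) -> str:
    """Mask as in the table's example: 12345 -> *234* (masked) or 1***5 (clear)."""
    n = len(value)
    if p.masked_mode:
        return p.mask_char * p.left + value[p.left:n - p.right] + p.mask_char * p.right
    return value[:p.left] + p.mask_char * (n - p.left - p.right) + value[n - p.right:]


def merge(perms: List[RolePerm]) -> str:
    """Effective format across roles: "CLEAR", "MASK", a no-access value, or "NULL" on revoke."""
    authorized = [p for p in perms if p.output in AUTHORIZED]
    if not authorized:
        # Only unauthorized roles: the least restrictive no-access output applies.
        return max((p.output for p in perms), key=NO_ACCESS_RANK.__getitem__)
    if any(p.output == "CLEAR" for p in authorized):
        return "CLEAR"  # CLEAR is the most permissive authorized format
    # Every authorized role says MASK: Left, Right, character and mode must all agree.
    settings = {(p.left, p.right, p.mask_char, p.masked_mode) for p in authorized}
    return "MASK" if len(settings) == 1 else "NULL"


def unprotect(value: str, perms: List[RolePerm]) -> Optional[str]:
    """Apply the merged decision to one value; None models a NULL result."""
    fmt = merge(perms)
    if fmt == "CLEAR":
        return value
    if fmt == "MASK":
        return apply_mask(value, next(p for p in perms if p.output == "MASK"))
    return None  # NULL, EXCEPTION or Protected: no clear-text value is returned
```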