Adding Permissions to Policy
Permissions restrict access to sensitive data. Use the Policy Management Web UI or the DevOps API to add permissions to a policy.
Using the policy permissions, the system determines what is returned to a user who wants to view protected data. If the user has the appropriate permissions, then the data is decrypted or detokenized. If permission is denied, then a NULL value is returned by default. Depending on your data element and policy settings, the system can instead return a no-access value (such as Exception or Protected value). The permissions are always defined in the context of a role and a data element.
You can set a no-access value, such as Exception or Protected value, by editing the permission settings for a role or a data element.
For more information about editing the permission settings of a role or data element, refer to Customizing Permissions for Data Elements in a Policy or Customizing Permissions for Roles in a Policy.
The following table describes the different permissions that you can set for structured data.
Permission | Options | Permission Description |
---|---|---|
Content | Unprotect | Allow members to get protected data in cleartext. |
| Protect | Allow members to add and protect the data. Note: From 10.0.x, if you have selected the HMAC-SHA256 data elements, then only the Protect option is enabled. The other options, such as Reprotect and Unprotect, are grayed out. |
| Reprotect | Allow members to reprotect the protected data with a new data element. |
The following table describes the permissions that you can set for unstructured data. These permissions are only applicable for File Protector.
Permission | Options | Permission Description |
---|---|---|
Content | Unprotect | Allow members to get protected data in cleartext. |
| Protect | Allow members to add data and protect it as needed. |
| Reprotect | Allow members to reprotect the protected data with a new data element. |
Object | Create | Allow members to create a file or directory. |
Admin Permissions | Manage Protection | Allow members to add or remove protection. |
You can also set permissions or rules using the Policy Management REST API.
Setting Default Permissions for a Policy
This section describes the steps to set the default permissions for a policy.
To set default permissions for a policy:
On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Policies.
The list of all the policies appears.
Select the required policy.
The screen to edit the policy appears.
Click the Permissions tab.
The following screen appears.

Select the required permissions.
For more information about the permissions, refer to the tables Permissions for Structured Data and Permissions for Unstructured Data.
Click Save.
The permissions are set for the policy.
Customizing Permissions for Data Elements in a Policy
You can edit the permissions for an individual data element. When you edit the permissions for a data element, then you change the permissions for the roles associated with the data element.
To customize permissions for a data element in a policy:
On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Policies.
The list of all the policies appears.
Select the required policy.
The screen to edit the policy appears.
Click the Data Elements tab.
Click Edit Permissions.
The screen to update the permissions for the role appears.
Select the required permissions.
Note: If you are using masks with any data element, then ensure that masks are created before editing permissions.
Click Save.
A message "Permissions have been updated successfully" appears.
Note: The customized permissions, if any, override the default permissions for any policy.
Customizing Permissions for Roles in a Policy
You can edit the permissions for individual roles. When you edit the permissions for a role, then you change the permissions for the data elements associated with the role.
To customize permissions for a role in a policy:
On the ESA Web UI, navigate to Policy Management > Policies & Trusted Applications > Policies.
The list of all the policies appears.
Select the policy.
The screen to edit the policy appears.
Click the Roles tab.
Click Edit Permissions.
The screen to update the permissions for the role appears.
Select the permissions.
Click Save.
A message "Permissions have been updated successfully" appears.
Note: The customized permissions, if any, override the default permissions for any policy.
Policy users can be assigned to multiple roles with different data element permission settings. In this scenario, the resultant access settings applicable for that user are the least restrictive permissions derived from the data element - parent role association.
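The override rule and the least-restrictive rule described above, modeled as an added example for reviewing role membership (this is not Protegrity code or its API). The role, user and data element names are constructed, and keeping customized permissions in one table keyed by role and data element is an assumption of this example.

```python
from enum import Flag, auto

class Perm(Flag):
    NONE = 0
    UNPROTECT = auto()
    PROTECT = auto()
    REPROTECT = auto()

# Constructed sample policy; every name here is hypothetical.
DEFAULT = Perm.PROTECT                      # default permissions for the policy
CUSTOM = {                                  # customized (role, data element) permissions
    ("analyst", "ssn"): Perm.NONE,
    ("fraud_team", "ssn"): Perm.UNPROTECT | Perm.PROTECT,
    ("loader", "card"): Perm.PROTECT | Perm.REPROTECT,
}
MEMBERSHIP = {
    "alice": ["analyst"],
    "bob": ["analyst", "fraud_team"],
    "carol": ["loader", "analyst"],
}

def role_permissions(role, element):
    """Customized permissions override the policy default."""
    return CUSTOM.get((role, element), DEFAULT)

def effective_permissions(user, element):
    """Least restrictive result: the union over all of the user's roles."""
    result = Perm.NONE
    for role in MEMBERSHIP.get(user, []):
        result |= role_permissions(role, element)
    return result

def widened_access(element, perm=Perm.UNPROTECT):
    """List (user, roles withholding perm, roles granting perm) where another
    role hands the user a permission that one of their roles withholds."""
    findings = []
    for user, roles in sorted(MEMBERSHIP.items()):
        grants = [r for r in roles if perm in role_permissions(r, element)]
        withholds = [r for r in roles if perm not in role_permissions(r, element)]
        if grants and withholds:
            findings.append((user, withholds, grants))
    return findings

if __name__ == "__main__":
    for finding in widened_access("ssn"):
        print(finding)
```

Each finding is a user for whom a restrictive customization on one role has no effect because a second role grants the same permission, which is the case to check before relying on a per-role restriction.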
Last modified January 30, 2025