Access Control

From 3.4.2

fSeries includes facilities for detailed control over the data gathered, down to row and field level, based on roles and rules. This allows for Role Based Access Control (RBAC) and Attribute Based Access Control (ABAC) to be implemented when gathering data.

One of the options in fData when managing a data group is “Access Control”. This is where the conditions are set. Use “Add Access Control” in the ribbon to begin a new access control condition, or choose an existing one from the list of conditions already entered.

fData Data Group - Access Control (v.3.4.2)

Each condition is either the id of an access role or an fSeries function, shown in the box underneath the condition dropdown. A description may also be recorded for each as a note of the purpose of the condition.

There are two types of conditions: those that apply to field restrictions and those that apply to the entire row. If you check the “Apply to Row” option, the entire row will be removed if the condition applies. Otherwise, select fields from the list provided; the values of the selected fields will be cleared if the condition applies.

A further option, “Apply All Restrictions” at the top of the window, lets you specify a function that, if true, forces all conditions to be treated as true. The purpose is to provide a failsafe. (A further “Apply All” option in fAdmin settings imposes a similar failsafe on all access control settings in all DSDs.) In both cases the function is evaluated at the same time as the conditions and, if it is true, all conditions are deemed to be true.

The effect is that all fields specified in any condition are cleared and, if any condition is marked as “Apply to Row”, all rows will be cleared. An example of a function that could be used here is “=HasNoAccessRoles()”. If there has been a failure in gathering access roles, this falls back on applying all conditions, preventing inappropriate inclusion of any restricted data.
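The following Python model of the behaviour described above is an added illustration, not fSeries code. It shows a role lookup that returns nothing leaving data unrestricted unless an “Apply All Restrictions” function such as “=HasNoAccessRoles()” is set. Assumptions: the names `gather`, `Condition` and `has_role`, the sample roles and rows, and the rule that a role condition applies when the user holds that role are all hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Optional

Predicate = Callable[[dict, dict], bool]  # (user context, row) -> restriction applies?

@dataclass(frozen=True)
class Condition:
    applies: Predicate
    fields: tuple = ()          # fields to clear when the condition applies
    apply_to_row: bool = False  # remove the whole row instead

def has_role(role: str) -> Predicate:
    # Assumption: a role-id condition applies when the user holds that role.
    return lambda ctx, row: role in ctx["roles"]

def has_no_access_roles(ctx: dict, row: dict) -> bool:
    # Stand-in for the page's =HasNoAccessRoles(): true when no roles were gathered.
    return not ctx["roles"]

def gather(rows, conditions, ctx, apply_all: Optional[Predicate] = None):
    out = []
    for row in rows:
        # A true "Apply All Restrictions" function makes every condition count as true.
        force = apply_all is not None and apply_all(ctx, row)
        active = [c for c in conditions if force or c.applies(ctx, row)]
        if any(c.apply_to_row for c in active):
            continue  # row-level restriction: drop the row
        cleared = {f for c in active for f in c.fields}
        out.append({k: (None if k in cleared else v) for k, v in row.items()})
    return out

# Constructed sample data and conditions (names are illustrative only).
ROWS = [{"name": "Ada", "dept": "hr", "salary": 100},
        {"name": "Bob", "dept": "it", "salary": 200}]
CONDITIONS = [
    Condition(has_role("external"), fields=("salary",)),
    Condition(lambda ctx, row: "contractor" in ctx["roles"] and row["dept"] == "hr",
              apply_to_row=True),
]

if __name__ == "__main__":
    failed = {"roles": set()}  # role lookup returned nothing
    print(gather(ROWS, CONDITIONS, failed))                       # rows unrestricted: fails open
    print(gather(ROWS, CONDITIONS, failed, has_no_access_roles))  # []: fails closed
```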

The Access Control section may be hidden for Data Group types where it is not relevant.