Create an Object or Field-Level Access Policy in Data 360
In data governance, define who can access specific data objects or fields based on user and data attributes. Create either an object-level or a field-level access policy for users.
Required Editions
Before completing this task, consider these guidelines and limitations.
- Data 360 enforces service protection limits on Object-Level Security (OLS) and Field-Level Security (FLS) policies to prevent complex policies from affecting system performance. The impact depends on the number of rules and condition complexity. More complex policies have a greater impact. The system checks these limits when you create, edit, or delete a policy. You can't save a policy that exceeds the limit. Simplify the policy or consolidate existing ones.
- When OLS or FLS restrictions are applied to objects within a data graph, the graph is hidden from the list view to prevent unauthorized access. But this filtering doesn’t apply to draft data graphs, since their underlying objects, such as ID or Value DMO, haven’t been created yet. As a result, a draft data graph can still appear in the list view, but opening it displays an error.
- Data Cloud architects or users with View All Records (VAR) Modify All Records (MAR) permissions can view the metadata of all objects, even if deny policies are in place. They can add fields, including those restricted by policies, to a report during creation or editing. However, access policies are enforced at runtime. If the Data 360 admin or user doesn’t have access to any of the fields included in the report, the report fails to run and displays an error.
| Available in: All Editions supported by Data 360. See Data 360 edition availability. |
| User Permissions Needed | |
|---|---|
| To create data access policy: | Permission set: |
- In Data Cloud, go to the Data Governance tab.
- In the left pane, click Policies.
- Click New, select Data Access, and click Next.
- In Policy Builder, enter a unique policy name, and an optional description.
  The policy API name is auto-filled based on your policy name, but you can change it.
- Click Next.
- Select Rules, and select the resources to protect. In the Resource dropdown, select Object or Field.
  By default, the rule applies across all data spaces. As new data spaces are added, these rules apply to their resources.
- To restrict policies to specific data space scopes, click Customize Scope, deselect Apply to the resources in all Data Spaces in Data 360, and select the desired data spaces.
- Click Save.
- Select the action you want to take on the resource. From the Action dropdown, select Allow access or Deny access.
  Only Deny access is supported in a field-level security (FLS) policy.
- Define the conditions when this action must take place. For example, set a condition to trigger the rule if the Financial Data.Account Info tag is present in the object. Or, if the Personal Data.Digital Identifier.Browsing History tag is not present in the object.
  You can trigger the rule when objects meet any or all specified conditions.
- To add more conditions, click Add Condition.
  You can add up to five conditions to a record-level security (RLS) policy.
- Group your conditions into different sets and use the OR operator to take action when any group meets the rule conditions.
- To add a group, click Add Group.
- To apply the policy to users, select Users.
  Apply the policy to all users or to users who meet specific AND and OR conditions. The conditions are based on custom permissions assigned to users.
  Actions that explicitly deny access override other permissions to block the user from performing that action.
- Click Save and Activate.
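
To check how a set of policies combines before you activate them, you can model the rules described in the steps above. The following Python sketch is an added example, not Salesforce code or a Data 360 API: the class names, the `decide` function, and the custom permission names are hypothetical, and the result when no policy matches is deliberately left unmodelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:
    tag: str
    present: bool = True  # False models "tag is not present"

    def holds(self, tags):
        return (self.tag in tags) == self.present

@dataclass
class Group:
    conditions: list
    match_all: bool = True  # True: all conditions, False: any condition

    def holds(self, tags):
        hits = [c.holds(tags) for c in self.conditions]
        return all(hits) if self.match_all else any(hits)

@dataclass
class Policy:
    name: str
    resource: str   # "object" or "field"
    action: str     # "allow" or "deny"
    groups: list    # groups are combined with OR
    users: list     # sets of custom permissions: AND inside a set, OR across sets; [] = all users

    def __post_init__(self):
        if self.resource == "field" and self.action != "deny":
            raise ValueError("field-level policies support only Deny access")

    def applies(self, user_perms, tags):
        user_ok = not self.users or any(req <= user_perms for req in self.users)
        return user_ok and any(g.holds(tags) for g in self.groups)

def decide(policies, user_perms, tags):
    """Return "deny", "allow", or None when no policy matches (default not modelled)."""
    actions = {p.action for p in policies if p.applies(user_perms, tags)}
    if "deny" in actions:
        return "deny"
    return "allow" if "allow" in actions else None

FIN = "Financial Data.Account Info"
HIST = "Personal Data.Digital Identifier.Browsing History"
# Constructed policies; the permission names are hypothetical.
POLICIES = [
    Policy("allow_finance", "object", "allow",
           [Group([Condition(FIN), Condition(HIST, present=False)])], [{"Finance_Analyst"}]),
    Policy("deny_contractors", "object", "deny",
           [Group([Condition(FIN)]), Group([Condition(HIST)])], [{"Contractor"}]),
]
```

A user who holds both hypothetical permissions is denied on an object tagged Financial Data.Account Info, because the explicit deny overrides the matching allow.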

