You are here:
Data Graph Tag Propagation
A data graph supports access and security management through tag-based controls, similar to how calculated insight objects (CIOs) are managed. Row-level security (RLS) defined on participating DMOs isn’t automatically enforced in data graphs. Depending on the level of data protection required, administrators can enforce access by using tag propagation.
When you create a data graph, it pulls in fields from various data model objects (DMOs) and CIOs. Only the fields explicitly projected into the data graph are materialized and available at query time. To enforce access controls, the system evaluates user permissions based on tags associated with the projected fields, participating DMOs, and CIOs. Tags from all fields and source DMOs and CIOs are copied to the data graph records. However, if a new tag is added to a DMO after the data graph has already been created, that tag will not automatically propagate to the data graph. In such cases, manual propagation is required so that the data graph reflects the updated tagging.
If a user doesn’t have access to any required tag from a participating DMO or CIO, the entire data graph is inaccessible to that user.
DMO-level RLS policies aren’t applied to data graphs. Data graphs enforce access exclusively through tag-based controls on projected fields.
