Controlling data visibility and access

You can control who sees what and who can add persistent data by using data level entitlements, which are set through the Rules of Visibility and access tokens.

Data level entitlements are rules that dictate whether or not a user can view or persist certain sets of data. InfoSphere® MDM defines two categories of Data Level Entitlements:
  • Rules of Visibility, which control the data that a user is allowed to view, based on the defined rules and constraints
  • Persistency entitlements, which control the data that a user is allowed to add or update, based on the defined rules and constraints
This is sometimes referred to as row and column level security, because both the instance of data and the type of data are considered. An example of a controlled instance of data would be where one financial advisor user is not allowed to view a specific party because that party is managed by a different financial advisor user. An example of a controlled type of data would be where a given user is not given permission to view addresses and social security numbers for all parties.
InfoSphere MDM processes entitlements at two levels:
  • At the database level, referred to as Accessibility. For Rules of Visibility, this provides database-level filtering of data based on access tokens.
  • In the data-level entitlements engine. For Rules of Visibility, this provides post-inquiry filtering of data based on more complex rules and constraints; for persistency entitlements this ensures that the user is entitled to make adds or updates to that party, prior to invoking calls on the database.

These two levels, or mechanisms, should be considered together when deriving a strategy around data level entitlements. For example, the Accessibility mechanism can provide high-performing, coarse-grained filtering of the data that a user has access to, followed by additional filtering by the Rules of Visibility engine, which applies more complex logic that is not suited to, or cannot be expressed in, database queries.
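The layered strategy described above can be sketched generically. The following is an added illustration, not InfoSphere MDM code or its API: the `party` table, its column names, the token values, and the shape of the `user` dictionary are all assumptions, and the sample rows are constructed.

```python
import sqlite3

# Constructed sample rows: (id, name, ssn, address, managed_by, access_token).
ROWS = [
    (1, "Ann Lee", "111-22-3333", "1 Elm St", "advisor_a", "RETAIL"),
    (2, "Bob Roy", "222-33-4444", "2 Oak Ave", "advisor_b", "RETAIL"),
    (3, "Cy Dunn", "333-44-5555", "3 Fir Rd", "advisor_a", "PRIVATE"),
]

def open_db():
    """Build an in-memory database with a hypothetical party table."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE party (id INTEGER, name TEXT, ssn TEXT, "
               "address TEXT, managed_by TEXT, access_token TEXT)")
    db.executemany("INSERT INTO party VALUES (?,?,?,?,?,?)", ROWS)
    return db

def accessible_parties(db, user_tokens):
    """Level 1: coarse-grained filtering inside the query, by access token."""
    if not user_tokens:
        return []  # no tokens means no rows; never fall back to an unfiltered query
    marks = ",".join("?" * len(user_tokens))
    sql = f"SELECT * FROM party WHERE access_token IN ({marks}) ORDER BY id"
    return [dict(r) for r in db.execute(sql, sorted(user_tokens))]

def apply_visibility_rules(rows, user):
    """Level 2: post-inquiry filtering with rules that do not fit in the query."""
    visible = []
    for row in rows:
        # Instance (row) rule: a party managed by another advisor is hidden.
        if row["managed_by"] != user["id"]:
            continue
        # Type (column) rule: return only the attributes this user may view.
        visible.append({k: v for k, v in row.items()
                        if k in user["viewable_fields"]})
    return visible

def inquire(db, user):
    """Run both levels in order: database filter first, then the rules."""
    return apply_visibility_rules(accessible_parties(db, user["tokens"]), user)
```

Because the second level only ever sees rows that passed the token filter, a mistake in a post-inquiry rule cannot expose data outside the user's tokens.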

These mechanisms are described in: