General Info

Security labels restrict the user when working with objects. A label is used to delimit access rights to data within a single entity/reference set and represents a verifiable set of attributes.

A user whose role has the label assigned is given a list of allowed attribute values. The user can work only with those entity/reference set records whose attribute values match the allowed ones.

Labels are used only for attributes of the following types:

  • String,

  • Integer,

  • Link to reference set.

Restricting Access with Labels

Data access restriction logic:

  • If several attributes are involved in the label, the user sees the records where the values of the specified attributes match the allowed values configured for the user (i.e. a logical "AND" works within the label).

  • If several instances of the same label are configured for the user, the user sees the records that completely satisfy one of the label instances (i.e. a logical "OR" works between the labels).

  • If several different labels are configured for the user, then the user sees records that satisfy all labels (i.e. a logical "AND" works between labels). In this case, rules 1 and 2 apply inside the labels.
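
The three rules above, evaluated over a few constructed records. This is an added example, not the product's own code. The label names, attribute names, the treatment of a missing attribute as a non-match, and the handling of an empty label list are assumptions.

```python
from collections import defaultdict

# Constructed sample data: label names, attributes and values are hypothetical.
# Each entry is one label instance: (label name, {attribute: allowed values}).
USER_LABELS = [
    ("region_label", {"region": {"EU"}, "tier": {1, 2}}),  # instance 1
    ("region_label", {"region": {"US"}, "tier": {1}}),     # instance 2
    ("dept_label", {"department": {"finance"}}),
]

RECORDS = [
    {"id": 1, "region": "EU", "tier": 2, "department": "finance"},
    {"id": 2, "region": "US", "tier": 2, "department": "finance"},
    {"id": 3, "region": "US", "tier": 1, "department": "hr"},
    {"id": 4, "region": "US", "tier": 1, "department": "finance"},
    {"id": 5, "tier": 1, "department": "finance"},  # no "region" attribute
]

_MISSING = object()  # sentinel that is never an allowed value


def instance_matches(record, allowed):
    """Rule 1: every attribute of the instance must hold an allowed value (AND)."""
    # Assumption: a record that lacks a labelled attribute does not match.
    return all(record.get(attr, _MISSING) in values
               for attr, values in allowed.items())


def record_visible(record, user_labels):
    """Rule 2: OR across instances of one label. Rule 3: AND across labels."""
    by_label = defaultdict(list)
    for name, allowed in user_labels:
        by_label[name].append(allowed)
    # Assumption: with no labels assigned, all([]) is True and nothing is hidden.
    return all(
        any(instance_matches(record, inst) for inst in instances)
        for instances in by_label.values()
    )


def visible_ids(records, user_labels):
    """Return the ids of the records a search would return for this user."""
    return [r["id"] for r in records if record_visible(r, user_labels)]


if __name__ == "__main__":
    print(visible_ids(RECORDS, USER_LABELS))
```

Record 2 stays hidden even though each of its values is allowed by some instance of `region_label`: a record must completely satisfy one instance, so allowed values cannot be combined across instances.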

Access restriction should be understood to mean:

  • Search queries return only data that satisfy the labels;

Assigning Security Labels

To configure and assign security labels, the following actions must be performed: