In Security and compliance studio, you can manage which securable objects have access to sensitive data. For each securable object, you can:

  • Give access to sensitive data: If you give a securable object access to sensitive data, all related securable objects automatically get access to sensitive data as well.
  • Undo access to sensitive data: If you undo the access to sensitive data for a securable object, the access to sensitive data is automatically undone for all related securable objects as well.
The rules that are applied to define the sensitive data access inheritance are:
  • If you give a securable object access to sensitive data, all entry points that are assigned to this securable object get access to this sensitive data as well. As a consequence, all securable objects that have access to these entry points also get access to this sensitive data by inheritance.
  • If the access to sensitive data is undone for a securable object, access to sensitive data is also undone for all entry points that are assigned to this securable object. As a consequence, the access to sensitive data is also undone for all securable objects that have access to these entry points. If a securable object has another entry point assigned that has access to sensitive data, the access to sensitive data is not undone.
Example 1
Give 'Privilege 2' access to sensitive data.
'Entry point 4' already has access to sensitive data.

As a result of giving 'Privilege 2' access to sensitive data:

  • Entry points 2-3 are given access to sensitive data.
  • By inheritance, Privilege 1, Duties 1-2, Roles 1-3, and Users A-D are given access to sensitive data.
  • As Privilege 1 is given access to sensitive data, Entry point 1 is given access to sensitive data as well.
  • Privilege 3, Role 4, and User E already had access to sensitive data, inherited from Entry point 4. So, nothing changes for these securable objects.
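
The following is an added example, not product code: it models the give rule on a constructed hierarchy (an assumption, since the diagram for this example is not reproduced on this page) and reports which entry points and securable objects would newly gain access, so the reach of a change can be reviewed before it is made. Repeating the rule until nothing changes is an assumption drawn from the Entry point 1 bullet above; the undo rule is not modelled.

```python
# Constructed hierarchy, an assumption chosen to be consistent with Example 1.
# Each securable object maps to what is assigned to it; names that are not
# keys are entry points.
CONTAINS = {
    "Privilege 1": ["Entry point 1", "Entry point 2"],
    "Privilege 2": ["Entry point 2", "Entry point 3"],
    "Privilege 3": ["Entry point 4"],
    "Duty 1": ["Privilege 1"],
    "Duty 2": ["Privilege 2"],
    "Role 1": ["Duty 1"],
    "Role 2": ["Duty 1", "Duty 2"],
    "Role 3": ["Duty 2"],
    "Role 4": ["Privilege 3"],
    "User A": ["Role 1"],
    "User B": ["Role 1", "Role 2"],
    "User C": ["Role 2"],
    "User D": ["Role 3"],
    "User E": ["Role 4"],
}

def entry_points(obj):
    """Entry points assigned to obj, directly or through what it contains."""
    if obj not in CONTAINS:
        return {obj}
    return set().union(*(entry_points(child) for child in CONTAINS[obj]))

def closure(sensitive_eps):
    """Apply the give rule until stable; return (entry points, objects)."""
    eps = set(sensitive_eps)
    while True:
        # Every object that reaches a sensitive entry point has access ...
        objs = {o for o in CONTAINS if entry_points(o) & eps}
        # ... and every entry point of such an object gets access as well.
        grown = eps.union(*(entry_points(o) for o in objs))
        if grown == eps:
            return eps, objs
        eps = grown

def give_access(obj, sensitive_eps):
    """Return the entry points and objects that newly gain access."""
    old_eps, old_objs = closure(sensitive_eps)
    new_eps, new_objs = closure(old_eps | entry_points(obj))
    return new_eps - old_eps, new_objs - old_objs

if __name__ == "__main__":
    eps, objs = give_access("Privilege 2", {"Entry point 4"})
    print(sorted(eps))
    print(sorted(objs))
```
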

Example 2

The result of Example 1 is the starting point.

Undo access to sensitive data for Duty 2.

As a result of undoing access to sensitive data for Duty 2:

  • Access to sensitive data is undone for Entry points 2-3.
  • By inheritance, access to sensitive data is undone for Privileges 1-2, Duty 1, Roles 1-3, and Users A-D.
  • As access to sensitive data is undone for Privilege 1, access to sensitive data is also undone for Entry point 1.
  • Privilege 3, Role 4, and User E have access to sensitive data, inherited from Entry point 4. So, nothing changes for these securable objects.