5 Managing Node Access Groups

Oracle Data Relationship Management controls granular user access to hierarchy nodes and their properties using node access groups. You can assign users to groups that are granted access to specific nodes in a subset of hierarchies within a Data Relationship Management version. Node access groups use inheritance to assign similar access to descendant nodes of a hierarchy node where an access level has been explicitly assigned. This level of access can be overridden at a lower level or can be locked to prevent overrides.

Typically, node access groups represent functional areas of an organization, and a user may require assignment to multiple groups. If assigned access levels conflict, the highest security level is used.

There are two types of node access groups. The group type controls the type of data access that can be assigned to users of that group. Each node access group can be of only a single group type.

  • Interactive: Users have direct access to browse, search, and modify data based on the level of access assigned

  • Workflow: Users have restricted access to browse, search, and modify data using governance workflows based on the level of access assigned

Table 5-1 Interactive Group Type–Node Access Levels

| Level | Description | Example Usage |
|---|---|---|
| Read | Enables read-only access; no changes permitted | View and report |
| LimitedInsert | Enables insertion of a node for which the user has (at least) global insert privilege. | Insert |
| Edit | Enables property values to be edited | Edit |
| Insert | Enables nodes to be inserted, moved, or removed | Edit, insert, copy, move, remove |
| Inactivate | Enables nodes to be inactivated and reactivated | Edit, insert, move, remove, inactivate, reactivate |
| Add | Enables nodes to be added or deleted | Edit, insert, copy, move, remove, inactivate, reactivate, add, delete |

Keep the following information in mind:

  • Access levels are cumulative; assignment of the Edit access level implies that the Read Only and LimitedInsert access levels are granted. Assignment of the Add access level implies that all other access levels are granted.

  • Node access group security is only applied at the hierarchy level. Node access groups do not control access to global lists of nodes such as orphans.

  • Access levels are assigned separately for limb and leaf nodes, which allows you to define a different level of access for each. This capability is useful when a user should be able to maintain the roll-up structure of a hierarchy but not edit any properties of leaf nodes, or when a user can insert leaf nodes to an existing roll-up structure but not reorganize the structure itself.

  • Node access groups are defined only by a user with the Access Manager role.

  • Node access groups use local inheritance for access assignment to related nodes. A node access group can be defined as global in order to use global inheritance based on the level of access assigned to a controlling hierarchy.

  • Global node access groups can be created and must have a controlling hierarchy defined for each version. This is done by assigning controlled node access groups to a hierarchy. See the Oracle Data Relationship Management User's Guide for more information.

  • Interactive and Workflow node access groups handle the visibility of nodes in hierarchies differently. An interactive access group provides users visibility to the entire hierarchy if the group has access to any node in the hierarchy. In contrast, a workflow access group provides users limited visibility to only nodes in hierarchies to which they have been assigned access. For both group types, members of the group cannot view hierarchies to which they have not been assigned access.
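When reviewing who can change what, it helps to model how the rules above combine: cumulative levels, local inheritance with overrides and locks, separate limb and leaf levels, and conflicts across groups. The following sketch is an added example, not Oracle code or a Data Relationship Management API. The hierarchy, group names, and assignments are constructed, and it assumes that "highest security level" means the highest access level in Table 5-1, that a locked assignment blocks overrides on all descendants, and that a leaf is any node without children.

```python
from enum import IntEnum

class Level(IntEnum):   # ordered so a higher level implies every lower one
    NONE = 0            # assumption: placeholder for "no access assigned"
    READ = 1
    LIMITED_INSERT = 2
    EDIT = 3
    INSERT = 4
    INACTIVATE = 5
    ADD = 6

# Constructed sample hierarchy (child -> parent); not real DRM data.
PARENT = {"Total": None, "Europe": "Total", "Asia": "Total",
          "UK": "Europe", "London": "UK"}
LIMBS = {p for p in PARENT.values() if p}   # assumption: limb = node with children

# Constructed assignments: group -> node -> (limb level, leaf level, locked)
ASSIGNMENTS = {
    "Finance": {"Total": (Level.READ, Level.READ, False),
                "Europe": (Level.INSERT, Level.EDIT, False)},
    "Audit": {"Total": (Level.READ, Level.READ, True),
              "UK": (Level.ADD, Level.ADD, False)},   # sits below a locked assignment
}

def path_from_root(node):
    path = []
    while node is not None:
        path.append(node)
        node = PARENT[node]
    return path[::-1]

def group_level(group, node):
    """Level one group grants on a node, inherited from the nearest assignment."""
    current = None
    for ancestor in path_from_root(node):
        explicit = ASSIGNMENTS.get(group, {}).get(ancestor)
        if explicit and not (current and current[2]):   # locked ancestor blocks overrides
            current = explicit
    if current is None:
        return Level.NONE
    return current[0] if node in LIMBS else current[1]

def effective_level(groups, node):
    """Highest level across all of the user's groups."""
    return max((group_level(g, node) for g in groups), default=Level.NONE)

def permits(groups, node, needed):
    return effective_level(groups, node) >= needed

if __name__ == "__main__":
    for n in PARENT:
        print(n, effective_level(["Finance", "Audit"], n).name)
```

In this model the Audit group's Add assignment on UK has no effect because the Read assignment on Total is locked, which is the kind of discrepancy between intended and effective access an access review should surface.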