This documentation supports the 20.02 version of BMC Helix Platform.

To view the documentation for the current version, select 20.08 from the Product version menu.

Creating hierarchical groups by defining security labels

You can define the relationship between user groups and rank them according to the level of importance or authority by defining hierarchical groups. A hierarchical group is headed by an ancestor group with descendant groups beneath it. At each level higher than the base of the hierarchy, the descendant groups can also be ancestors of the groups lower in the hierarchy.

In BMC Helix Innovation Studio, you can define hierarchical groups to perform the following functions:

  • Define structure and form within the organization.
  • Express the relationships between the user information, and share the information as per the relationship.
  • Manage large amounts of data.

The following image displays a group relationship structure in a global car dealership company:

How hierarchical groups secure data

  • Row-level security for database tables

    Hierarchical groups enable you to define row-level security (RLS) for database tables. With RLS, you can store data for many users in a database table, and restrict row-level access based on the user's identity or role.

    Some of the access levels that you can configure are as follows:

    • Restrict access to a certain data based on an employee's region and role.
    • Ensure that tenants of a shared system application can access only their data.
  • Security labels for database tables

    Row-level security is defined by using security labels. A security label dynamically controls record and field access. You can define rules and process flows to automatically assign security labels. For example, you can define a rule to generate the name of a group as the security label for that group.

    Security labels protect database tables at the row level, by assigning different levels of security. After row-level security is defined by using security labels, only those users with the appropriate permissions can access the row data. 

    For example, in a car dealership company, you can create security labels such as car type, sales group, and dealership, and only users with the appropriate security classification are allowed access to the relevant data.

  • Relationships within the user groups

    By specifying an ancestor-descendent relationship between user groups, you can grant data permissions according to the relationship.

    You can define the following relationships in a hierarchy:

    • Ancestor: A parent or top-level group within the hierarchy, with one or more subgroups associated with it. An ancestor group can be attached to one or more child groups. 
    • Descendant: A child group within the hierarchy, that is attached to a parent group. A child group can be attached to only one parent user group.

Hierarchical group inheritance

The following examples illustrate the data flow between ancestor groups and descendant groups.

Scenario 1: Ancestor groups can view data from all descendant groups

In the Car dealership hierarchical group, the users in the hierarchy need to have access to a sales application to view all the sales records. The sales application has a Sales record definition, that includes the latest sales records for a certain type of cars. All ancestors of the Sales Person group can view the sales records of the sales people in all dealerships.

The following image illustrates this example in detail:

Example 2: Descendant groups can view data from all ancestor groups

In the Car dealership hierarchical group, the users in the headquarters use a sales application to view all the sales records. The sales application has a Catalog record definition, that includes the latest changes in the sales policy for a certain type of cars. All descendant groups beneath the top-level Car dealership group can access the Catalog record.

The following image illustrates this example in detail:


Process of defining a hierarchical group in an organization

The following table describes the steps of creating a hierarchical group in BMC Helix Innovation Studio:


Preparing to develop a Digital Service application

Set up the application development process and deploy it to BMC Helix Innovation Studio. The application development process consists of creating a project using Maven archetype and BMC Helix Platform SDK, implementing data and logical definitions using BMC Helix Innovation Studio, extending the services using Java and JavaScript (if required), and packing the application.

2Identify the different user groups in the organizationTo define a hierarchical group, identify the data that each user needs to access according to the user's role in the organization.
3Creating or modifying security labels in record definitions to define hierarchyYou can create security labels for regular record definitions or join record definitions.
4Assign permissions to the security labelsYou can assign permissions to the security label such that only the specified user group or role can access the record field data.
5Configure the security labels for a rule or a processYou can configure the security label for a rule or a process to enable the hierarchy.

After you create and configure the security labels for record definitions, you can perform any of the following tasks:

Was this page helpful? Yes No Submitting... Thank you