Creating hierarchical groups through security labels
You can define the relationship between user groups and rank them according to the level of importance or authority by defining hierarchical groups. A hierarchical group is headed by an ancestor group with descendant groups beneath it. At each level higher than the base of the hierarchy, the descendant groups can also be ancestors of the groups lower in the hierarchy.
In BMC Helix Innovation Studio, you can define hierarchical groups to perform the following functions:
- Define structure and form within the organization.
- Express the relationships between the user information, and share the information as per the relationship.
- Manage large amounts of data.
The following image displays a group relationship structure in a global car dealership company:
How hierarchical groups secure data
Row-level security for database tables
Hierarchical groups enable you to define row-level security (RLS) for database tables. With RLS, you can store data for many users in one database table and restrict access to individual rows based on the user's identity or role.
Some of the access levels that you can configure are as follows:
- Restrict access to certain data based on an employee's region and role.
- Ensure that tenants of a shared system application can access only their data.
Security labels for database tables
Row-level security is defined by using security labels. A security label dynamically controls record and field access. You can define rules and process flows to automatically assign security labels. For example, you can define a rule that generates the name of a group as the security label for that group.
Security labels protect database tables at the row level, by assigning different levels of security. After row-level security is defined by using security labels, only those users with the appropriate permissions can access the row data.
For example, in a car dealership company, you can create security labels such as car type, sales group, and dealership, and only users with the appropriate security classification are allowed access to the relevant data.
Relationships within the user groups
By specifying an ancestor-descendant relationship between user groups, you can grant data permissions according to that relationship.
You can define the following relationships in a hierarchy:
- Ancestor: A parent or top-level group within the hierarchy, with one or more subgroups associated with it. An ancestor group can be attached to one or more child groups.
- Descendant: A child group within the hierarchy that is attached to a parent group. A child group can be attached to only one parent user group.
Hierarchical group inheritance
The following examples illustrate the data flow between ancestor groups and descendant groups.
Scenario 1: Ancestor groups can view data from all descendant groups
In the Car dealership hierarchical group, the users in the hierarchy need access to a sales application to view all the sales records. The sales application has a Sales record definition that includes the latest sales records for a certain type of car. All ancestors of the Sales Person group can view the sales records of the salespeople in all dealerships.
The following image illustrates this example in detail:
Scenario 2: Descendant groups can view data from all ancestor groups
In the Car dealership hierarchical group, the users in the headquarters use a sales application to view all the sales records. The sales application has a Catalog record definition that includes the latest changes in the sales policy for a certain type of car. All descendant groups beneath the top-level Car dealership group can access the Catalog record.
The following image illustrates this example in detail:
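The two scenarios above describe the same mechanism from opposite directions: a row carries a security label (here, a group name), the requesting user belongs to a group, and the row is visible when the label's group stands in the required ancestor or descendant relationship to the user's group. The following Python model is an added illustration of that check and is not BMC Helix Innovation Studio code; the group names, the `PARENT` map, the record fields and the two policy names are constructed for the example. It also guards against a cycle in the parent map, since a hierarchy that is not a proper tree would otherwise make the ancestor walk loop forever.

```python
"""Toy model of hierarchical groups and security-label row filtering.

Added illustration only; not BMC Helix Innovation Studio code. The
group names, parent map, records and policy names are constructed.
"""
from dataclasses import dataclass

# Constructed car-dealership hierarchy. Each descendant group has exactly
# one parent (the page's "only one parent user group" rule); the root has none.
PARENT = {
    "Car dealership": None,
    "Headquarters": "Car dealership",
    "Dealership East": "Car dealership",
    "Dealership West": "Car dealership",
    "Sales Person East": "Dealership East",
    "Sales Person West": "Dealership West",
}


def ancestors(group, parent_map=PARENT):
    """Return every group above `group`, nearest first, excluding `group`.

    Raises ValueError if the parent map contains a cycle, so a broken
    hierarchy fails closed instead of looping.
    """
    seen = {group}
    chain = []
    parent = parent_map[group]
    while parent is not None:
        if parent in seen:
            raise ValueError(f"cycle in group hierarchy at {parent!r}")
        seen.add(parent)
        chain.append(parent)
        parent = parent_map[parent]
    return chain


def is_descendant(group, ancestor, parent_map=PARENT):
    """True if `ancestor` appears anywhere above `group` in the hierarchy."""
    return ancestor in ancestors(group, parent_map)


@dataclass(frozen=True)
class Record:
    id: int
    body: str
    security_label: str  # group name used as the row's security label


# Policy names are constructed for this example.
ANCESTORS_SEE_DESCENDANTS = "ancestors_see_descendants"  # Scenario 1
DESCENDANTS_SEE_ANCESTORS = "descendants_see_ancestors"  # Scenario 2


def visible(record, user_group, policy, parent_map=PARENT):
    """Row-level check: may a member of `user_group` read `record`?"""
    label = record.security_label
    if label == user_group:
        return True  # a group always sees rows labelled with its own name
    if policy == ANCESTORS_SEE_DESCENDANTS:
        return is_descendant(label, user_group, parent_map)
    if policy == DESCENDANTS_SEE_ANCESTORS:
        return is_descendant(user_group, label, parent_map)
    raise ValueError(f"unknown policy {policy!r}")


def rows_for(records, user_group, policy, parent_map=PARENT):
    """Apply the row-level filter and return only the rows the group may see."""
    return [r for r in records if visible(r, user_group, policy, parent_map)]


# Constructed sample rows. Sales rows are labelled with the sales group that
# produced them; the catalog row is labelled with the top-level group.
SALES_RECORDS = [
    Record(1, "Sedan sold, East", "Sales Person East"),
    Record(2, "SUV sold, East", "Sales Person East"),
    Record(3, "Sedan sold, West", "Sales Person West"),
]
CATALOG_RECORDS = [
    Record(10, "Sedan pricing policy update", "Car dealership"),
]

if __name__ == "__main__":
    for group in PARENT:
        ids = [r.id for r in rows_for(SALES_RECORDS, group, ANCESTORS_SEE_DESCENDANTS)]
        print(f"{group:18} sales rows (scenario 1): {ids}")
    for group in PARENT:
        ids = [r.id for r in rows_for(CATALOG_RECORDS, group, DESCENDANTS_SEE_ANCESTORS)]
        print(f"{group:18} catalog rows (scenario 2): {ids}")
```

Running the block prints, for every group, which sales rows it sees under Scenario 1 and which catalog rows it sees under Scenario 2. Note that Headquarters, a sibling of the dealerships rather than an ancestor of the sales groups, sees no sales rows under Scenario 1; whether that is the intended outcome is exactly the kind of question to settle when you identify the user groups and the data each one needs.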
Process of defining a hierarchical group in an organization
The following table describes the steps of creating a hierarchical group in BMC Helix Innovation Studio:
Stage | Task | Description |
---|---|---|
1 | Set up the application development process and deploy the application to BMC Helix Innovation Studio. | The application development process consists of creating a project by using the Maven archetype and the BMC Helix Innovation Studio SDK, implementing data and logical definitions in BMC Helix Innovation Studio, extending the services by using Java and JavaScript (if required), and packaging the application. |
2 | Identify the different user groups in the organization. | To define a hierarchical group, identify the data that each user needs to access according to the user's role in the organization. |
3 | Create security labels. | You can create security labels for regular record definitions or join record definitions. |
4 | Assign permissions to the security labels. | You can assign permissions to a security label so that only the specified user group or role can access the record field data. |
5 | Configure the security label for a rule or a process. | You can configure the security label for a rule or a process to enable the hierarchy. |
After you create and configure the security labels for record definitions, you can perform any of the following tasks:
- Inherit the existing security labels in new record definitions, which extends the security labels of an existing record definition to a new record definition.
- Modify the existing security labels to enforce the appropriate permissions if there is any change in the organization structure.