Access Control Categories
Attribute-based access control (ABAC) in Granta MI allows access to individual records to be granted or denied based on the value of specially configured 'security' Attributes in those records.
For example, you could restrict who can see or edit material records based on the material’s development status (Submitted, Approved, In testing, etc.), ensuring that employees in Test and Production groups don't have access to new materials until they have been approved.
Access Control Categories are central to the configuration of ABAC in Granta MI. For more information about Attribute-based Access Control for Granta MI, see Granta MI Administration and Configuration.
In summary, the Attribute-based Access Control workflow in Granta MI is this:
- Access Control Categories are database-level objects with a Discrete Type that defines a set of permitted values.
- The permitted values of each Access Control Category are mapped to system security roles.
- Users must be assigned to the relevant system security roles in your authorization system (for example, AD, User Manager).
- Each Access Control Category may be mapped to a Discrete Attribute with the same Discrete Type in one or more tables.
- The access control Rule Engine then determines, for a given record and user, what the various possible permutations of Access Control Category values imply for that user in terms of their permissions to (a) Read the record, (b) Write to the record and (c) Set or change the value of the Access Control Category in the record.
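The workflow listed above can be modelled in a few lines of Python. This is an added illustration, not Granta MI code or its Rule Engine: the role names, the FROZEN policy and the rules inside evaluate() are assumptions, and only the status values come from this page.

```python
from dataclasses import dataclass

# Access Control Category -> permitted value -> mapped security role.
# Status values are the page's; role names are constructed for this sketch.
CATEGORY_ROLES = {
    "Development status": {
        "Submitted": "mi-status-submitted",
        "In testing": "mi-status-in-testing",
        "Approved": "mi-status-approved",
    },
}
# Assumed policy: records holding these values are read-only for users
# who are not allowed to change the category.
FROZEN = {"Development status": {"Approved"}}


@dataclass(frozen=True)
class Permissions:
    read: bool = False
    write: bool = False
    set_category: bool = False


def evaluate(record, user_roles):
    """Return the Permissions a user has on one record (assumed rules).

    record: {category name: value of the mapped Discrete Attribute}
    user_roles: roles assigned in the authorization system
    """
    write = set_category = True
    for category, value_roles in CATEGORY_ROLES.items():
        value = record.get(category)
        held = {v for v, role in value_roles.items() if role in user_roles}
        # Fail closed: an unset or unknown value, or a value whose role the
        # user lacks, denies everything regardless of other categories.
        if value not in value_roles or value not in held:
            return Permissions()
        # Assumed rule: only users holding every value may change the category.
        can_set = held == set(value_roles)
        set_category = set_category and can_set
        write = write and (can_set or value not in FROZEN.get(category, ()))
    return Permissions(True, write, set_category)


# Constructed users: R&D holds every status role, Test only the Approved one.
RND = {"mi-status-submitted", "mi-status-in-testing", "mi-status-approved"}
TEST = {"mi-status-approved"}
```

With these assumed rules, a Test user cannot read a Submitted record at all, and a record whose status Attribute is unset is denied to everyone rather than left open.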
For example, the workflow for restricting access to a material record based on the material’s development status could be as follows:




