When you assign privileges to a group, all subgroups and users belonging to the group inherit the privileges.
When you assign a role to a user, the user inherits the privileges belonging to the role.
When you assign a role to a group, the group and all subgroups and users belonging to the group inherit the privileges belonging to the role. The subgroups and users do not inherit the role.
So, the ideal approach is to have a dedicated group with the users who need to see the sensitive data, and grant them the 'View Sensitive Data' permission.
The privileges provided at group level for a resource will by default be inherited at the user level as well.
For example, if we give Read and Write privileges at group level, they will be inherited by all the users present in that group for that particular resource. That can be further managed at user level.
What we have is the third scenario. We create roles and assign the privileges to the role. We assign the roles to groups. We then assign the users to the groups as well.
We want our users to be able to see ALL non-sensitive data but only certain folks to see sensitive data. I do not see how we can pull this off if the privileges are at the role, group, or user level and the metadata and data read permission is required on the resource.
I do not think your approach would work because of the way we have all users set up as "general users". This general users group is our security domain which we populate through our LDAP config from an AD group. In this case we assign privileges (View Data) to the group in the Administrator. In the Catalog Administrator this group has Metadata and Data Read access to all resources. As we understand it they must have this to be able to see ANY value frequency. Without it they could not even see non-sensitive data.
Since I now have users that are both general users (through the LDAP config) and Data Owners/Data Stewards, if I give the role, group, or even the user the View Sensitive Data privilege directly, they would be able to see the sensitive data on any resource.
I have the same question.
- View Sensitive Data on Resource A only
- View Sensitive Data on Resource B only
- View Sensitive Data on Resource A & B only
- No Access to View Sensitive Data at all.
How can this be achieved?
I think the last one is the easiest answer. If you do not assign the View Sensitive Data privilege to the group, role, or user, they will not be able to see the sensitive data (meaning the asset has a data domain in the PII, PCI, or PHI data domain group).
For the others I think the security would have to be at the user level. If the user has view sensitive data assigned (either directly, through a role, or through a group) then you would assign them "Metadata and Data Read" access to Resource A, Resource B, or both in the Catalog Administrator at the user level and not at the group or role level.
Note: If they have metadata and data read access to any other resource they would also be able to see the sensitive fields.
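As an added illustration (not code from this thread and not the product's own API), the inheritance rules quoted in the first post and the resolution logic in the last answer modelled as a small Python program. The `Catalog` class, the group, role, user and resource names, and the two-part check (global privilege plus resource-level "Metadata and Data Read") are assumptions built from the posts above; they reproduce the caveat in the note, where a steward who is also a general user sees sensitive fields on every resource the general group can read, and the user-level alternative that scopes access to a single resource.

```python
"""Toy model of the privilege inheritance rules quoted in the thread and of the
sensitive-data check.  Constructed illustration only: this is not Informatica's
API, and every group, role, user and resource name below is invented."""

from dataclasses import dataclass, field

VIEW_DATA = "View Data"
VIEW_SENSITIVE = "View Sensitive Data"
META_DATA_READ = "Metadata and Data Read"  # resource-level permission


@dataclass(eq=False)
class Group:
    name: str
    parent: "Group | None" = None
    privileges: set = field(default_factory=set)   # privileges assigned to the group
    roles: set = field(default_factory=set)        # roles assigned to the group


@dataclass(eq=False)
class User:
    name: str
    groups: list = field(default_factory=list)     # direct group memberships
    roles: set = field(default_factory=set)        # roles assigned to the user directly
    privileges: set = field(default_factory=set)   # privileges assigned directly


class Catalog:
    """Holds role definitions and per-resource permissions (assumed structure)."""

    def __init__(self):
        self.role_privileges = {}   # role name -> set of privileges
        self.resource_access = {}   # (principal name, resource) -> set of permissions

    def grant_resource(self, principal_name, resource, permission):
        self.resource_access.setdefault((principal_name, resource), set()).add(permission)

    @staticmethod
    def ancestry(group):
        """A group and all of its parents: privileges flow down the hierarchy,
        so a member collects everything assigned anywhere above it."""
        while group is not None:
            yield group
            group = group.parent

    def effective_roles(self, user):
        """Only roles assigned to the user directly. A role assigned to a group is
        not inherited as a role; its privileges are (see effective_privileges)."""
        return set(user.roles)

    def effective_privileges(self, user):
        privs = set(user.privileges)
        for role in user.roles:
            privs |= self.role_privileges.get(role, set())
        for group in user.groups:
            for anc in self.ancestry(group):
                privs |= anc.privileges
                for role in anc.roles:
                    privs |= self.role_privileges.get(role, set())
        return privs

    def resource_permissions(self, user, resource):
        perms = set(self.resource_access.get((user.name, resource), set()))
        for group in user.groups:
            for anc in self.ancestry(group):
                perms |= self.resource_access.get((anc.name, resource), set())
        return perms

    def can_see_sensitive(self, user, resource):
        """The rule from the thread: the privilege is global; the resource-level
        read permission is what scopes it to particular resources."""
        return (VIEW_SENSITIVE in self.effective_privileges(user)
                and META_DATA_READ in self.resource_permissions(user, resource))


def build_scenario():
    """Reproduce the situation discussed: a general-users group with read on every
    resource, a steward role carrying View Sensitive Data, and two ways of
    placing a steward. Returns the per-resource outcome for each user."""
    cat = Catalog()
    cat.role_privileges["Data Steward"] = {VIEW_SENSITIVE}
    resources = ["Resource A", "Resource B", "Resource C"]

    general = Group("general_users", privileges={VIEW_DATA})
    stewards = Group("data_stewards", roles={"Data Steward"})
    sub = Group("stewards_region_1", parent=stewards)  # subgroup inherits the privileges
    for r in resources:
        cat.grant_resource("general_users", r, META_DATA_READ)

    # bob is a general user AND a steward: the caveat in the last post applies,
    # he can see sensitive fields on every resource the general group can read.
    bob = User("bob", groups=[general, sub])
    # carol is only a steward; her read permission is granted at user level on A.
    carol = User("carol", groups=[sub])
    cat.grant_resource("carol", "Resource A", META_DATA_READ)

    return {
        "bob_roles": cat.effective_roles(bob),            # empty: the role itself is not inherited
        "bob_privileges": cat.effective_privileges(bob),  # View Data + View Sensitive Data
        "bob": {r: cat.can_see_sensitive(bob, r) for r in resources},
        "carol": {r: cat.can_see_sensitive(carol, r) for r in resources},
    }


if __name__ == "__main__":
    for key, value in build_scenario().items():
        print(key, value)
```

Running it shows bob seeing sensitive fields on all three resources even though View Sensitive Data came to him only through a group-assigned role, while carol is limited to Resource A because her read permission was granted at user level rather than through a group that reads everything.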