Data access (Enterprise Edition)
Set up data access control in your shared space to allow users to access only the data that they are entitled to see.
Data access is typically determined by security classifications. For example, your organization may employ contractors who work alongside full-time employees on the same project but have a different security clearance. You may want to enable some employees to view highly sensitive material, while restricting others. Data access control lets you do that.
Data access control categories are created, then applied to roles, and then applied to items, in this order. A user with a certain role can see only items that have one of the data access control categories included in their role.
A user with restricted data access cannot see any information on that item, including relations to other items. Data access also affects counts. For example, a graph displaying the number of defects displays only the number of defects that the user has access to. The user will not know that the item exists.
Generally, the current access that a user has determines what the user can see. For example, if a user was granted additional access, the user will be able to see additional items along with all of their relevant history. The only exception is trend graphs, which display information regardless of data access. However, you can exclude trend graphs for certain roles. For details, see Exclude trend graphs for a specific role.
- Data access control is supported for defects and manual tests.
- Data access control is supported for shared spaces only.
To apply data access control, you must first create data access control categories.
You can create up to 63 data access categories.
You must be a space admin.
To create data access categories:
- In Settings > Spaces, select a shared space.
- In the Permissions tab, from the middle pane, click Data Access, and then click Data Access Categories.
- In the Data Access Categories dialog box, add the required categories.
By default, full data access is granted to all roles.
To restrict data access, you must enable data access control for each role, and select the category that you want to apply to that role.
To apply data access controls to roles:
- In the Permissions tab, from the Role list, select the role to which you want to apply data access control.
- Select the Enable data access control check box.
- Select the categories that you want to apply to the role.
Note: If you enable data access control but you do not select a category, data access will be completely restricted for that role.
- Repeat for all relevant roles.
By default, if data access has not been enabled on your role, full data access is granted to all items. However, if data access has been enabled on your role, you will only be able to see items that include the data access categories in your role.
To enable access to certain items, you need to assign data access categories to those items. You can do this using business rules or manually.
Create rules for assigning data access categories to items:
Create rules for assigning data access categories to items. For details, see Create a rule.
If you want to update an item both upon creation and during editing, create a separate rule for each.
Note: The When creating an entity option includes copied, duplicated, and imported items, in addition to newly created items.
The following is an example of a rule that assigns the External - restricted data access category to defects when the owner of the defect has the External Tester role.
Note: To avoid situations where items are left without a data access category, you can define a default category and assign it using a dedicated rule. Run this rule first, so that it doesn't override specific item categories. For details, see Define and assign a default category.
If you have strict regulation regarding sensitive material, keep in mind that the Admin and the Space admin both have full access to all data.
Assign data access categories to items manually
You must have the Manage Data Access permission (available from Permission > Backlog tab) to assign data access to categories.
You can only assign data access categories which you have yourself.
Assign data access categories to a single item or to multiple items.
- To update a single item. In the item's Details tab, select the data access categories in the Access granted field.
If this field is not displayed, click the Customized fields button, and select it.
- To update multiple items. Follow the instructions in Update multiple backlog items.
Trend-based or status over time graphs display historical information. Because data access can change from time to time, ALM Octane displays all trend-based graphs without data restrictions.
Note: Trend-based graphs only display the number of items (count). You cannot access any other information on the item from that graph.
You can restrict certain roles from viewing trend-based graphs on the restricted items types by clearing the View Status Over Time Graphs check box in Permissions > General System Actions.
This prevents the user from configuring or viewing trend-based graphs for the item type, regardless of the user's data access permissions.
Data access categories can be assigned to items using rules or manually. Ideally, rules would cover all use cases, but since this cannot be guaranteed, there may be cases where some items are left without a data access category, making them inaccessible to the relevant role.
To avoid situations where items are left without a data access category, you can define a default category and assign it using a dedicated rule.
To define a default category and assign it using a dedicated rule:
- When you create the data access control categories, create a default category as well. For details, see Create data access control categories.
- When you apply data access control to roles, in addition to the specific data access categories, apply the default category to all roles. For details, see Apply data access control to roles.
- When you create rules for assigning data access categories to items, create a rule for assigning the default category to items upon creation. Make this rule unconditional so that all items are updated. For details, see Assign data access categories to items.
Note: The default category is temporary and should be overridden by the specific category assigned to the item. Make sure to run this rule first, before the other rules for assigning the specific data access categories.
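The following model is an added illustration, not ALM Octane code or its API. It shows role visibility, the "enabled but no category selected" case, and why the unconditional default rule must run before the specific rules. It assumes each rule replaces the item's Access granted value; the Team member and Auditor roles and all item data are constructed.

```python
# Added illustration: a plain-Python model of the behaviour this page describes.
# Not ALM Octane code; names other than those on the page are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    dac_enabled: bool = False           # "Enable data access control" check box
    categories: frozenset = frozenset()

@dataclass
class Item:
    id: int
    owner_role: str
    access_granted: set = field(default_factory=set)   # "Access granted" field

def can_see(role, item):
    """Full access unless control is enabled; then a shared category is required."""
    if not role.dac_enabled:
        return True
    return bool(role.categories & item.access_granted)

def apply_rules(item, rules):
    """Run (condition, category) rules in order; assumption: each match replaces the value."""
    for condition, category in rules:
        if condition(item):
            item.access_granted = {category}
    return item

def orphaned(items, roles):
    """IDs of items that no access-controlled role can see (a rule is probably missing)."""
    restricted = [r for r in roles if r.dac_enabled]
    if not restricted:
        return []
    return [i.id for i in items if not any(can_see(r, i) for r in restricted)]

# Constructed sample configuration: unconditional default rule first, specific rule second.
RULES = [
    (lambda i: True, "default"),
    (lambda i: i.owner_role == "External Tester", "External - restricted"),
]
ROLES = [
    Role("Space admin"),                                   # control not enabled: sees all
    Role("Team member", True, frozenset({"default"})),
    Role("External Tester", True, frozenset({"default", "External - restricted"})),
    Role("Auditor", True),        # enabled, no category selected: completely restricted
]

if __name__ == "__main__":
    defect = apply_rules(Item(2, "External Tester"), RULES)
    print({r.name: can_see(r, defect) for r in ROLES})
```

Reversing the order of `RULES` leaves the external tester's defect tagged only with the default category, which makes it visible to every role that holds the default.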
Upgrade from 15.1.40
Important note regarding manual tests that were created before 15.1.40:
To ensure that existing tests can initially still be accessed by all users, manual tests that were in the system before the 15.1.40 upgrade are assigned all the current and new data access categories.
To begin setting up data access controls for manual tests, we recommend first assigning a default category to all existing tests.
Here's a recommended procedure:
- Create an additional data access category called default.
- Assign the default category to the roles in the system that have data access control enabled.
- Filter the manual tests by items whose Access granted field is not empty.
- Perform a bulk update on all the filtered manual tests, replacing the current Access granted values with Public.
For more details, see Define and assign a default category.
Until you update the Access granted value of the existing manual tests, the tests will continue to be visible to all users. Until that point, new data access categories will also be assigned automatically to the tests.
This section includes data access control limitations:
Data access control categories can be edited but not deleted.
Cross-filter results are based on the entire data set, regardless of the data access your role has. For example, if you create a filter that returns all tests associated with high defects, you also get tests that are associated with defects to which you do not have access.