Set up data access (Enterprise Edition)
Set up data access control in your shared space to allow users to access only the data that they are entitled to see.
- Data access control is supported for defects.
- Data access control is supported for shared spaces only.
Data access is typically determined by security classifications. For example, your organization may employ contractors who work alongside full-time employees on the same project but have a different security clearance. You may want to enable some employees to view highly sensitive material, while restricting others. Data access control lets you do just that.
Data access control categories are created, then applied to roles, and then to items, in this order. A user with a certain role can see only items that have one of the data access control categories included in that role.
A user with restricted data access cannot see any information on a restricted item, including its relations to other items. Data access also affects counts. For example, a graph displaying the number of defects displays only the number of defects that the user has access to. The user will not know that the item exists.
Note: Generally, the current access that a user has determines what the user can see. For example, if a user was granted additional access, the user will be able to see additional items along with all of their relevant history. The only exception is trend graphs, which display information regardless of data access. However, you can exclude trend graphs for certain roles. For details, see Exclude trend graphs for a specific role.
To apply data access control, you must first create data access control categories.
You can create up to 63 data access categories.
You must be a space admin.
To create data access categories:
- In Settings > Spaces, select a shared space.
- In the Permissions tab, from the middle pane, click Data Access, and then click Data Access Categories.
- In the Data Access Categories dialog box, add the required categories.
By default, full data access is granted to all roles.
To restrict data access, you must enable data access control for each role, and select the category that you want to apply to that role.
To apply data access controls to roles:
- In the Permissions tab, from the Role list, select the role to which you want to apply data access control.
- Select the Enable data access control check box.
- Select the categories that you want to apply to the role.
Note: If you enable data access control but you do not select a category, data access will be completely restricted for that role.
- Repeat for all relevant roles.
By default, if data access has not been enabled on your role, full data access is granted to all items. However, if data access has been enabled on your role, you will only be able to see items that include the data access categories in your role.
To enable access to certain items, you need to assign data access categories to those items. You can do this using business rules or manually.
Create rules for assigning data access categories to items:
Create rules for assigning data access categories to items. For details, see Define rules.
If you want to update an item both upon creation and during editing, create a separate rule for each.
Note: The When creating an entity option includes copied, duplicated, and imported items, in addition to newly created items.
The following is an example of a rule that assigns the External - restricted data access category to defects when the owner of the defect has the External Tester role.
Note: To avoid situations where items are left without a data access category, you can define a default category and assign it using a dedicated rule. Run this rule first, so that it doesn't override specific item categories. For details, see Define a default category and assign it using a dedicated rule.
If you have strict regulation regarding sensitive material, keep in mind that the Admin and the Space admin both have full access to all data.
Assign data access categories to items manually
You must have the Manage Data Access permission (available from Permissions > Backlog tab) to assign data access categories to items.
You can only assign data access categories which you have yourself.
Assign data access categories to a single item or to multiple items.
- To update a single item: In the item's Details tab, select the data access categories in the Access granted field. If this field is not displayed, click the Customized fields button, and select it.
- To update multiple items: Follow the instructions in Update multiple backlog items.
Trend-based or status over time graphs display historical information. Because data access can change from time to time, ALM Octane displays all trend-based graphs without data restrictions.
Note: Trend-based graphs only display the number of items (count). You cannot access any other information on the item from that graph.
You can restrict certain roles from viewing trend-based graphs on the restricted item types by clearing the View Status Over Time Graphs check box in Permissions > General System Actions.
This prevents the user from configuring or viewing trend-based graphs for the item type, regardless of the user's data access permissions.
Data access categories can be assigned to items using rules or manually. Ideally, rules would cover all use cases, but since this cannot be guaranteed, there may be cases where some items are left without a data access category, making them inaccessible to the relevant role.
To avoid situations where items are left without a data access category, you can define a default category and assign it using a dedicated rule.
- When you create the data access control categories, create a default category as well. For details, see Create data access control categories.
- When you apply data access control to roles, in addition to the specific data access categories, apply the default category to all roles. For details, see Apply data access control to roles.
- When you create rules for assigning data access categories to items, create a rule for assigning the default category to items upon creation. Make this rule unconditional so that all items are updated. For details, see Assign data access categories to items.
Note: The default category is temporary and should be overridden by the specific category assigned to the item. Make sure to run this rule first, before the other rules for assigning the specific data access categories.
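The following is an added example, not ALM Octane code: a small Python model of the visibility and rule-ordering behavior described above, useful for reviewing a planned configuration before applying it. The category name Default, the roles Contractor and Developer, and the assumption that a matching rule replaces the item's current category are illustrative.

```python
from dataclasses import dataclass, field

DEFAULT = "Default"                      # hypothetical name for the default category
EXTERNAL = "External - restricted"       # category from the page's rule example

@dataclass
class Role:
    name: str
    dac_enabled: bool = False            # "Enable data access control" check box
    categories: frozenset = frozenset()

@dataclass
class Item:
    id: int
    owner_role: str
    categories: set = field(default_factory=set)   # "Access granted" field

def can_see(role, item):
    if not role.dac_enabled:
        return True                      # default: full data access
    # An enabled role with no category matches nothing: completely restricted.
    return bool(role.categories & item.categories)

def apply_rules(item, rules):
    # Assumption: a matching rule sets the field, replacing any earlier value.
    for condition, category in rules:
        if condition(item):
            item.categories = {category}
    return item

def audit(roles, items):
    findings = [f"role {r.name}: enabled without a category, sees nothing"
                for r in roles if r.dac_enabled and not r.categories]
    findings += [f"item {i.id}: no category, hidden from restricted roles"
                 for i in items if not i.categories]
    return findings

default_rule = (lambda item: True, DEFAULT)                      # unconditional
external_rule = (lambda item: item.owner_role == "External Tester", EXTERNAL)

def categories_after(rules):
    # Constructed sample: a defect owned by a user with the External Tester role.
    return apply_rules(Item(1, "External Tester"), rules).categories

if __name__ == "__main__":
    print(categories_after([default_rule, external_rule]))  # default runs first
    print(categories_after([external_rule, default_rule]))  # default runs last
    locked = Role("Contractor", dac_enabled=True)            # constructed role
    print(audit([locked], [Item(2, "Developer")]))
```

In this model, running the default rule last leaves the defect with only the default category, which every role holds, so the order of the rules decides whether the specific restriction survives.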
This section includes data access control known issues and limitations:
- Data access control categories cannot be deleted but can be edited.
- Cross-filter results are based on the entire data, regardless of the data access your role has. For example, if you create a filter for returning all tests that are associated with high defects, then you will also get tests that are associated with defects to which you do not have access.