Reltio Metadata Security Manager (MSM)

Introduction

Ulpia has developed the Reltio Metadata Security Manager (MSM), a tool designed to simplify the process of modifying and validating metadata security configurations within Reltio. This case study explores the features of the MSM, its integration with Reltio, and the benefits and impact it brings to metadata security management.

Overview

Motivation

The primary motivation behind developing the MSM was the lack of an existing tool tailored for metadata security configuration in Reltio. Modifying JSON configuration files manually is tedious and error-prone. The MSM addresses this challenge by providing an intuitive graphical interface, making the process more accessible for both developers and business users responsible for defining security rules.

Tech Stack

The MSM is built using the React.js library, operating entirely on the front end. As a serverless application, it runs in the browser without storing any data on third-party servers, ensuring user data privacy and security.

Getting Started

Uploading Files

Users can upload up to three types of files into the MSM:

  • L3 Files: Contain attribute definitions and hierarchies.
  • Metadata Security Configuration Files: Define existing security configurations.
  • Custom Tenant Role Files: Include system and custom roles from the tenant.

Upload When Starting the App

Upon launching the MSM, users can upload either an L3 file or a metadata security configuration file to begin. Uploaded files are saved and shown as selected in future sessions.

Upload After the App is Started

Users can upload additional files at any time. Previously selected files are displayed in the upload menu. However, changing the L3 or metadata security configuration files will reset any unsaved changes.

Loading of L3 and Metadata Security Config

When both L3 and metadata security configuration files are loaded, the MSM aggregates the data, displaying a unified configuration. Attributes present in the L3 but missing in the metadata security config are loaded with all actions forbidden, ensuring consistency. Attributes found in the metadata security config but not in the L3 are marked with a warning.

Loading of Role Files

The MSM accepts two role files:

  • System Roles: Standard roles provided by Reltio.
  • Custom Tenant Roles: User-defined roles specific to the tenant.

Uploading these files ensures that the roles within the configuration align with those defined in the tenant. Roles present in the configuration but not in the role files are flagged with a warning.

Connecting to Reltio

Users can directly connect to their Reltio tenant to pull necessary files by selecting the “Connect to Reltio Tenant” option. Required information includes:

  • Tenant URL: Ensure no dashes at the beginning or end.
  • Tenant ID: The unique identifier for the tenant.
  • Security Token: Used to authenticate and access data via the Reltio API.

Modifying Your Configuration

The MSM supports multiple approaches for modifying the metadata security configuration, allowing for granular control and efficiency.

Multi-Selection

The tool excels in mass-editing capabilities through various multi-selection methods:

  • By Row: Click on the leftmost squares of the table to select entire rows.
  • By Column: Click on the permission name (e.g., Read, Update) to select entire columns.
  • Individual Cells: Hold Ctrl (Windows) or Cmd (Mac) and click on multiple cells to select them individually.

These methods can be combined for complex selections. Once selections are made, users can grant or deny permissions to all selected cells via the “Edit selected cells” option.

Row Management

In inheritance management mode, users can manage permissions based on parent-child relationships:

  • Inherited Rows: Rows that inherit permissions from their parent.
  • Explicit Permissions: Setting explicit permissions overrides inheritance.

Toggle inheritance management mode using the switch on the left side of the table. Select desired rows and choose “Inherit from parent” to apply inheritance. To set explicit permissions, click on a specific permission within a row.

Filtering

The MSM provides robust filtering capabilities to focus on specific parts of the configuration:

  • By Object Type: Filter between entities and relations, with sub-filters for specific attributes and types.
  • By Roles: Display permissions for selected roles only.
  • By Permissions: Choose specific permissions (e.g., Read, Update) to display, reducing table size for better visibility.

Active filters are indicated within the interface, and users can clear all filters with a single click.

Adding New Roles

Users can add new roles using the “Add Role” button:

  1. Enter Role Name: Provide a name for the new role.
  2. Copy Existing Role (Optional): Choose an existing role to copy permissions from, streamlining the creation of similar roles.

Renaming / Deleting a Role

Existing roles can be renamed or deleted via the context menu next to the role’s name, providing flexibility in managing role configurations.

Validating Your Configuration

Explaining the Errors

Upon clicking the “Validate Permissions” button, the MSM checks for potential issues:

  • Parent Permission Requirements: Errors occur when a child object has permissions not granted to its parent.
    • Example: Granting “Create” on an attribute without “Create” permission on the entity type.
  • Action Dependencies: Some actions require other permissions to function correctly.
    • Example: “Create” action requires both “Read” and “Update” permissions.

Errors are displayed in a list above the filters. Users can toggle the error list visibility or clear all errors. Validation is informational and does not prevent exporting the configuration.
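
The two checks described above can be sketched as follows. This is an added example, not the MSM's own code: the sample entries are constructed in the shape of the appendix configuration, the inheritance model (a role is compared against its nearest configured ancestor that lists it) is an assumption, and only the dependency this page names (Create requires Read and Update) is encoded.

```javascript
// Constructed sample in the shape of the appendix configuration (not real tenant data).
const sampleConfig = [
  { uri: "configuration/entityTypes/Organization", permissions: [
    { role: "G_RELTIO_DATASTEWARD", access: ["READ", "UPDATE"] },
    { role: "G_RELTIO_UI_ALL", access: ["CREATE", "READ"] }, // CREATE without UPDATE
  ] },
  { uri: "configuration/entityTypes/Organization/attributes/Name", permissions: [
    { role: "G_RELTIO_DATASTEWARD", access: ["CREATE", "READ", "UPDATE"] }, // parent lacks CREATE
  ] },
];

// The only action dependency stated on this page; other dependencies are not assumed.
const REQUIRES = new Map([["CREATE", ["READ", "UPDATE"]]]);

// Assumption: a URI's parent is found by dropping trailing path segments until
// a configured URI that lists the role is reached.
function parentAccess(index, uri, role) {
  let p = uri;
  while (p.includes("/")) {
    p = p.slice(0, p.lastIndexOf("/"));
    const hit = (index.get(p) || []).find((x) => x.role === role);
    if (hit) return { uri: p, access: new Set(hit.access) };
  }
  return null; // no configured ancestor: nothing to compare against
}

function validate(config) {
  const index = new Map(config.map((e) => [e.uri, e.permissions]));
  const errors = [];
  for (const { uri, permissions } of config) {
    for (const { role, access } of permissions) {
      const held = new Set(access);
      const parent = parentAccess(index, uri, role);
      for (const action of access) {
        // Action dependency: every prerequisite must be granted on the same row.
        for (const dep of REQUIRES.get(action) || []) {
          if (!held.has(dep)) errors.push({ kind: "dependency", uri, role, action, missing: dep });
        }
        // Parent requirement: a child may not hold an action its parent lacks.
        if (parent && !parent.access.has(action)) {
          errors.push({ kind: "parent", uri, role, action, parent: parent.uri });
        }
      }
    }
  }
  return errors;
}

console.log(validate(sampleConfig));
```

Because validation in the MSM is informational and does not block export, a check of this kind can be run against the exported JSON as a gate before the file is deployed to a tenant.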

Exporting Your Configuration

After modifications, users can export the configuration by clicking the “Download permissions” button:

  1. Select Save Location: Choose a local directory.
  2. Name the File: Provide a file name for the JSON configuration.

The exported JSON file is ready for deployment to the Reltio tenant.

Limitations and Known Issues

Filters

Currently, the MSM does not support editing filters within the metadata security configuration. The presence of filters is indicated by a filter icon, but no editing functionalities are available.

Browser Navigation

Using the browser’s back or forward navigation buttons can disrupt functionality. Refreshing the page restores full functionality.

File Upload

Uploading a new file while working on an existing configuration overrides the previous data without warning. Unsaved changes will be lost.

Future Roadmap

  • Advanced Validation: Implementing more comprehensive validation to ensure configurations meet expected behaviors and prevent impossible scenarios.
  • Enhanced L3 Support: Allowing direct uploading of L3 configurations to manage attributes not present in the metadata config.
  • Full Tenant Integration: Aiming for complete integration with Reltio tenants, removing the need for manual file uploads and operating directly through Reltio APIs.

Appendix

Configuration Used to Test the App

[
  {
    "uri": "configuration/entityTypes",
    "permissions": [
      {
        "role": "G_RELTIO_DEV_ALL",
        "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
      },
      {
        "role": "G_RELTIO_UI_ALL",
        "access": ["READ"]
      },
      {
        "role": "G_RELTIO_DATASTEWARD",
        "access": ["READ", "UPDATE", "MERGE", "UNMERGE"]
      }
    ]
  },
  {
    "uri": "configuration/entityTypes/Individual",
    "permissions": [
      {
        "role": "G_RELTIO_DEV_ALL",
        "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
      },
      {
        "role": "G_RELTIO_UI_ALL",
        "access": ["READ"]
      },
      {
        "role": "G_RELTIO_DATASTEWARD",
        "access": ["READ", "UPDATE", "MERGE", "UNMERGE"]
      }
    ]
  },
  {
    "uri": "configuration/entityTypes/Individual/attributes",
    "permissions": [
      {
        "role": "G_RELTIO_DEV_ALL",
        "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
      },
      {
        "role": "G_RELTIO_UI_ALL",
        "access": ["READ"]
      },
      {
        "role": "G_RELTIO_DATASTEWARD",
        "access": ["READ", "UPDATE", "MERGE", "UNMERGE"]
      }
    ]
  },
  {
    "uri": "configuration/entityTypes/Organization",
    "permissions": [
      {
        "role": "G_RELTIO_DEV_ALL",
        "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
      },
      {
        "role": "G_RELTIO_UI_ALL",
        "access": ["READ"]
      },
      {
        "role": "G_RELTIO_DATASTEWARD",
        "access": ["READ", "UPDATE", "MERGE", "UNMERGE"]
      }
    ]
  },
  {
    "uri": "configuration/entityTypes/Organization/attributes",
    "permissions": [
      {
        "role": "G_RELTIO_DEV_ALL",
        "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
      },
      {
        "role": "G_RELTIO_UI_ALL",
        "access": ["READ"]
      },
      {
        "role": "G_RELTIO_DATASTEWARD",
        "access": ["READ", "UPDATE", "MERGE", "UNMERGE"]
      }
    ]
  },
  {
    "uri": "configuration/entityTypes/Organization/attributes/Addresses",
    "permissions": [
      {
        "role": "G_RELTIO_DEV_ALL",
        "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
      },
      {
        "role": "G_RELTIO_UI_ALL",
        "access": ["READ"]
      },
      {
        "role": "G_RELTIO_DATASTEWARD",
        "access": ["READ", "UPDATE", "MERGE", "UNMERGE"]
      }
    ]
  },
  {
    "uri": "configuration/entityTypes/Organization/attributes/Addresses/attributes",
    "permissions": [
      {
        "role": "G_RELTIO_DEV_ALL",
        "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
      },
      {
        "role": "G_RELTIO_UI_ALL",
        "access": ["READ"]
      },
      {
        "role": "G_RELTIO_DATASTEWARD",
        "access": ["READ", "UPDATE", "MERGE", "UNMERGE"]
      }
    ]
  },
  {
    "uri": "configuration/entityTypes/Organization/attributes/Name",
    "permissions": [
      {
        "role": "G_RELTIO_DEV_ALL",
        "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
      },
      {
        "role": "G_RELTIO_UI_ALL",
        "access": ["READ"]
      },
      {
        "role": "G_RELTIO_DATASTEWARD",
        "access": ["READ", "UPDATE", "MERGE", "UNMERGE"]
      }
    ]
  },
  {
    "uri": "configuration/relationTypes",
    "permissions": [
      {
        "role": "G_RELTIO_DEV_ALL",
        "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
      },
      {
        "role": "G_RELTIO_UI_ALL",
        "access": ["READ"]
      },
      {
        "role": "G_RELTIO_DATASTEWARD",
        "access": ["READ", "UPDATE", "MERGE", "UNMERGE"]
      }
    ]
  },
  {
    "uri": "configuration/relationTypes/Contact",
    "permissions": [
      {
        "role": "G_RELTIO_DEV_ALL",
        "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
      },
      {
        "role": "G_RELTIO_UI_ALL",
        "access": ["READ"]
      },
      {
        "role": "G_RELTIO_DATASTEWARD",
        "access": ["READ"]
      }
    ]
  },
  {
    "uri": "configuration/relationTypes/Contact/attributes",
    "permissions": [
      {
        "role": "G_RELTIO_DEV_ALL",
        "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
      },
      {
        "role": "G_RELTIO_UI_ALL",
        "access": ["READ"]
      },
      {
        "role": "G_RELTIO_DATASTEWARD",
        "access": ["READ"]
      }
    ]
  },
  {
    "uri": "configuration/relationTypes/Spouse",
    "permissions": [
      {
        "role": "G_RELTIO_DEV_ALL",
        "access": ["CREATE", "READ", "UPDATE", "DELETE", "MERGE", "UNMERGE"]
      },
      {
        "role": "G_RELTIO_UI_ALL",
        "access": ["READ"]
      },
      {
        "role": "G_RELTIO_DATASTEWARD",
        "access": ["READ"]
      }
    ]
  }
]

Note: The above configuration is used for testing purposes within the MSM.

Conclusion

The Reltio Metadata Security Manager by Ulpia significantly enhances metadata security management by providing an intuitive interface and robust features. It streamlines the process of configuring permissions, reduces errors through validation, and improves collaboration between developers and business users. As Ulpia continues to develop the MSM, it promises to become an indispensable tool for organizations utilizing Reltio.
