Locking access controls
In Data Access, you can use the locking mechanism to prevent unauthorized edits to specific parts of your access controls. While access controls are typically managed in the data source or in Data Access, locking provides more granular management. It ensures that specific parts of an access control cannot be edited through the Data Access user interface (UI), so that they remain consistent with your data source.
You can configure locking when adding the data source to Data Access. The locked parts of an access control are synchronized with the data source.
Types of locking
Data Access has the following types of locking.
Lockable parts
The following parts of an access control can be locked.
| Part | Outcome of locking |
|---|---|
| Owners | The owners of the access control cannot be edited. You can lock the owners when they are managed through the tags that are set on the data source. |
| The What component | The data objects of the access control cannot be edited. |
| The Who component | The beneficiaries of the access control cannot be edited. You can lock the Who component when you want to assign your access control to identities by using a different tool, for example, Terraform. |
| Inheritance | The access control cannot be linked to other access controls by using inheritance. |
| Deletion | The access control cannot be deleted. |
Lock configuration fields
Use the following table to understand the fields that are available for configuring access control locking when adding your data source to Data Access. Lock options are disabled by default. The Description column indicates what happens if you enable them.
| Field | Description |
|---|---|
| Fully lock all | Prevents changes to and deletion of all imported access controls. |
| Fully lock when incomplete |
Prevents changes to and deletion of imported access controls only if they are incomplete. Tip An access control is considered incomplete when the connector cannot fully resolve all its elements during the synchronization. This typically occurs when your data source contains elements that Data Access cannot faithfully represent, such as an intentionally filtered or unresolved beneficiary.
|
| Lock all delete |
Prevents the deletion of all imported access controls. |
| Lock all inheritance |
Prevents changes to the inheritance of all imported access controls. |
| Lock all names |
Prevents changes to the names of all imported access controls. |
| Lock all owners |
Prevents changes to the owners of all imported access controls. |
| Lock all data objects |
Prevents changes to the data objects of all imported access controls. |
| Lock all users and groups |
Prevents changes to the identities and groups of all imported access controls. |
| Lock delete when incomplete |
Prevents the deletion of access controls only if they are incomplete. |
| Lock inheritance when incomplete |
Prevents changes to the inheritance of access controls only if the access controls are incomplete. |
| Lock names when incomplete |
Prevents changes to the names of access controls only if the access controls are incomplete. |
| Lock data objects when incomplete |
Prevents changes to the data objects of access controls only if the access controls are incomplete. |
| Lock users and groups when incomplete |
Prevents changes to the identities and groups of access controls only if the access controls are incomplete. |
| Fully lock by name |
Prevents changes to and deletion of access controls if their names during import match the names that you specify in this field. |
| Fully lock by tag |
Prevents changes to and deletion of access controls if their tags match the tags that you specify in this field. |
| Lock delete by name |
Prevents the deletion of access controls if their names during import match the names that you specify in this field. |
| Lock delete by tag |
Prevents the deletion of access controls if their tags match the tags that you specify in this field. |
| Lock inheritance by name |
Prevents changes to the inheritance of access controls if their names during import match the names that you specify in this field. |
| Lock inheritance by tag |
Prevents changes to the inheritance of access controls if their tags match the tags that you specify in this field. |
| Lock names by name |
Prevents changes to the names of access controls if their names during import match the names that you specify in this field. |
| Lock names by tag |
Prevents changes to the names of access controls if their tags match the tags that you specify in this field. |
| Lock what by name |
Prevents changes to the What components (such as data objects) of access controls if their names during import match the names that you specify in this field. |
| Lock what by tag |
Prevents changes to the What components (such as data objects) of access controls if their tags match the tags that you specify in this field. |
| Lock who by name |
Prevents changes to the Who components (such as beneficiaries) of access controls if their names during import match the names that you specify in this field. |
| Lock who by tag |
Prevents changes to the Who components (such as beneficiaries) of access controls if their tags match the tags that you specify in this field. |