Locking access controls

In Data Access, you can use the locking mechanism to prevent unauthorized edits to specific parts of your access controls. While access controls are typically managed in the data source or in Data Access, locking provides more granular management. It ensures that specific parts of an access control cannot be edited through the Data Access user interface (UI), so that they remain consistent with your data source.

You can configure locking when adding the data source to Data Access. The locked parts of an access control are synchronized with the data source.

Types of locking

Data Access has the following types of locking.

Locking type Description
User interface locking The locked parts of an access control cannot be edited through the Data Access UI but can be edited through the API.
Full locking

The locked parts cannot be edited through the Data Access UI or the API.

Full locking is configured in the data source and is available for only specific data source types. It is not supported for the data sources that are based on Access Control List (ACL), because the permissions and the data objects in such data sources are too deeply integrated to be separated for locking.

Lockable parts

The following parts of an access control can be locked.

Part Outcome of locking
Owners The owners of the access control cannot be edited. You can lock the owners when they are managed through the tags that are set on the data source.
The What component The data objects of the access control cannot be edited.
The Who component The beneficiaries of the access control cannot be edited. You can lock the Who component when you want to assign your access control to identities by using a different tool, for example, Terraform.
Inheritance The access control cannot be linked to other access controls by using inheritance.
Deletion The access control cannot be deleted.

Lock configuration fields

Use the following table to understand the fields that are available for configuring access control locking when adding your data source to Data Access. Lock options are disabled by default. The Description column indicates what happens if you enable them.

Field Description
Fully lock all Prevents changes to and deletion of all imported access controls.
Fully lock when incomplete

Prevents changes to and deletion of imported access controls only if they are incomplete.

Tip An access control is considered incomplete when the connector cannot fully resolve all its elements during the synchronization. This typically occurs when your data source contains elements that Data Access cannot faithfully represent, such as an intentionally filtered or unresolved beneficiary.
Lock all delete

Prevents the deletion of all imported access controls.

Lock all inheritance

Prevents changes to the inheritance of all imported access controls.

Lock all names

Prevents changes to the names of all imported access controls.

Lock all owners

Prevents changes to the owners of all imported access controls.

Lock all data objects

Prevents changes to the data objects of all imported access controls.

Lock all users and groups

Prevents changes to the identities and groups of all imported access controls.

Lock delete when incomplete

Prevents the deletion of access controls only if they are incomplete.

Lock inheritance when incomplete

Prevents changes to the inheritance of access controls only if the access controls are incomplete.

Lock names when incomplete

Prevents changes to the names of access controls only if the access controls are incomplete.

Lock data objects when incomplete

Prevents changes to the data objects of access controls only if the access controls are incomplete.

Lock users and groups when incomplete

Prevents changes to the identities and groups of access controls only if the access controls are incomplete.

Fully lock by name

Prevents changes to and deletion of access controls if their names during import match the names that you specify in this field.

Fully lock by tag

Prevents changes to and deletion of access controls if their tags match the tags that you specify in this field.

Lock delete by name

Prevents the deletion of access controls if their names during import match the names that you specify in this field.

Lock delete by tag

Prevents the deletion of access controls if their tags match the tags that you specify in this field.

Lock inheritance by name

Prevents changes to the inheritance of access controls if their names during import match the names that you specify in this field.

Lock inheritance by tag

Prevents changes to the inheritance of access controls if their tags match the tags that you specify in this field.

Lock names by name

Prevents changes to the names of access controls if their names during import match the names that you specify in this field.

Lock names by tag

Prevents changes to the names of access controls if their tags match the tags that you specify in this field.

Lock what by name

Prevents changes to the What components (such as data objects) of access controls if their names during import match the names that you specify in this field.

Lock what by tag

Prevents changes to the What components (such as data objects) of access controls if their tags match the tags that you specify in this field.

Lock who by name

Prevents changes to the Who components (such as beneficiaries) of access controls if their names during import match the names that you specify in this field.

Lock who by tag

Prevents changes to the Who components (such as beneficiaries) of access controls if their tags match the tags that you specify in this field.