Locking access controls

In Data Access, you can use the locking mechanism to prevent unauthorized edits to specific parts of your access controls.

While access controls are typically managed in the data source or in Data Access, locking provides more granular management. It ensures that specific parts of an access control can't be edited through the Data Access user interface, so that they remain consistent with the data source. You can set locking parameters when adding or configuring a data source.

The locked parts are synchronized with the data source. Additionally, the value in the Managed in field in the access control remains Collibra, although the access control is partially managed in Collibra Data Access and partially in the data source.

Types of locking

Data Access has the following types of locking.

Locking type	Description
User interface locking	The locked parts of an access control can't be edited through the Data Access user interface but can be edited through the API.
Full locking	The locked parts can't be edited through the Data Access user interface or the API. Full locking is configured in the data source and is available for only specific data source types. It isn't supported for ACL-based data sources because the permissions (Who) and the data objects (What) in such data sources are too deeply integrated to be separated for locking.

Which parts can be locked

The following parts of an access control can be locked.

Locked part	Result of locking
Who	The beneficiaries of the access control can't be edited. You can lock the who part when you want to assign your access control to identities using a different tool.
Inheritance	The access control can't be linked to other access controls using inheritance.
Deletion	The access control can't be deleted.
What	The data objects of the access control can't be edited.
Owners	The owners of the access control can't be edited. You can lock the owners when they are managed through tags set on the data source.