Configuring Tag-based Access

Overview

Tag-based access control lets you restrict a user's access in Data Mapping & Risk Manager to only the entities that share one or more Tags with that user. A common use case is restricting users to Business Process records associated with their department — so that an Engineering user only sees Engineering records, a Marketing user only sees Marketing records, and so on.

This article walks through a complete example of that configuration: creating a Departments Tag Group, associating it with both the User entity and the Business Process entity, assigning departments to individual users, and applying a custom Permission Set with Tag-based access.

For information on creating custom Permission Sets, see Managing User Access.

What you can do

- Create a Tag Group to represent a custom access dimension (such as departments)
- Associate that Tag Group with both User and Business Process entities
- Assign tag values to individual users to define their access scope
- Apply a Tag-based Permission Set to enforce the restriction

Prerequisites

- Admin privileges in both the Admin module and Data Mapping & Risk Manager
- Familiarity with Permission Sets (see Managing User Access)

Configuring Tag-Based Access Control

The following steps walk through a complete example of restricting Business Process access based on department. To apply this to a different entity type or access dimension, adapt the Tag Group name and entity selections accordingly.

1. From the left side of the page, hover over the Admin icon, then navigate to Tags > Tag Groups.
   [Screenshot: Admin navigation showing Tags expanded with Tag Groups selected]
2. Create a Tag Group representing all departments in your company. This will serve as the basis for a corresponding custom field.
   - Click Add New and name the Tag Group Departments. For more information, see Creating Tag Groups.
     [Screenshot: Tag Groups page with the Add New button highlighted and a new group being named Departments]
   - Add your department names as tags within the group. In this example, four departments have been created: Engineering, Marketing, Human Resources, and Sales. You can create any number of departments and sub-departments in a Tag Group hierarchy.
     [Screenshot: Departments Tag Group showing four tags: Engineering, Marketing, Human Resources, and Sales]
3. Associate the Departments Tag Group with the User entity in the Admin module.
   - From the left side of the page, hover over the Admin icon, then navigate to Tags > Associations.
     [Screenshot: Admin navigation showing Tags expanded with Associations selected]
   - Click New Association.
     [Screenshot: Associations page with the New Association button highlighted]
   - Set Application to Admin.
   - Set Entity to User.
   - Set Tag Group to the newly created Departments group.
   - Check the Use for Access Control checkbox to designate this field for restricting access to system entities.
   - Click Associate to save.
📋 Notes

When a tag-based custom field is associated with Data Mapping & Risk Manager in the Application field, it is always used for access control regardless of the Use for Access Control checkbox setting.

The Allow Multiple Values checkbox controls whether users can select more than one tag value in that field. For example, checking this for the Departments field means a Business Process can be associated with more than one department.

4. Associate the Departments Tag Group with the Business Process entity in Data Mapping & Risk Manager. Click New Association again and complete the fields as follows:
   - Set Application to Data Mapping & Risk.
   - Set Entity to BusinessProcess.
   - Set Tag Group to Departments.
   - Check both Allow Multiple Values and Use for Access Control to allow Business Processes to be associated with more than one department.
   - Click Associate to save.
5. Assign a department to each user you want to restrict.
   - Hover over the Admin icon and navigate to User Settings > Users.
     [Screenshot: Admin navigation showing User Settings expanded with Users selected]
   - Locate the user (use the Search Users field if needed), then click the Settings icon to the right of their record and select Edit User from the context menu.
     [Screenshot: Users list showing the Settings icon and Edit User option in the context menu for a selected user]
   - In the Edit User window, go to the Tags section and select the user's department in the Departments field.
     [Screenshot: Edit User window showing the Tags section with the Departments field and department options]
     📋 Note: The name of the custom field matches the Tag Group name and is the same across all entities it is added to. In this example, the field is named Departments; this name appears on both Business Process records and the User Management screen, even though a user typically belongs to only one department.
   - Click Update User to save. Repeat for every user you want to restrict based on their department.
6. Assign a custom Permission Set with Tag permission type for the Business Process entity to all users whose access you want to restrict. See Managing User Access for instructions on creating and assigning Permission Sets.

The screenshot below shows an example of a Permission Set configured for Tag-based access:

[Screenshot: Permission Group Settings modal showing Tag selected as the permission type for Business Process entity actions]

📋 Result: Once all steps are complete, a Business Process is accessible only to users who share at least one department tag with that record and who have been assigned the Tag-based Permission Set. All other users will not be able to see or interact with it.
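
The rule in the Result note, modeled as an added example (not TrustArc code and not part of the original article): it evaluates the tag match for constructed users and records, then audits for users or records the rule can never match. The Permission Set name, class and function names, and sample data are assumptions; the model covers only the rule as stated here, not access granted through other Permission Sets.

```python
from dataclasses import dataclass, field

TAG_PERMISSION_SET = "BP-Tag-Access"  # hypothetical Permission Set name

@dataclass
class User:
    name: str
    departments: set = field(default_factory=set)      # Departments field on the user
    permission_sets: set = field(default_factory=set)

@dataclass
class BusinessProcess:
    name: str
    departments: set = field(default_factory=set)      # multi-valued Departments field

def tag_rule_grants(user, record):
    """Rule as stated on the page; other Permission Sets are outside this model."""
    return (TAG_PERMISSION_SET in user.permission_sets
            and bool(user.departments & record.departments))

def visible_records(user, records):
    return [r.name for r in records if tag_rule_grants(user, r)]

def audit(users, records):
    """Flag setups where the tag rule can never match or is not enforced."""
    findings = []
    for u in users:
        has_set = TAG_PERMISSION_SET in u.permission_sets
        if has_set and not u.departments:
            findings.append(f"user {u.name}: Permission Set assigned, no Departments tag")
        if u.departments and not has_set:
            findings.append(f"user {u.name}: Departments tag set, Permission Set missing")
    for r in records:
        if not r.departments:
            findings.append(f"record {r.name}: no Departments tag, matches no user")
    return findings

# Constructed sample data, not taken from any real tenant.
USERS = [User("alice", {"Engineering"}, {TAG_PERMISSION_SET}),
         User("bob", {"Marketing"}, {TAG_PERMISSION_SET}),
         User("carol", set(), {TAG_PERMISSION_SET}),
         User("dave", {"Sales"}, set())]
RECORDS = [BusinessProcess("Build pipeline", {"Engineering"}),
           BusinessProcess("Product launch", {"Engineering", "Marketing"}),
           BusinessProcess("Payroll", {"Human Resources"}),
           BusinessProcess("Vendor intake", set())]

if __name__ == "__main__":
    print({u.name: visible_records(u, RECORDS) for u in USERS}, *audit(USERS, RECORDS), sep="\n")
```

Running the audit against an export of users and Business Process records before step 6 is rolled out shows which users would lose all visibility and which records would become invisible to every tag-restricted user.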
TrustArc  ·  Configuring Tag-Based Access Control  ·  support.trustarc.com