Edit User Access Rules

The Edit User Access Rules tab is used to specify the Compliance Categories accessible to database users and roles. A field and a user must have at least one Compliance Category in common for the user to see unencrypted field data.

  • If a database user is not in the User Access Rules table and is not a member of a database role in the table (directly or indirectly), then the database user will be denied access to CS:Govern protected fields. “Denied Access” means that they will see the Masked value for any CS:Govern field they try to read.
  • If a database user is in the User Access Rules table (directly or because of database role membership), then they will be able to view unencrypted data for any CS:Govern protected field which matches one of the Compliance Categories assigned to the user.

Examples:

  • Suppose database user “henry” is in the User Access Rules table and his Compliance Categories include Public and PII. When reading CopyStorm field data, “henry” will be able to view any field in the Public or PII compliance categories unencrypted. For CS:Govern fields in other compliance categories, “henry” will see the masked value.
  • Suppose database user “mary” is not in the User Access Rules table but “mary” is a member of the database role “HumanResources” in the User Access Rules table. If “HumanResources” can see unencrypted data in PII fields, then so can “mary”.
  • Suppose database user “greg” is in the User Access Rules table but no compliance categories have been set on his record. User “greg” will not be able to see any decrypted field values.
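The rules and examples above can be modelled in a few lines to audit who would see a field unencrypted before the rules are saved. This is an added example, not CS:Govern's own code: the table layouts, function names, user “alice”, and nested role “Recruiting” are hypothetical, and combining a user's own categories with those of their roles as a union is an assumption.

```python
# Model of the access rules described above (not CS:Govern's own code).
# All table contents below are constructed sample data.

# User Access Rules table: principal (user or role) -> Compliance Categories
ACCESS_RULES = {
    "henry": {"Public", "PII"},
    "HumanResources": {"PII"},
    "greg": set(),                      # listed, but no categories assigned
}

# Database role membership: member -> roles it belongs to (roles may nest).
ROLE_MEMBERSHIP = {
    "mary": {"HumanResources"},
    "alice": {"Recruiting"},            # hypothetical user
    "Recruiting": {"HumanResources"},   # hypothetical nested role
}


def principals_for(user):
    """Return the user plus every role reached directly or indirectly."""
    seen, stack = set(), [user]
    while stack:
        name = stack.pop()
        if name in seen:                # guards against cyclic role grants
            continue
        seen.add(name)
        stack.extend(ROLE_MEMBERSHIP.get(name, ()))
    return seen


def effective_categories(user):
    """Union (an assumption) of the categories of every matching table entry."""
    cats = set()
    for name in principals_for(user):
        cats |= ACCESS_RULES.get(name, set())
    return cats


def can_read_unencrypted(user, field_categories):
    """True when the user and the field share at least one category."""
    return bool(effective_categories(user) & set(field_categories))


def audit(users, field_categories):
    """Map each user to 'unencrypted' or 'masked' for one protected field."""
    return {u: "unencrypted" if can_read_unencrypted(u, field_categories)
            else "masked" for u in users}
```
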

How to Add a New User or Database Role

To add a new database user or role to the CS:Govern rules:

  • Click on the Add Additional Users or Roles button. This will launch a dialog for selecting users and roles.
  • Edit the Compliance Categories for the newly added user or role.
  • Click on the Save button to write changes to the CopyStorm database. After the save operation, CS:Govern will be using the rules.

Removing a user is simple: Click on the Remove button at the far right of any user or role record.

Once a user or role is selected, set the Compliance Categories accessible to the user or role.