Use case overview

This guide walks through an example attribute-based access control workflow in which you create and assign roles, labels, and policies to control whether users can access specific resources in your organization. The example restricts access to sensitive data, as outlined below:

You are a healthcare provider and want to configure access to resources in your organization.

  • Your internal marketing team should be able to access PHI/ Regulated Health Data.
  • Your external agency should not be able to access PHI/ Regulated Health Data.

In order to do this, you must configure roles, resources, and policies.

You will:

Permissions

Permissions is the area of Experience Cloud where administrators can define user roles and policies to manage permissions for features and objects within a product application.

Through Permissions, you can create and manage roles and assign the desired resource permissions for these roles. Permissions also allow you to manage the labels, sandboxes, and users associated with a specific role.

Contact your system administrator to gain access if you do not have admin privileges.

Once you have admin privileges, go to Adobe Experience Cloud and sign in using your Adobe credentials. Once logged in, the Overview page appears for the organization you have admin privileges for. This page shows the products your organization is subscribed to, along with other controls to add users and admins to the organization. Select Permissions to open the workspace for your Platform integration.

Image showing the Permissions product being selected in Adobe Experience Cloud

The Permissions workspace for Platform UI appears, opening on the Overview page.

Apply labels to a role

Roles are ways to categorize the types of users interacting with your Platform instance and are building blocks of access control policies. A role has a given set of permissions, and members of your organization can be assigned to one or more roles, depending on the scope of access they need.

To get started, select Roles from the left navigation and then select ACME Business Group.

Image showing the ACME Business Group being selected in Roles

Next, select Labels and then select Add Labels.

Image showing Add labels being selected on the Labels tab

A list of all labels in your organization appears. Select RHD to add the label for PHI/Regulated Health Data and then select Save.

Image showing the RHD label being selected and saved

NOTE
When adding an organization group to a role, all users in that group will be added to the role. Any changes to the organization group (users removed or added) will be automatically updated within the role.

Apply labels to schema fields

Now that you have configured a user role with the RHD label, the next step is to add that same label to the resources that you want to control for that role.

From the top navigation, select the application switcher, represented by the application switcher icon, and then select Experience Platform.

Image showing Experience Platform being selected from the application switcher's dropdown menu

Select Schemas from the left navigation and then select ACME Healthcare from the list of schemas that appear.

Image showing the ACME Healthcare schema being selected from the Schemas tab

Next, select Labels to see a list that displays the fields associated with your schema. From here, you can assign labels to one or multiple fields at once. Select the BloodGlucose and InsulinLevel fields, and then select Apply access and data governance labels.

Image showing the BloodGlucose and InsulinLevel being selected and apply access and data governance labels being selected

The Edit labels dialog appears, allowing you to choose the labels that you want to apply to the schema fields. For this use case, select the PHI/ Regulated Health Data label, then select Save.

Image showing the RHD label being selected and saved

NOTE
When a label is added to a field, that label is applied to the parent resource of that field (either a class or a field group). If the parent class or field group is employed by other schemas, those schemas will inherit the same label.

Apply labels to audiences

NOTE
Any audience that utilizes a labeled attribute must likewise be labeled if you want the same access restrictions to apply to it.

Once you have completed labeling your schema fields, you can now begin labeling your audiences.

Select Audiences from the left navigation under the Customers section. A list of audiences available in your organization is displayed. In this example, the following two audiences are to be labeled as they contain sensitive health data:

  • Blood Glucose >100
  • Insulin <50

Select Blood Glucose >100 (by the audience name, not the checkbox) to start labeling the audience.

Image showing the Blood Glucose >100 being selected from the Audiences tab

The segment Details screen appears. Select Manage Access.

Image showing the selection of Manage Access

The Apply access and data governance labels dialog appears, allowing you to choose the labels that you want to apply to the audience. For this use case, select the PHI/ Regulated Health Data label, then select Save.

Image showing the selection of the RHD label and save being selected

Repeat the above steps with Insulin <50.

NOTE
Assign labels created in the Permissions workspace (such as the segment labels above) to various objects in Adobe Journey Optimizer using Object Level Access Control.

Activate the access control policy

The default access control policy will leverage labels to define which user roles have access to specific Platform resources. In this example, access to schema fields and audiences will be denied in all sandboxes for users who aren’t in a role that has the corresponding labels in the schema field.

To activate the access control policy, select Permissions from the left navigation and then select Policies.

List of policies displayed

Next, select the ellipsis (...) next to the Default-Field-Level-Access-Control-Policy, and a dropdown displays controls to edit, activate, delete, or duplicate the policy. Select Activate from the dropdown.

Dropdown to activate policy

The activate policy dialog appears, which prompts you to confirm activation. Select Confirm.

Activate policy dialog

Confirmation of policy activation is received and you are returned to the Policies page.

Activate policy confirmation
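
The label matching that this workflow configures, including the inheritance and audience notes above, can be checked against a small model. The following Python is an added example, not Adobe's implementation: it assumes a role must carry every label on a resource and that unlabeled resources stay accessible, and the names External Agency, Health Measures, ACME Wellness, marketer and agency are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Org:
    policy_active: bool = False
    role_labels: dict = field(default_factory=dict)    # role -> labels on the role
    user_roles: dict = field(default_factory=dict)     # user -> roles
    field_labels: dict = field(default_factory=dict)   # (field group, field) -> labels
    schema_groups: dict = field(default_factory=dict)  # schema -> field groups it uses
    audiences: dict = field(default_factory=dict)      # name -> {"fields", "labels"}

    def labels_on_field(self, schema, fname):
        # Labels sit on the parent field group, so every schema using it inherits them.
        return set().union(*(self.field_labels.get((g, fname), set())
                             for g in self.schema_groups[schema]))

    def allowed(self, user, labels):
        # Assumption: one of the user's roles must carry every label on the resource.
        if not self.policy_active or not labels:
            return True
        return any(labels <= self.role_labels.get(r, set())
                   for r in self.user_roles.get(user, ()))

    def can_read_field(self, user, schema, fname):
        return self.allowed(user, self.labels_on_field(schema, fname))

    def can_use_audience(self, user, name):
        return self.allowed(user, self.audiences[name]["labels"])

    def audience_label_gaps(self):
        # Audiences built on labeled fields that do not carry those labels themselves.
        gaps = {}
        for name, aud in self.audiences.items():
            needed = set().union(*(labs for (_, f), labs in self.field_labels.items()
                                   if f in aud["fields"]))
            if needed - aud["labels"]:
                gaps[name] = needed - aud["labels"]
        return gaps

def demo_org():
    # Constructed state (hypothetical names): policy active, second audience not yet labeled.
    return Org(
        policy_active=True,
        role_labels={"ACME Business Group": {"RHD"}, "External Agency": set()},
        user_roles={"marketer": {"ACME Business Group"}, "agency": {"External Agency"}},
        field_labels={("Health Measures", f): {"RHD"} for f in ("BloodGlucose", "InsulinLevel")},
        schema_groups={s: {"Health Measures"} for s in ("ACME Healthcare", "ACME Wellness")},
        audiences={"Blood Glucose >100": {"fields": {"BloodGlucose"}, "labels": {"RHD"}},
                   "Insulin <50": {"fields": {"InsulinLevel"}, "labels": set()}})
```

In this constructed state `audience_label_gaps()` reports Insulin <50, the audience that still needs the RHD label before the external agency is denied access to it.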