Attributes based on Source

Attribute Management in TrustLogix allows organizations to configure user attributes for data access control.

Entitlement Attribute Management in TrustLogix ensures flexible and scalable attribute creation and mapping. Whether using direct, derived, hierarchical, or recursive hierarchical types, organizations can manage access efficiently.

1. Attribute Source Configuration

2. Creating Attributes with Source Configuration:

   • Direct Mapping Attribute

   • Derived Attribute

   • Hierarchical Attribute

   • Recursive Hierarchical Attribute

3. Creating Attributes Without Source Configuration

TrustLogix supports separation of duties for attribute management feature.

User Attribute Administrator is responsible for Attribute Source Configuration, Attribute Creation and also Attribute Value population

Value Manager is responsible for Attribute Value Population

Ensure the right user is logged in and performing respective activity. The users can be confined to a particular data source by assigning the data source in user administration screen.

Attribute Source Configuration

Attribute Source Configuration is a one-time activity required to define a source for attributes. Any registered TrustLogix account can configure a source from a dimension table (or master table).

Steps to Configure a Source:

• Enter the name of the connection.

• Select the data source from the dropdown list.

• Click Create Configuration.

• On the next screen, attributes can be created using this source.

Creating an Attribute with Source Configuration

Steps:

• Select Target Datasource and Data Product.

• Choose Attribute Type.

• Enter Display Name and Description.

• Select the Multi-Value checkbox if applicable.

• Click Import to create the attribute.

• Go to User Attributes tab to verify the newly created attributes.

Direct Mapping Attribute

• Used when the attribute value is directly mapped to a column.

• Example: Department Name mapped from a Department Dimension Table.

• The Department Name attribute will be stored as a dropdown list.

• Ensure TrustLogix users have SELECT access to the department dimension table.

Derived Attribute Type

• Used when an attribute value is obtained by joining a source column with a value column in a dimension table.

• Example: Assigning a Department Name while storing Department ID in a fact table.

• The Department ID is stored in the fact table but resolved to Department Name via a join.

Hierarchical Attribute Type

• Used when an attribute value is derived from hierarchical columns in a dimension table.

• Example: Assigning country access within a geographical hierarchy.

• The hierarchy is displayed as a tree structure, allowing multiple selections.

Recursive Hierarchical Attribute Type

• Used when an attribute value is derived from a recursive hierarchy.

• Example: Employee reporting structure.

• Select MANAGER_EMAIL as Parent Column and EMP_EMAIL as Child Column.

• This allows an attribute value to be displayed in a hierarchical tree.

Creating an Attribute Without Source Configuration

• Attributes can be created without a source configuration.

• The value screen will show an input text box for free-form text entry.

Steps:

• Click Add Attribute.

• Select Target Datasource and Data Product.

• Enter Display Name, Description, Type and Group.

• Select Multiple Values checkbox if needed.

• Click Save.

• Click Provision to push the attribute to the target datasource.

Associating Attributes with Data Products

When creating an attribute in the TrustLogix platform, it is mandatory to associate it with a Data Product. Attributes associated with "All" are shared globally across all Data Products.

Each Data Product can maintain its own distinct set of attributes and a designated Identifier. These attributes are critical for defining data access policies tailored to individual Data Products.

Note: An attribute can be associated with one or multiple Data Products based on the access control requirements.

When adding attribute values, the platform uses the selected attribute and its associated Identifier to populate the values correctly. This ensures precise mapping and enforcement of policies across different Data Products.

For more information on attribute value population, see Attribute Value

Configuring Identifier attribute

To add attribute values in the TrustLogix App, one of the attributes must be designated as the Identifier. This Identifier uniquely distinguishes each entity (e.g., a user, role, or group) and serves as the primary reference point for additional attributes.

Attributes such as User Name, Role Name, or Group Name are commonly used as Identifiers due to their unique and descriptive nature. All other attributes will be treated as supplementary characteristics associated with the Identifier.

To configure an attribute as an Identifier:

• Select the "Use this as user identifier" checkbox for the relevant attribute.

• This configuration can be applied during the initial creation of the attribute or updated later by editing an existing attribute.

Designating the correct Identifier is essential for accurate data representation and effective policy enforcement within the TrustLogix platform.

Overriding Identifier attribute for a data product

In TrustLogix, you can assign different Identifier attributes for each Data Product to enable precise and context-aware access control. An Identifier uniquely distinguishes a user or entity within the context of a Data Product and plays a critical role in policy definition.

If no specific Identifier is configured for a Data Product, the attribute "User Name" (associated with the "All" Data Product) will be used as the default Identifier across all Data Products.

Example

Let’s consider three Data Products: HR, Finance, and Health Care.

If you do not configure an Identifier for any specific Data Product, the attribute "User Name" will be used as the default Identifier across HR, Finance, and Health Care.

However, for the HR Data Product, you may want to override this and use "Employee ID" as the Identifier since it more accurately reflects the internal HR systems.

To override the default:

✅ Select the checkbox “Use this as user identifier” for the attribute Employee ID when creating or editing the attribute.

This approach ensures that each Data Product uses the most appropriate Identifier, enhancing the accuracy and granularity of your data access policies.

Note: Only one attribute can serve as the Identifier per Data Product, and it must be marked accordingly using the "Use this as user identifier" option during creation or by editing the attribute.

Organizing Attributes Using Groups

Attributes in TrustLogix can be assigned to a Group during creation or later through updates. Grouping related attributes together provides better organization, especially when managing attributes across multiple data products or use cases.

Grouping attributes based on their function or context enhances usability and consistency. All attributes belonging to the same group are displayed together on the Attribute Value page, making it easier for users to populate values efficiently and accurately.

This approach supports streamlined configuration and improved clarity when working with complex attribute sets across different business domains.