Sensitive data access inheritance
Concept

In Security and compliance studio, you can manage which securable objects have access to sensitive data. For each securable object, you can:

• Give access to sensitive data: If you give a securable object access to sensitive data, automatically all related securable objects get access to sensitive data as well.
• Undo access to sensitive data: If you, for a securable object, undo the access to sensitive data, automatically the access to sensitive data is undone for all related securable objects as well.

• If you give a securable object access to sensitive data, all entry points that are assigned to this securable object get access to this sensitive data as well. And, as a consequence, all securable objects that have access to these entry points also get access to this sensitive data by inheritance.
• If for a securable object the access to sensitive data is undone, access to sensitive data is also undone for all entry points that are assigned to this securable object. And, as a consequence, for all securable objects that have access on these entry points, the access to sensitive data is also undone. If a securable object has another entry point assigned that has access to sensitive data, the access to sensitive data is not undone.

As a result of giving 'Privilege 2' access to sensitive data:

• Entry points 2-3 are given access to sensitive data.
• By inheritance, Privilege 1, Duties 1-2, Roles 1-3, and Users A-D are given access to sensitive data.
• As Privilege 1 is given access to sensitive data, Entry point 1 is given access to sensitive data as well.
• Privilege 3, Role 4, and User E already had access to sensitive data, inherited from Entry point 4. So, nothing changes for these securable objects.

Example 2

The result of Example 1 is the starting point.

Undo access to sensitive data for Duty 2.

As a result of undoing access to sensitive data for Duty 2:

• Access to sensitive data is undone for Entry points 2-3.
• By inheritance, access to sensitive data is undone for Privileges 1-2, Duty 1, Roles 1-3, and Users A-D.
• As access to sensitive data is undone for Privilege 1, also access to sensitive data is undone for Entry point 1.
• Privilege 3, Role 4, and User E have access to sensitive data, inherited from Entry point 4. So, nothing changes for these securable objects.