Parent/Child Table Security

Simple Data Separation is table-specific, affecting data visibility specifically for the table being accessed. When securing a table that is part of an extended table hierarchy, special consideration is encouraged to ensure the desired behavior is honored for all tables in the hierarchy.

Securing Child Table Data

Simple Data Separation makes it possible to define data segregation on a parent table, but to selectively enable/disable/modify the data segregation used on child tables.

When defining a Separation Rule on a table that has children (a table from which other tables are extended), the preferred options to secure child tables are:

1. Cascade Rule on the Parent Table

   1. By checking the 'Cascade rule' checkbox on your Separation Rule, you can ensure that the same security on the parent table will be honored on all extended tables.

2. Unique Separation Rules for Child Tables

   1. If your data separation needs are different for your child tables than your parent table, then you can create additional Separation Rules for those child tables. In this case, you'll need to ensure that one of the below statements is true:

      1. The 'Cascade rule' checkbox on the parent rule is not selected - this ensures that no child tables inherit the Separation Rule defined for the parent table.

      2. The 'Cascade rule' checkbox on the parent table is selected, but the child table is explicitly named in the 'Cascade exceptions' list - this ensures that all child tables will inherit the Separation Rule defined for the parent table, except for those named as exceptions.

Securing Parent Table Data

Simple Data Separation makes it possible to secure a child table in a hierarchy without affecting the security of its parent tables. This flexibility is an advantage, but can have the unintended affect of exposing child table data when a parent table is viewed directly.

When defining a Separation Rule on a table that has parents (a table that is extended from another table), the preferred options to secure the data from parent table views are:

1. Create the Rule on the Parent Table

   1. Create the Separation Rule on the parent table (instead of the child table).

      1. If the 'Separation field' is not available directly on the parent table, utilize dot-walking to select the appropriate 'Separation field' from the child table.

      2. Use the 'Cascade rule' and 'Cascade exceptions' fields to tailor how the Separation Rule will behave for all child tables extended from the parent.

2. Create an Additional Rule on the Parent Table

   1. Create an additional Separation Rule on the parent table to hide child table records. In many cases, eliminating specific child table data from a parent table view is the ideal solution.

      1. Use the 'Hide child tables' and 'Hide child table exceptions' fields to tailor the data that is visible from a parent table view. When enabled for a child table, that child table's data will not be visible when the parent table is viewed.

         1. Note: When using 'Hide child tables' or 'Hide child table exceptions', it is not required to select a 'Separation field'. This enables you to hide child table data without otherwise segregating data at the parent table.

      2. Use the 'Cascade rule' field to ensure that the 'Hide child tables' configuration is honored down the line in a multi-table hierarchy.

   2. Alternatively, create an additional Separation Rule on the parent table to segregate data in an alternate fashion.

      1. In some cases, data segregation parameters are different for tables in a hierarchy. In these cases, different rules can be utilized for each table.

      2. Use the 'Cascade rule' and 'Cascade exceptions' fields to tailor how the Separation Rule will behave for all tables in the hierarchy.