Object security policies are in the beta phase of development and may not be available on your enrollment. Object security policies are currently only supported on streaming object types. Functionality may change during active development.
Object security policies allow you to configure object instance permissions without dependency on backing datasources.
When an object security policy is configured, users do not need Viewer permissions to the object type's backing datasources to view any object instances.
Instead, access to an object instance is determined by the following conditions:
A granular policy can be configured to enable row-level security in the same manner as a restricted view granular policy, but it is based on object properties instead of dataset columns.
By default, an object security policy will inherit all mandatory controls from its datasources. These include markings, organizations, and classifications.
The object security policy can then be further customized to add new mandatory controls and remove inherited mandatory controls that are no longer necessary.
Visibility of specific properties can be guarded by an additional property security policy. Property security policies are identical to object security policies, except they only apply to a selection of properties.
When a property security policy is configured for a property, the user must pass both the object and property security policy to view the property value. If a user passes the object security policy but does not pass the property security policy, they will instead see a null value in place of the property value.
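The evaluation order described above, as an added example: a simplified Python model, not Foundry code or a Foundry API. All names (`Policy`, `object_policy`, `view`) and the sample data are hypothetical, and mandatory controls are reduced to a set of markings the user must hold in full.

```python
from dataclasses import dataclass
from typing import Callable, Optional

Granular = Callable[[dict, dict], bool]  # (user, object properties) -> allowed


@dataclass
class Policy:
    """Simplified model: mandatory markings plus an optional granular rule."""
    markings: frozenset = frozenset()
    granular: Optional[Granular] = None

    def passes(self, user: dict, props: dict) -> bool:
        # Assumption: every mandatory marking must be held by the user.
        if not self.markings <= user["markings"]:
            return False
        # The granular rule reads object properties, not dataset columns.
        return self.granular is None or self.granular(user, props)


def object_policy(datasource_markings, add=(), remove=(), granular=None) -> Policy:
    """Inherit all datasource markings, then apply explicit additions and removals."""
    inherited = frozenset().union(*datasource_markings)
    return Policy((inherited | frozenset(add)) - frozenset(remove), granular)


def view(user, props, obj_policy, prop_policies):
    """Return what the user sees: None if the object is hidden, else a dict
    where properties failing their property policy are replaced by None."""
    if not obj_policy.passes(user, props):
        return None
    out = {}
    for name, value in props.items():
        pp = prop_policies.get(name)
        out[name] = value if pp is None or pp.passes(user, props) else None
    return out


# Constructed sample data.
FLIGHT = {"flight_id": "F-1", "region": "EU", "passenger_manifest": "manifest-blob"}
OBJ = object_policy([{"ops"}, {"ops", "raw-feed"}], remove={"raw-feed"},
                    granular=lambda u, p: p["region"] in u["attrs"]["regions"])
PROPS = {"passenger_manifest": Policy(frozenset({"pii"}))}
ANALYST = {"markings": {"ops"}, "attrs": {"regions": {"EU"}}}
PRIVACY = {"markings": {"ops", "pii"}, "attrs": {"regions": {"EU"}}}
OUTSIDER = {"markings": {"ops"}, "attrs": {"regions": {"US"}}}
```

A null in the result is ambiguous to a consumer: it can mean the property is empty or that the property security policy denied it, so downstream logic should not treat null as "no data".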
The following restrictions apply when configuring one or more property security policies: