The authorization tag is an attribute designed to establish the connection between the user-defined DDM roles and the fields of a table to which a mask is to be applied. If an authorization tag is associated with fields of a table on one side and a user-defined role on the other, and if that role is mapped to you, then it can be determined that you have unmask privileges for the fields of the table in consideration.

For DDM, the authorization tag must begin with #DDM_See_. This prefix is not case-sensitive. The permitted characters in an authorization tag are:
  • A maximum of 64 characters from the following restricted character set:

    • a - z

    • A - Z

    • 0 - 9

  • Any of the following seven special characters:
    _ . - # $ % &
Note: Authorization tags cannot contain spaces, and they must consist of more than just a prefix. Therefore, a tag cannot contain an empty string ("").

The default value of the authorization tag in the schema is the unknown value. The maximum length of a tag is 100 bytes.

The DDM administrator is responsible for creating and assigning new authorization tags to the user-defined roles. They can map any role to multiple authorization tags and any authorization tag to multiple user-defined roles. After mapping the roles and authorization tags together, they can map these authorization tags to the table fields. For example, the DDM administrator can assign the #DDM_See_Salary authorization tag to the HR role. Any user who has been assigned this role is authorized to view the Salary field of the Employee table.

You can manage authorization tags using the methods available through the IDataAdminService interface.

For more information on the IDataAdminService methods that you can utilize to manage authorization tags, see IDataAdminService interface.