ECS - Restrict Member Tenant user from updating Shared Instances via Data Import

As of the Trillium release, a new capability is available for use with Data Import roles to control whether a user can update Shared Instances via Data Import in ECS environments. This page documents the specific details and expected behavior of this capability.

Preconditions

A new user capability has been introduced called ‘Consortia Data-Import Central-Record-Update’.

  • This controls whether a Member Tenant user can update Shared Instances via Data Import.

  • This capability is included in the default ‘Data Import’ role to ensure there’s no change to existing, pre-Trillium users working with the system default role.

NOTE: If you have any pre-Trillium, customized/non-default Data Import users who should have the ability to update Shared Instances via Data Import, then you will want to add the 'Consortia Data-Import Central-Record-Update' capability for these users.



Implementation

To restrict Member Tenant Data Import Update jobs from affecting Shared Instances, a library can create a custom Data Import role which does not include the ‘Consortia Data-Import Central-Record-Update’ capability and then assign this role to those users whose Data Import access should be limited to Local Member Tenant data only.

When setting up a role for this purpose, an admin user should ensure that 'Consortia Data-Import Central-Record-Update' is unchecked in each of the following locations in the given role details under Settings app → Authorization roles:

  1. Capability sets -> Data

  2. Capabilities -> Data

  3. Capabilities -> Procedural



Expected Behavior

  • If a Member Tenant user has the ‘Consortia Data-Import Central-Record-Update’ capability, then they will have the ability to update Shared Instances via Data Import. This will be the same behavior as seen in pre-Trillium releases.

  • If a Member Tenant user does not have the ‘Consortia Data-Import Central-Record-Update’ capability and runs an Instance Update Data Import job which matches on a Shared Instance, then they will receive the following error message in their Data Import log, and no update will be processed for the matched Shared record: "User does not have permission to update record/instance on central tenant"

Additional Information