FieldRestriction

Controls access to specific fields within data records, implementing column-level security that determines which attributes users can see, modify, or interact with regardless of their access to the parent record. This granular control is essential when users need access to records but shouldn't see all fields - for example, HR staff might access employee records but not see salary information, or customer service reps might view orders but not credit card details. Field restrictions support various protection levels: complete hiding (field doesn't exist), masking (showing '****' instead of values), redaction (showing partial data like last 4 digits), transformation (showing ranges instead of exact values), and read-only (visible but not editable). The entity handles field dependencies where restricting one field affects others, inheritance where child objects inherit parent field restrictions, and conditional restrictions based on field values or user context. It enables compliance with privacy regulations requiring data minimization, implements need-to-know principles for sensitive attributes, and supports dynamic schemas where different users see different views of the same data. Field restrictions can be temporary (hiding data during blackout periods), progressive (revealing more fields as trust increases), or contextual (showing fields only in certain workflows). This field-level security is crucial for multi-tenant SaaS applications, healthcare systems protecting patient data, and financial systems managing sensitive financial information.

29 properties
Schema

Properties

PropertyTypeModeDescriptionRequired
restrictionIduuid
stored

Unique identifier for this field restriction

Required
resourceTypestring
stored

Type of resource containing the field

Example: "employee_profile"

Required
fieldNamestring
stored

Name of the field being restricted

Example: "salary"

Required
fieldPathstring
stored

Full path for nested fields

Example: "compensation.base_salary"

Optional
restrictionTypestring
enum

Type of restriction applied

Values: hide, mask, redact, transform, readonly, writeonly, encrypt

Required
restrictionLevelstring
enum

Severity of restriction

Values: none, partial, full

Optional
maskingPatternstring
stored

Pattern for masking values

Example: "***-**-####"

Optional
transformFunctionstring
stored

Transformation to apply to field value

Example: "round_to_nearest_thousand"

Optional
appliesTostring
stored

JSON criteria for who this restriction affects

Example: "{\"roles\":[\"employee\",\"contractor\"],\"clearance_level\":{\"$lt\":3}}"

Required
exemptionsstring
stored

JSON array of exemption conditions

Example: "[{\"role\":\"payroll_admin\"},{\"user_id\":\"cfo_001\"}]"

Optional
conditionsstring
stored

JSON conditions for when restriction applies

Example: "{\"record_status\":\"active\",\"user_department\":{\"$ne\":\"hr\"}}"

Optional
dependentFieldsstring
stored

JSON array of fields affected by this restriction

Example: "[\"total_compensation\",\"bonus_eligible\"]"

Optional
inheritToChildrenboolean
stored

Whether child objects inherit this restriction

Optional
priorityinteger
stored

Evaluation order for conflicting restrictions

Optional
dataClassificationstring
stored

Classification of the protected field

Example: "highly_sensitive"

Optional
complianceRequirementstring
stored

Regulatory requirement for this restriction

Example: "GDPR Article 25 - Data Protection by Design"

Optional
alternativeValuestring
stored

Value to show instead of restricted data

Example: "Contact HR for details"

Optional
visibilityRulesstring
stored

JSON rules for field visibility

Example: "{\"show_if\":\"user.id == record.manager_id\",\"hide_if\":\"record.confidential == true\"}"

Optional
auditAccessboolean
stored

Whether to audit access attempts

Optional
notifyOnAccessboolean
stored

Whether to notify when restricted field is accessed

Optional
temporalRestrictionstring
stored

Time-based restriction rules

Example: "{\"blackout_period\":\"quarter_end\",\"visible_after\":\"90_days\"}"

Optional
encryptionRequiredboolean
stored

Whether field must be encrypted at rest

Optional
retentionPolicystring
stored

Special retention rules for this field

Optional
isActiveboolean
stored

Whether this restriction is active

Optional
effectiveFromDateTime
stored

When restriction becomes effective

Optional
effectiveUntilDateTime
stored

When restriction expires

Optional
createdByUser
stored

Who created this restriction

Optional
createdAtDateTime
stored

When restriction was created

Required
metadataobject
stored

Additional restriction configuration

Optional

Examples

Example 1

{
  "@type": "FieldRestriction",
  "restrictionId": "restrict_salary_001",
  "resourceType": "employee_profile",
  "fieldName": "salary",
  "fieldPath": "compensation.base_salary",
  "restrictionType": "mask",
  "restrictionLevel": "full",
  "maskingPattern": "$***,***",
  "appliesTo": "{\"roles\":[\"employee\",\"manager\"],\"clearance_level\":{\"$lt\":4}}",
  "exemptions": "[{\"role\":\"hr_admin\"},{\"role\":\"payroll\"},{\"condition\":\"user.id == record.id\"}]",
  "conditions": "{\"record.employment_status\":\"active\"}",
  "dependentFields": "[\"total_compensation\",\"bonus_amount\",\"stock_options\"]",
  "inheritToChildren": true,
  "priority": 100,
  "dataClassification": "highly_sensitive",
  "complianceRequirement": "SOX compliance - salary confidentiality",
  "alternativeValue": "Competitive salary",
  "visibilityRules": "{\"show_exact_if\":\"user.role == 'compensation_analyst'\",\"show_range_if\":\"user.role == 'recruiter'\"}",
  "auditAccess": true,
  "notifyOnAccess": false,
  "encryptionRequired": true,
  "isActive": true,
  "createdAt": "2024-01-01T00:00:00Z",
  "metadata": {
    "salary_bands_visible": true,
    "show_percentile": true
  }
}

Example 2

{
  "@type": "FieldRestriction",
  "restrictionId": "restrict_ssn_002",
  "resourceType": "customer_record",
  "fieldName": "social_security_number",
  "fieldPath": "personal_info.ssn",
  "restrictionType": "redact",
  "restrictionLevel": "partial",
  "maskingPattern": "***-**-####",
  "appliesTo": "{\"all_users\":true}",
  "exemptions": "[{\"role\":\"compliance_officer\"},{\"permission\":\"view_full_ssn\"}]",
  "conditions": "{\"context.purpose\":{\"$ne\":\"identity_verification\"}}",
  "inheritToChildren": true,
  "priority": 200,
  "dataClassification": "pii_critical",
  "complianceRequirement": "PCI DSS - PII Protection",
  "alternativeValue": "Last 4: ####",
  "auditAccess": true,
  "notifyOnAccess": true,
  "temporalRestriction": "{\"hide_after\":\"30_days\",\"require_reauth_after\":\"5_minutes\"}",
  "encryptionRequired": true,
  "retentionPolicy": "{\"delete_after\":\"7_years\",\"archive_after\":\"1_year\"}",
  "isActive": true,
  "effectiveFrom": "2024-01-01T00:00:00Z",
  "createdAt": "2024-01-01T00:00:00Z",
  "metadata": {
    "pii_category": "government_id",
    "requires_legal_basis": true
  }
}