Data access controls what users can see in Zuora, such as a U.S regional sales person viewing only customer accounts in the U.S. This article introduces key features and explains how to implement data access control.
Data Access Control gives customers the ability to customize and control what areas their users can access within Zuora. Data Access Control allows you do the following:
Data Access Control is ONLY enforced on UI users, not API users. API users always have complete Data Access Control.
You must have Zuora Platform Administrator permission to manage Data Access Control. See Zuora Platform Roles for more information.
Data access controls differ from permissions in the following:
A hierarchy is a set of tags created by your Zuora administrator to enforce access rights on a Zuora object. Both hierarchies and tags are organized in a tree structure.
Currently, the following applies to a hierarchy:
A tag is a value within a hierarchy that is assigned to users and objects. Tags are organized in a tree structure. The following are examples of tag values:
When you tag an object, you are tagging an account or product. For example, if you apply a "West Coast" tag on an account, all subscriptions under that account will inherit the same tag. Take into account that transaction objects, such as subscriptions, invoices, payments, and refunds are restricted because they inherit tag of the account, but not the product.
See Zuora API Object Basics for more information on objects.
When you apply tags to users:
Unrestricted access are objects that can be viewed by any user. Regardless of where a user resides in the tag hierarchy, unrestricted objects can be accessed by all users. Any user can change an object to or from Unrestricted.
Complete data access control is the top level of the Data Access Control hierarchy. Users tagged at this root level have access to all objects within Zuora. Users that have not been tagged, will automatically be tagged at the root level.