# Data access control via target object and security role

The DataControl object controls data access for one or more target users: for a given object connected to the target, access is restricted by checking whether the user belongs to a given role.

For example, to limit the captain of a vessel to viewing only the voyages of their own vessel, a DataControl object like this has to be posted:

```
{
    "matcherTarget": "User",
    "matcherAttributeTarget": "key",
    "objectName": "Voyage",
    "attribute": "voyageHeader.vesselCodes.masterUser",
    "dataControlRoleValues": [
        {"role": "MASTER_ONLINE_VESSEL"}
    ]
}
```

* **matcherTarget** defines the Dataloy object that is used as the target object
* **matcherAttributeTarget** defines the attribute of the matcherTarget object that is compared against the attribute of the object (objectName)
* **objectName** the Dataloy object to which the access control is applied
* **attribute** the attribute name that links the Dataloy object with the target object
* **dataControlRoleValues** the list of SecurityRole to which the DataControl is applied

In the above example, if a User that belongs to the SecurityRole "MASTER\_ONLINE\_VESSEL" queries the Voyage endpoint, the server returns only the voyages that have voyageHeader.vesselCodes.masterUser = {the user that made the query}.
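
The following Python model of the filtering described above is an added example, not Dataloy's code; it can be used to check a captured Voyage response for records a restricted user should not have received. It assumes that `masterUser` holds the user's `key` value, that users outside the listed roles are unaffected, and that a record with a missing attribute is withheld; the sample users, the `OPERATOR` role and the voyages are constructed.

```python
from functools import reduce

# The DataControl object from the page.
CONTROL = {
    "matcherTarget": "User",
    "matcherAttributeTarget": "key",
    "objectName": "Voyage",
    "attribute": "voyageHeader.vesselCodes.masterUser",
    "dataControlRoleValues": [{"role": "MASTER_ONLINE_VESSEL"}],
}

def resolve(record, dotted_path):
    """Walk a dotted attribute path; return None if any segment is missing."""
    return reduce(
        lambda node, name: node.get(name) if isinstance(node, dict) else None,
        dotted_path.split("."),
        record,
    )

def control_applies(control, user):
    """The control applies only to users holding one of the listed roles."""
    roles = {entry["role"] for entry in control["dataControlRoleValues"]}
    return bool(roles & set(user["roles"]))

def visible(control, user, records):
    """Model of the filter: keep records whose attribute equals the user's matcher attribute."""
    if not control_applies(control, user):
        return list(records)
    expected = user[control["matcherAttributeTarget"]]
    # Assumption: a missing attribute never matches, so the record is withheld.
    return [r for r in records
            if (value := resolve(r, control["attribute"])) is not None
            and value == expected]

def leaked(control, user, response):
    """Records in a response that a user under this control should not have received."""
    allowed = visible(control, user, response)
    return [r for r in response if r not in allowed]

# Constructed sample data (keys, values and the OPERATOR role are made up).
CAPTAIN = {"key": 101, "roles": ["MASTER_ONLINE_VESSEL"]}
OPERATOR = {"key": 7, "roles": ["OPERATOR"]}
VOYAGES = [
    {"key": 1, "voyageHeader": {"vesselCodes": {"masterUser": 101}}},
    {"key": 2, "voyageHeader": {"vesselCodes": {"masterUser": 202}}},
    {"key": 3, "voyageHeader": {"vesselCodes": None}},
]
```

Running `leaked` over a real response fetched as the restricted user should return an empty list; anything else means the DataControl is not filtering as configured.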
