Why can't I search for entities in my data tenant and why can't I import entities from the UI.

Gloria

December 11, 2025 01:29

What is the DTSS Shared Data Tenant?

The DTSS data tenant is a shared resource that contains reference and enrichment data used by multiple Reltio customers.
Because it is shared, you must not use it as a regular project tenant to browse, search, or manage data directly.
Your normal interaction with this tenant should be only through the D&B Connector from your own Reltio tenant.

Intended Use: Only Import Potential Matches

What you should do

You can use the DTSS API below to find potential matches for one or more entities in the Data Tenant (DT) within the Customer Tenant (CT). This operation is proper when checking if a DT record already exists in the CT before initiating a subscription or import. Use this API with the same CustomerTenant / DataTenant headers and a body containing DT URIs; you can exclude already-imported items with skipAllImportedEntities=true.

POST {DTSSURL}/entities/_matchesForDtEntities

You can use the DTSS API below to identify potential matches for one or more entities within the same Data Tenant (DT). This operation helps validate entity uniqueness or detect redundancy before further processing.

POST {DTSSURL}/entities/_matchesForCtEntities

To import a potential match from your DT into the CT (for D&B Direct+), use DTSS “Import entity”:.

POST {DTSSURL}/entities/_import?dataEntityUri={DT_entity_uri}

This “potential matches” flow is the only supported way for your users to leverage the shared DTSS tenant.

What you must not do

Within the DTSS shared tenant itself:

Do not use “Search” to browse entities.
Do not use “Import” to bring data directly from the shared tenant into your tenant.
Do not change any configuration in the shared tenant, including security settings.

Those actions bypass the D&B Connector use case and can expose data belonging to other customers.

Security & Access Model

The tenant configuration should include a section like:

 "security": {
            "metadataAndDataSecurity": {
                "enabled": true,
                "permissionConfig": [
                    {
                        "uri": "configuration/entityTypes/PureParty",
                        "permissions": [
                            {
                                "role": "ROLE_DNB_CONNECTOR",
                                "filter": "equals(attributes.DtssCustomerTenantId, '5QvXXYziQAkEGcL')",
                                "access": [
                                    "READ"
                                ]
                            }
                        ]
                    }
                ]
            }
        }

DT is hidden from the customer UI.
- hiddenDt changed from false → true.

    "groupContributors": true,
    "autoRematch": false,
    "hiddenDt": true,
    "searchCtMetadata": false,

Security enabled
- security.metadataAndDataSecurity.enabled changed from false → true.
Tenant-scoped permissionConfig
- Added a permissionConfig entry to allow READ only for DT entities, where DtssCustomerTenantId = '<customerTenantId>', via role ROLE_DNB_CONNECTOR.
DT entity view/search disabled
- DT is hidden via hiddenDt: true.
Existing flags that could expose CT metadata/extra functionality (searchCtMetadata: false) are left as-is.
searchMatchesCtMetadata is left true so the connector can still drive potential match–based imports, as per your requirement to import matches from DT via the potential match view UI.
eventsConfiguration: entityMatch: "ACTIVATE", most others set to "IGNORE"
synchronizationConfig.entities[0].action: "MANUAL_MATCH" and cleared matchRules to let DTSS evaluate suspect rules by default (avoids unintended autosubscribe behavior tied to an "ExactMatch" rule).

What happens if we enable metadata security?

If Reltio enables strict metadata security for this shared tenant, your users will not see any data there, which is exactly what was reported in the original ticket.
This is expected behavior, because end users are not supposed to work directly in the shared tenant UI. All interaction should be via the D&B Connector from your own tenant.

Why you must not change security

Changing metadataAndDataSecurity or permissionConfig can:
- Break your D&B Connector integration.
- Allow your users to see data belonging to other customers in the shared tenant.

Allowed vs Not Allowed – Quick Matrix

Action	Allowed?	Where?	Notes
Request potential matches via D&B Connector	yes	Your tenant	Standard enrichment use case.
Import selected potential match from DTSS via D&B Connector	yes	Your tenant	Data is written only to your tenant.
Search / browse data directly in DTSS shared tenant UI	no	Shared DTSS tenant	Not supported; may expose other customers’ data.
Use “Import” directly from shared DTSS tenant	no	Shared DTSS tenant	Bypasses integration use case.
Modify `security.metadataAndDataSecurity` or `permissionConfig`	no	Shared DTSS tenant	Only Reltio Integration/Operations may change this.

Reference

https://docs.reltio.com/en/applications/data-integrations/data-enrichment-integrations-at-a-glance/reltio-data-tenant-subscription-service-dtss-at-a-glance/reltio-dtss-operation/dtss-and-matching/identify-potential-matches-across-data-and-customer-tenants/search-for-potential-matches-in-data-tenants-dt