Skip to main content


While InCountry manages the application’s regulated data for a particular country, the source application continues to provide user authentication and authorizes all actions and data access. The source application and identity provider specify what countries a user can access and continue to provide Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC). Using the existing user model is critical as it can be very difficult to replicate and maintain cloned access policies, especially for applications with fine-grained access controls.

For highly regulated environments, user, employee, and customer PII can be managed within InCountry and the global Identity Provider contains masked user names and email addresses.

You can find details on how to properly integrate your ACL with InCountry Data Residency-as-a-Service, please check documentation:

Data firewall

InCountry Data Residency-as-a-Service is equipped with the data firewall that can automatically block access to regulated records stored in the InCountry Vault in a specific country for users accessing these regulated records outside the country of origin. By default, the data firewall identifies the IP address of the requestor (user) and checks whether this IP address is attributed to the country where the record is stored. If the requestor resides in the country different from the record’s country of origin, the data firewall blocks such request and does not return the content of the regulated record.