
User Access Management

User access management in ONE helps you control who can access your data assets, what permissions they have, and who’s responsible for maintaining them.

Access control and permissions in data governance

Effective access control is foundational to healthy data governance.

It ensures:

  • Clear ownership: Every asset has a responsible party accountable for its quality and maintenance.

  • Appropriate access: Users see only the data and metadata relevant to their work.

  • Right permissions: People can perform the actions they need without overreaching.

  • Auditability: You can track who has access to what and why.

How access control works

User access management in ONE is composed of three distinct layers that complement each other:

  • Groups and roles: Define how your organization is structured in the platform and what each type of user can do.

  • Stewardship: Determines who is responsible for specific assets.

  • Sharing: Ensures all relevant users and teams can see and work with the data they need.

1. Groups and roles

Groups organize users into teams, forming a hierarchy that reflects how your organization works with data. Typically, this is organized around data domains, projects, or responsibilities, though it can also mirror your organizational structure.

Governance roles define what a user can do within a group. For example, a Data Steward might have full access to rules and terms, while a Data Consumer can only view them.

The same person can have different roles in different groups.

2. Stewardship

Stewardship assigns a group as the owner of a data asset. Individual users within that group receive access based on their governance roles.

The Owner group is responsible for the asset’s quality and maintenance, and for managing who else can access it.

Throughout this guide, owner refers to the group or user accountable for an asset as defined in the stewardship system.

When we need to distinguish from the asset creator, we will explicitly refer to owner (assigned via stewardship) and author (the person who originally created the asset). For details, see Stewardship.

3. Sharing

Sharing grants access to users and groups who aren’t owners. This is how you make assets visible beyond the asset creator and stewardship group, whether that’s giving your whole organization read access to approved business terms, or letting the analytics team view catalog items without editing connection settings.

When you share an asset, you choose:

  • Which groups or users to share with.

  • The appropriate access level (for example, viewing metadata only or being able to edit assets).

    Recipients' governance roles might further refine what they can actually do.

Key concepts

Here is an overview of the core terminology you need to know before making any changes to user access permissions.

Users

People who can log in to ONE. User accounts are synchronized from your identity provider.

Groups

Teams of users organized in a hierarchy. Groups are the primary unit for managing access (assigning stewardship, sharing assets, defining governance roles).

Governance roles

Templates that define what actions a user can perform on different asset types. Roles are assigned to users within a specific group.

Some role examples include Data Administrator, Data Operator, Data Owner, Data Steward, and Data Consumer.

Access levels

The depth of access to a particular asset. Each level includes a specific set of operations you can perform.

The default access levels are view data, view metadata, operate, editing, and full access.

Stewardship

Ownership assignment for a data asset. The Owner group is responsible for the asset, and its members receive access based on their governance roles.

Sharing

Granting access to specific groups or users. You select an access level when sharing, but recipients' governance roles determine their effective permissions.

Identity provider roles

Roles from your identity provider that define your identity and control platform access. They can be mapped to governance roles in ONE, simplifying access management for large organizations.

Getting started

Ready to configure access for your organization? Start by setting up your first team.

For guidance on structuring groups based on your organization’s needs, see Access Management Models.

Exceptions

Modules with preconfigured permissions

Some ONE modules use their own preconfigured roles that cannot be customized through the standard governance role system:

  • Reference Data

  • Data Observability

Feature-specific access

Some platform features require specific identity provider roles before you can access them (for example, AI Agent). See Reserved identity provider roles.
