Governance Roles
Governance roles represent the different action sets available on particular entities for a specific access level. In other words, they aggregate the access levels in ONE that can be later assigned to users or groups. For more information about access levels, see Access Levels.
Governance roles can be assigned to either a user or an identity provider role. Both types of roles are essential for regulating access for groups. For more information, see Groups.
Overview
To see the existing governance roles, go to Global Settings > Governance Roles.
Only users with the ONE Administrator role can manage governance roles. |
To view the full configuration of a role, select the role name. On the role details screen, the following tabs are available for each role:
-
Overview: Provides the description, general information, and the full access level configuration of the role.
-
History: Lists all changes made to the governance role.
To view an earlier version of the role configuration, select the version from the History tab. This opens the role Overview tab showing the configuration for that particular version. |
Default governance roles
By default, the following governance roles are configured in ONE:
Default governance role | Description | Assigned to new groups |
---|---|---|
ONE Administrator |
ONE admin changes the application model and settings, manages group hierarchy, and creates new entity types. They make sure the overall consistency of the metadata model is preserved. ONE admins have full access to all system management features of ONE including access management. |
No |
ONE Operator |
ONE operators can perform actions on all data assets that change the ONE workflows. For example, ONE operators can manage synchronization with Keycloak and the lifecycle of assets, track data quality, create reports. ONE operators cannot modify the application model and settings nor access the assets. |
No |
Data Owner |
Data owners define the data quality requirements of a specific department, division, or data domain. They work with a team of ONE operators and other roles to ensure the data governance criteria are met. Data owners are usually senior business managers. |
Yes |
Data Consumers |
Data Consumers work with metadata only when they browse Ataccama ONE. They are business or technical users with limited knowledge of data management. They can view metadata but are not allowed to view actual data values. |
Yes |
Data Steward |
Data Stewards work with both technical assets, like tables, fields, files, systems, and models, and business assets, like business terms, acronyms, KPIs, and reports. They manage the life cycle of assets, track data quality, and create reports for data owners. |
Yes |
Default entities and their access levels
The following table shows the default configuration of access levels on default entities for each governance role in ONE. For more information about access levels, see Access Levels.
When you create a new governance role or entity, no access levels are assigned by default. We recommend assigning access levels as soon as possible as otherwise access remains unrestricted. Until the access level is assigned, the following warning is displayed: |
Entity | Entity description | ONE Administrator | One Operator | Data Owner | Data Consumer | Data Steward |
---|---|---|---|---|---|---|
System |
The level of access to the System entity governs whether a role can draft changes in the metadata model.
However, to apply the changes you must also have the |
Full access |
Operate access |
View metadata access |
View metadata access |
View metadata access |
User Management |
The level of access to the User Management entity determines the actions a role is able to perform as related to the User and Access Management features. |
Full access |
Operate Access |
Editing Access |
View metadata access |
View metadata access |
Connection |
Child entity of the Source entity. Defines a data source connection. |
View metadata access |
View metadata access |
Full access |
View metadata access |
Full access |
Rule |
Identifies catalog item attributes to which a specific business term should be applied. Evaluates the data quality of catalog items and their attributes. For more information, see Detection and DQ Evaluation Rules. |
View metadata access |
View metadata access |
Full access |
View metadata access |
Full access |
Term |
Terms enable further analysis of data, as evaluation and quality checks operate on the basis of expected values of specified terms. For more information, see Data Quality. |
View metadata access |
View metadata access |
Full access |
View metadata access |
Full access |
Post Processing Result File |
Access to result files of post-processing plans. For more information, see Monitoring Project Results, Reports, and Notifications, section Export and post-processing plans. |
View metadata access |
View metadata access |
View metadata access |
View metadata access |
View metadata access |
Component |
Components are ONE Desktop files that can be used for three possible data processing steps:
|
View metadata access |
View metadata access |
Full access |
View metadata access |
Full access |
Catalog Item |
Entity that defines assets in the Data Catalog. For more information, see Catalog Items. |
View metadata access |
View metadata access |
Full access |
View metadata access |
Full access |
Location |
Child entity of the Source entity. Defines the location of a data source. |
View metadata access |
View metadata access |
Full access |
View metadata access |
Full access |
Folder |
Defines the workspace folder of virtual catalog items in the data catalog. |
View metadata access |
View metadata access |
Full access |
View metadata access |
Full access |
Source |
Entity that describes the source of catalog items in the application. ONE can work with data from a number of sources. After a data source has been added, data and metadata from this source can be imported and consequently cataloged and profiled, as well as monitored for data quality. |
View metadata access |
View metadata access |
Full access |
View metadata access |
Full access |
Policy Condition Setting |
When you user assigns policies, the conditions on the application work are set. These conditions have a "do when" format: "do something when something happens". Policy Condition Settings screen configures the timing for the action (the "when" part). In other words, it specifies where to look for particular values when evaluating conditions on certain entities. |
Full access |
View metadata access |
View metadata access |
View metadata access |
View metadata access |
Lookup Item |
Entity that allows you to use reference data in ONE. They provide a list of predefined values for an attribute, and can be used both in DQ evaluation rules and detection rules. For more information, see Lookup Items. |
View metadata access |
View metadata access |
Full access |
View metadata access |
Full access |
Value Lists |
A list of values aggregates referenced and enumerated lists of values you can assign to entities. Currently, there are two default lists: Deployments and Data Instances. Once you add a value list, you can configure it as needed. |
Full access |
View metadata access |
View metadata access |
View metadata access |
View metadata access |
Monitoring Project |
Used to evaluate the data quality of selected catalog items and monitor it over time. Data is evaluated in accordance with the DQ rules applied to the selected items, automatic anomaly detection, and structure checks. For more information, see Monitoring Projects. |
View data access |
View metadata access |
Full access |
View metadata access |
Full access |
Policy |
Entity that defines policies. The level of access to this entity determines whether you can create and manage policies in ONE. |
View metadata access |
View metadata access |
Full access |
View metadata access |
Full access |
Regulation |
Entity that can be used to organize policies under a specified regulation. Regulations are a single-level aggregation framework for policies (this means you cannot have regulations within regulations). |
View metadata access |
View metadata access |
Full access |
View metadata access |
Full access |
Category |
Entity that can be used to organize policies in a specified category. Categories are a multilevel aggregation framework for policies (this means you can store categories within categories). |
View metadata access |
View metadata access |
Full access |
View metadata access |
Full access |
Catalog Configuration |
Entity that defines various configuration options within the Data Catalog. Additionally, Full and Edit access level to this entity enables you to create SQL catalog items. |
Full access |
View metadata access |
View metadata access |
View metadata access |
View metadata access |
Profiler Configuration |
Enables you to Configure Profiling. |
Full access |
View metadata access |
View metadata access |
View metadata access |
View metadata access |
DQ Configuration |
Entity that defines the level of access to various configuration options related to Data Quality features. |
Full access |
View metadata access |
Full access |
View metadata access |
Full access |
Web App Configuration |
The level of access to this entity determines whether a role can make changes to the layout, color palette, and navigation of ONE. For more information, see the following topics: |
Full access |
View metadata access |
View metadata access |
View metadata access |
View metadata access |
Slack Configuration |
The level of access to this entity determines whether a role can configure the Slack Integration with ONE. |
Full access |
View metadata access |
View metadata access |
View metadata access |
View metadata access |
Data Export Project |
The level of access to this entity determines whether a role can use the Data Export feature. |
View metadata access |
View metadata access |
Full access |
View metadata access |
Full access |
Notification Configuration |
The level of access to this entity determines whether a role can configure the MS Teams Integration with ONE. |
Full access |
View metadata access |
View metadata access |
View metadata access |
View metadata access |
Dmm Configuration |
The level of access to this entity defines the actions a role can perform as related to ONE Data. |
Unassigned |
Unassigned |
Unassigned |
Unassigned |
Unassigned |
Csp Configuration |
The level of access to this entity defines the actions a role can perform as related to Content Security Policy Configuration. |
Full access |
View data access |
View data access |
View data access |
View data access |
Reconciliation Project |
The level of access to this entity defines the actions a role can perform as related to data reconciliation. |
View metadata access |
View metadata access |
Full access |
View metadata access |
Full access |
Landing Page |
The level of access to this entity defines the actions a role can perform as related to the ONE home page features. For more information, see The Home Page. |
Unassigned |
Unassigned |
Unassigned |
Unassigned |
Unassigned |
Dq Firewall |
The level of access to this entity determines whether a role can configure the DQ firewall features. |
Unassigned |
Unassigned |
Unassigned |
Unassigned |
Unassigned |
Vault |
The level of access to this entity determines whether a role can configure the secret-management-service.adoc features. |
Unassigned |
Unassigned |
Unassigned |
Unassigned |
Unassigned |
Create or edit governance roles
To create a new role or edit an existing one, do the following:
-
Go to Global Settings > Governance Roles and continue with one of the options:
-
To add a new role, select Create.
-
To modify an existing role, select the role and then Edit.
-
-
Specify the following information:
-
Name: Meaningful name for the role.
-
Description (optional): Description of the role purpose.
-
Assign to new groups (optional): Select to automatically add this role to the list of the prefilled roles in newly created groups. For more information, see Groups.
-
Order: Specify the position of the governance role on the stewardship widget. Roles with a lower number are displayed first. We recommend setting the order of your roles based on seniority and corresponding levels of access.
-
-
Specify the access level on entities following these steps:
If no access level is specified, we recommend assigning one as soon as possible. -
Search for the entity that the role should have access to.
-
In the three dots menu next to the entity name select the appropriate access level.
-
-
Select Save and Publish.
Remove governance roles
When you delete a governance role, users with this role are automatically removed from the groups.
To delete a governance role:
-
Go to Global Settings > Governance Roles.
-
Do one of the following:
-
Select one or more roles and then Delete.
-
Open the role details and in the three dots menu select Delete.
-
Was this page useful?