If you can't find the product or version you're looking for, visit support.ataccama.com/downloads

Access Levels

Access levels specify what sets of actions a user can perform on an entity. You need access levels for sharing access to a specific entity with groups or users. For more information, see Share Access to Assets.

Overview

For each entity, different access levels are defined through a list of operations available for users with that specific access level.

When you create a new governance role or entity, no access levels are assigned by default. We recommend assigning access levels as soon as possible as otherwise access remains unrestricted.

Until the access level is assigned, a warning is displayed: Assign access level.

By default, ONE includes the following access levels:

Full access: Provides the complete set of operations available on an asset, including the permissions to delete, create new data assets, publish, and share.
Editing access: Allows editing drafts on the corresponding entity. An editor cannot share access to the entity with other users or groups, delete or publish assets.
Operate access: Allows to trigger operation actions on the corresponding asset, such as reindexing OpenSearch and synchronizing users from Keycloak.
View data access: Allows to view metadata and data of the asset. Can be useful for data reviewers.
View page access: Allows to view the landing pages and their content. Making changes to landing pages is not allowed.
View metadata access: Allows to view metadata of the asset but not see data. Can be useful for metadata reviewers.

The View metadata access level does not include access to viewing profiling results. The required operation getProfileData cannot be configured directly from the web application.

However, you can use the following GraphQL queries to enable this operation for the View metadata access level. For information about how to use GraphQL with ONE, see ONE API.

Expand to view the GraphQL queries

# Get GID of your mmdAccessLevel
query mmdAccessLevels {
  mmdAccessLevels(versionSelector: { publishedVersion: true }) {
    edges {
      node {
        gid
        publishedVersion {
          name
        }
      }
    }
  }
}

# Get catalogItemProfile mmdNode ID
query mmdNodes {
  mmdNodes(
    filter: "name = 'catalogItemProfile'"
    versionSelector: { draftVersion: true }
  ) {
    edges {
      node {
        gid
      }
    }
  }
}

# Run mutation 1
mutation mmdOperationSetCreate {
  mmdOperationSetCreate(
    parentGid: "01576c63-0000-7000-0000-000000053f8f" #gid of mmd node catalogItemProfile
    parentNode: "mmdNode"
    parentProperty: "operationSets"
    new: {
      _type: "mmdOperationSet"
      forAccessLevel: {
        gid: "01576c63-0000-7000-0000-000000053cdd" # gid of access level viewMetadata
      }
      grantedOperations: [
        # operations that you want to add
        "profiling:getProfileData"
      ]
      deniedOperations: [] # required parameter
    }
  ) {
    result {
      gid
    }
  }
}

# Run mutation 2
mutation initializeMigration {
  _initializeMigration(initialize: false, type: USER)
}

You can customize the following:

The list of access levels. Requires the ONE Administrator governance role. See Manage access levels.
The list of available access levels on each entity. See Configure access levels on entities.
The list of operations (actions) for each access level on a specific entity. See Configure access levels on entities.

As access levels are a part of the metadata model, all changes must be published as any other system changes. To view previously published changes to access levels, go to Global Settings > System Changes > Applied Changes. For more information, see System Changes.

Manage access levels

For this, you need the ONE Administrator governance role.

To view and manage existing access levels, go to Global Settings > Global Access Levels:

Create or edit access levels

To create a new access level or edit an existing one:

Go to Global Settings > Global Access Levels and continue with one of the options:
- To add a new global access level, select Create.
- To modify an existing access level, select the access level and then Edit.
Fill in or modify the following information:
1. System name (or Name if you are editing): The unique name of the access level that is used internally in the application.
2. Name (or Display Name if you are editing): The name of the access level that is displayed in ONE.
3. Description (Optional): Description of the access level.
4. Order: The order in which the access level appears in the access level list.
Select Save.
Go to Global Settings > System Changes and apply the pending changes. This is necessary as access levels are a part of the metadata model. For more information, see System Changes.
To use the newly created access level on entities and for sharing, proceed with Configure access levels on entities.

Delete access level from the list

To delete an access level:

Go to Global Settings > Global Access Levels.
Do one of the following:
- Select one or more access levels and then Delete. Confirm your choice when prompted.
- Open the access level details and in the three dots menu select Delete.
  
  Alternatively, you can access the same option from the access level listing.
Go to Global Settings > System Changes and apply the pending changes. This is necessary as access levels are a part of the metadata model. For more information, see System Changes.

Configure access levels on entities

To make changes in the metadata model, you need to have the MMM_admin identity provider role which, by default, is attached to the ONE Administrator governance role.

You can configure the access levels list for each entity, including the custom ones. This is done for each entity individually by configuring the metadata model.

For each entity, only one access level must be selected for the following:

Assign when asset is created: Automatically assigned to the creator of the new entity. In general, we recommend setting this to the highest access level (Full access).
Select as default when sharing assets: Automatically assigned to all users and groups with whom this entity is shared. In general, we recommend setting this to the lowest access level (View metadata access).

To modify the access levels on entities:

Go to Global Settings > Metadata Model.
Find and select the entity for which you would like to modify the list of access levels.

Use the search to find the entity faster.
Switch to the Access levels tab.
Manage the access levels list as needed:
- To add a new access level, select Assign global access level and choose one from the list.
- To edit an access level, open the access level details and in the three dots menu select Edit.
- To remove an access level, open the access level details and in the three dots menu select Delete.
  
  The entity is now in the draft state. Once you’re done editing, finalize your changes to the metadata model by publishing them.

Customize each access level for the entity as needed.

Select the access level and then Edit.

You can configure the following:

The access levels that are automatically assigned when an entity is created (Assign when asset is created) or shared (Select as default when sharing assets).

Before making any changes, make sure that neither of these options is already selected for another access level. Only one access level can be selected at a time, otherwise the platform breaks.

The Core and Plugin operations that the users or groups with this access level can perform on the entity. Select all that apply. For more information, see Access level operations.

For example, to prevent users from exporting data from ONE, which is by default allowed for users with Full, Editing, or View Data Access permissions on corresponding data assets, you can modify the access levels for the catalogItem entity to remove the following plugin operations:

Run data export project.
Data Export: Download File.

Select Save.

Go to Global Settings > System Changes and apply the pending changes. This is necessary as access levels are a part of the metadata model. For more information, see System Changes.

Access level operations

A specific set of actions is defined for each entity for each access level. These are configured through the following operations:

Core operations: Basic actions that are similar across all entities.
Plugin operations: Entity-specific actions that depend on the entity plugins.

To view the access level operations, go to Global Settings > Metadata Model and select the entity that you want to work with. On the Access Levels tab, find and select the access level.

To edit the list of the operations for this access level, select Edit. Select all operations that apply, then save and publish the system changes.

The list of available operations depends on the entity.

Was this page useful?