
Please refer to the responsibilities and capabilities assignment model for an explanation of how users relate to role assignment.

Each user of the system is assigned to one or more groups. The groups assigned to a user control which security roles (Viewer/Editor/Manager) that user holds. Security roles are then associated with the types of permissions one has to an object in MetaKarta.

The basic configuration of MetaKarta has two groups defined, which may not be removed:

Administrators -- Users assigned this group are given all roles.

Everyone -- All users, as a way to assign blanket responsibilities.

The Administrators group is created by default as part of a new installation and has the Global Administrator global role and Object Administrator object role assignments to the repository root.

The Administrators group is created on migration of an older repository and has the Global Administrator global role and Object Administrator object role assignments everywhere the predefined Administrators group was used before in the repository.

A user assigned to the Administrators group may create any number of groups with different user interface assignments and responsibility assignments.

All responsibility assignments are available to both users and user groups.

There are two types of roles in MetaKarta:

• A global role applies to all repository objects.

• An object role typically applies to a particular repository object (e.g., folder, glossary, model, etc.) and responsibility assignments are scoped to that object and its models.

All security role assignments are additive and inherit down through the folder structure.

Create a New Group

User responsibilities become easier to manage when you use groups to organize users and assign responsibilities.

Steps

  1. Sign in as a user with at least the Security Administrator capability global role assignment.

  2. Go to MANAGE > Groups in the banner.

  3. Click Add.

  4. Provide NAME, DEFINITION, EMAIL.

Both users and groups can have email addresses that are used for notification. Individual users (but not groups) can control their notification frequency. If you leave the group email address empty, then the notification for that group (based upon its roles) will instead be sent to the email addresses of its member users. When a group's email address is set, notifications are sent to that address at the system email frequency, and the individual email addresses of the member users will not receive notifications.

  5. Include USERS from the pick list.

  6. Assign GLOBAL ROLES from the pick list.

  7. Select a published configuration from the DEFAULT CONFIGURATION search box.

The DEFAULT CONFIGURATION will be the configuration assigned automatically when a user who is a member of this group signs in. If a user is a member of several groups so that more than one configuration is default, then that user will be presented with a choice among those default configurations. If the group is the reserved group EVERYONE then all users will be given a default configuration.

Example

Sign in as an Administrator.

Go to MANAGE > Groups

Click Add.

Provide NAME, DEFINITION, and EMAIL as shown below:

  • Power Users

  • Business users who create and manage worksheets, dashboards, presentations and collections

Assign this group these three GLOBAL ROLES:

  • Worksheet Author

  • Collections Custodian

  • Applications Designer

Select the Demo Enterprise Architecture configuration from the DEFAULT CONFIGURATION search box.

Click CREATE.

Explore Further

Group Preferences

Anyone with the Security Administrator global capability is able to go to the Preferences tab when managing a group, where they may assign and edit key/value pairs defining options as to how the product will behave for users of that group, e.g.:

Preference Name -- Definition

Use Session Cookies -- By default, the authentication cookie is persistent. Set to True in order to make the cookie expire when the browser is closed for members of the group.

Show Lineage Debug Properties -- In the lineage tab of an object, show a Lineage Debug Properties panel to give more debug information about the selected object.

Show <> Widget -- Whether to show these widgets by default in the object page.

Responsibilities Default Roles -- Pick list of roles to show in the Responsibilities widget when enabled.

Maximum Object Attachment Size -- This is the maximum file size that users can attach to an object (in bytes).

Default Object Explorer Grouping -- Default presentation of the tree structure in the explorer, based upon the Configuration organization, Repository structure or None.

Default Browse Categories -- Default metadata categories to present when browsing.

Worksheet Export Maximum number of objects -- Maximum number of objects which may be exported to CSV at a time.

Worksheet Maximum number of objects per Page -- Maximum number of objects which may be presented on one page of the results.

Worksheet Refresh Policy User Adjustable -- Allows / disallows users to choose whether to do automatic refresh of search / worksheets when the query changes.

Worksheet Refresh Policy Default -- Define either auto or manual refresh policy default.

Choosing an option like Use Session Cookies and then setting it to false will disable that part of the UI for users of that group (not allowing editing of collections, for example).

There is a group named Everyone which allows you to assign group preferences to all users at once.

Steps

  1. Sign in as a user with at least the Security Administrator capability global role assignment.

  2. Go to MANAGE > Groups in the banner.

  3. Select a group.

  4. Click the Preferences tab.

  5. Click the plus sign to add a preference that is not yet assigned.

  6. Click the X next to a preference to remove it (unassign it).

  7. Change the value between true and false to enable or disable the feature or setting of a preference or set the numeric value.

Setting the value to "0" generally means unlimited.

The product reads the group preferences settings when starting up and they are cached for the current user until one refreshes the browser. If a user is part of multiple groups, the product takes care of consolidating any contradicting settings.

For example, if a user is part of multiple groups with different Worksheet Export Maximum number of objects, the product will pick the largest one.

Example

Sign in as Administrator and go to MANAGE > Groups. Select the Business Users group and click the Preferences tab. Click Add.


Select Show Responsibilities Widget and Responsibilities Default Roles. Click OK.

Set the Show Responsibilities Widget to true. Double-click the Value cell for Responsibilities Default Roles and pick Steward.

Click SAVE.

Now, sign in as Bob (a Business User), go to the Social Security Number term.

The Responsibilities widget with the Steward role is now shown for all Business Users.

Worksheet Refresh Policy Preferences

Depending upon the worksheet REFRESH MODE preference settings, worksheets refresh in one of two modes:

  • Auto -- Every action, such as to update the filter, add a column, set preferences, etc., will cause the worksheet to re-run the query.

  • Manual -- You must click the EXECUTE button (which is only available in this mode) to re-run the query. The button is highlighted when a refresh of the query would produce new results.

In addition, depending upon how your group preferences are configured, you may not be able to adjust the REFRESH MODE or may simply have a different default behavior.

The two preferences controlling this behavior at the group level are as follows:

Preference Name -- Definition

Worksheet Refresh Policy User Adjustable -- Allows / disallows users to choose whether to do automatic refresh of search / worksheets when the query changes.

Worksheet Refresh Policy Default -- Define either auto or manual refresh policy default.

E.g., in order to ensure that users who are members of the group Everyone (i.e., everyone in the system) must use the manual EXECUTE button, one may set:

  • Worksheet Refresh Policy User Adjustable = False

  • Worksheet Refresh Policy Default = Manual

Use Session Cookies

By default, the authentication cookie is persistent. Set this preference to true in order to make the cookie expire when the browser is closed for members of the group.

Steps

  1. Sign in as a user with at least the Security Administrator capability global role assignment.

  2. Go to MANAGE > Groups in the banner.

  3. Select a group.

  4. Click the Preferences tab.

  5. Click the plus sign to Add the Use Session Cookies preference that is not yet assigned.

  6. Click the X next to a preference to remove it (unassign it).

  7. Change the value to true to use session cookies or to false to use persistent (default) cookies.

Example

Sign in as Administrator. Go to MANAGE > Groups. Select the group Everyone.

Selecting the group Everyone means you will be applying this preference to every user.

Click the plus sign to Add the Use Session Cookies preference. Select true.

Once enabled, the auth cookie will be deleted automatically when any user in that group closes their browser (not when they refresh it). If they close their browser and reopen it, they will have to log in again. Also, there will now be 2 sessions active for the same user (the old one and the new one) until the old one expires.
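To confirm the preference took effect, inspect the Set-Cookie header the server returns at sign-in: a session cookie carries neither Expires nor Max-Age. The check below is an added example, not product code; the cookie name and header values are constructed placeholders, and the classification follows the standard RFC 6265 rules.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers; the cookie name is a placeholder, not the product's.
SESSION_HDR = "AUTH_COOKIE_PLACEHOLDER=abc123; Path=/; HttpOnly; Secure"
PERSISTENT_HDR = ("AUTH_COOKIE_PLACEHOLDER=abc123; "
                  "Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; HttpOnly; Secure")


def parse_set_cookie(header):
    """Return (cookie name, {lowercased attribute: value}) for one Set-Cookie value."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs


def cookie_lifetime(header, now=None):
    """Classify a cookie as 'session', 'persistent' or 'deleted'."""
    now = now or datetime.now(timezone.utc)
    _, attrs = parse_set_cookie(header)
    if "max-age" in attrs:                      # Max-Age takes precedence over Expires
        try:
            return "persistent" if int(attrs["max-age"]) > 0 else "deleted"
        except ValueError:
            pass                                # unparsable Max-Age is ignored
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:          # treat a zone-less date as UTC
                expires = expires.replace(tzinfo=timezone.utc)
            return "persistent" if expires > now else "deleted"
        except (TypeError, ValueError):
            pass                                # unparsable Expires is ignored
    return "session"                            # no lifetime attribute: ends with browser


def matches_preference(header, use_session_cookies, now=None):
    """True when the observed cookie agrees with the Use Session Cookies value."""
    expected = "session" if use_session_cookies else "persistent"
    return cookie_lifetime(header, now) == expected
```

Because preferences are cached until the browser is refreshed, run the check against a fresh sign-in response.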

Assign Object Role Responsibilities on a Repository Object to a User or Group

Please refer to the responsibilities and capabilities assignment model for an explanation of how users relate to role assignment.

Keep in mind that in order to have any object role assignments on a child object in MetaKarta, one must at least have the View Metadata capability object role assignment to its parent. Thus, in order to create portions of the repository which are entirely inaccessible to a group, you may create a new folder at the root of the repository in order to assign special Metadata Viewer capability object role assignment for that folder and its children.

For metadata, it is generally assumed that all metadata should be visible to any authenticated user. This is the most common situation and MetaKarta is designed for the ease of managing permissions with that assumption in mind. Thus, by design all repository objects can be viewed by default.

If NO user or group is assigned the Viewer security role on an object (or any of its parents), then all users will be able to view the object.

However, if ANY user or group is assigned the Viewer security role on an object (or any of its parents), then all other users (those not assigned the Viewer security role on the object and not a member of such a group) will NOT be able to view the object.

Steps

  1. Sign in as a user with at least the Security Management capability object role assignment.

  2. Go to MANAGE > Repository or MANAGE > Configuration.

  3. Select an object in the repository or configuration.

  4. Go to the Responsibilities tab.

  5. Use the ADD ROLE button to pick object roles to assign to the object.

The responsibilities that you assign for a configuration apply to the configuration, not its models. Thus, when you assign a group or user the Edit Metadata capability for that configuration then they have the ability to, for example, add a model to the configuration, but do not necessarily have permissions to edit the contained models within the configuration. Instead, each model in the configuration may also have its own responsibility assignments. Thus, if you wish to be able to edit the contained model properties, you will need to assign the Edit Metadata responsibility to that user or group on those objects, not just the configuration they are contained within. This is a very powerful feature that allows one to control who is Editor or Manager for individual models in a configuration, separately from security role assignments to the configuration itself.

You may, of course, use repository folder structure to manage the object responsibility assignments. For example, you may place all the models which should be editable in the same folder and assign the Edit Metadata responsibility at that level for the group or users you wish to be able to edit all of those models. This is because, while object responsibility assignments are not inherited through the configuration, security role assignments are inherited through the actual folder structure in MetaKarta.

For viewing rights to a model (or glossary, etc.), the simplest best practice is to control viewing via configuration access, and not through restricting viewer rights to specific objects which may be in a configuration. This suggestion follows from the fact that any user who needs to open a configuration MUST ALSO have view permissions to all of the models in the configuration (either by explicitly assigning the View Metadata object responsibility to all the objects contained, or if no such assignment has been made, then the object is by default viewable). So, the easiest way to manage access to a model is to simply not include it in any open configuration.

Again, if ANY model of a configuration is not viewable by a user then the entire configuration is not viewable by that user.
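The viewing rules above can be checked on paper before changing assignments. The following is an added example, not MetaKarta code: a simplified model that tracks only Viewer assignments (other roles, including administrator assignments, are ignored), with constructed folder paths and a constructed HR Stewards group.

```python
# Simplified model of the Viewer rule: open by default, restricted as soon as
# any Viewer assignment exists on the object or one of its parent folders.
# All paths, users and groups below are constructed sample data.

PARENT = {  # child -> parent folder; None marks the repository root
    "/": None,
    "/Public": "/",
    "/Public/Staging DW": "/Public",
    "/Restricted": "/",
    "/Restricted/HR Model": "/Restricted",
}
VIEWERS = {"/Restricted": {"group:HR Stewards"}}   # explicit Viewer assignments
MEMBERSHIP = {"adam": {"HR Stewards"}, "bob": {"Business Users"}}


def effective_viewers(obj):
    """Union of Viewer assignments on obj and every parent (additive, inherited)."""
    found = set()
    while obj is not None:
        found |= VIEWERS.get(obj, set())
        obj = PARENT[obj]
    return found


def can_view(user, obj):
    """Apply the default-open / restricted-once-assigned rule for one object."""
    viewers = effective_viewers(obj)
    if not viewers:                 # no Viewer assigned anywhere on the path
        return True
    principals = {f"user:{user}"}
    principals |= {f"group:{g}" for g in MEMBERSHIP.get(user, set())}
    return bool(principals & viewers)


def blocking_models(user, models):
    """Models in a configuration that this user cannot view."""
    return [m for m in models if not can_view(user, m)]


def can_open_configuration(user, models):
    """A configuration is viewable only if every one of its models is."""
    return not blocking_models(user, models)
```

Running `blocking_models` for each group before publishing a configuration shows which single restricted model would make the whole configuration unavailable to that group.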

Example

Log in as the Administrator user.

Go to MANAGE > Configuration. Select the Staging DW model. Go to the Responsibilities tab.

Click ADD ROLE and select Content Custodian.

To complete the responsibility assignment, pick Adam and Angela to be Content Custodians for Staging DW.

Click OK and then SAVE.

Download Group Report

Steps

  1. Sign in as a user with at least the Security Administrator capability global role assignment.

  2. Go to MANAGE > Groups in the banner.

  3. Click the Download icon.

Examples

Go to MANAGE > Groups.

Click the Download icon.

You may download either CSV files or XLSX files. The XLSX files have special handling which safeguards against CSV Injection, also known as Formula Injection, which is a security vulnerability that occurs when untrusted input is included in a CSV file.

Opened in Excel we see: