Please refer to the responsibilities and capabilities assignment model for an explanation of how users relate to role assignment.

Object-specific roles are used to assign responsibilities to users and groups for specific objects in the repository.

There are a number of pre-defined but fully customizable object roles, based upon various methodologies, already delivered with the product.

Role Name Type Definition
Object Administrator Producer All object administrative capabilities. Created by default on new install and on migrated install for the Administrators group to migrate.
Content Custodian Producer Manages content for a subset of the repository, collects and holds information on behalf of data producers or requesters, and is responsible for managing the use, disclosure and protection of metadata. Responsible for accuracy, integrity, and timeliness of an information asset and for establishing the controls for its generation, import, processing, access, dissemination and disposal.
(DG) Chief Data Officer Consumer The chief data officer oversees a range of data-related functions that may include data management, ensuring data quality and creating data strategy. He or she may also be responsible for data analytics and business intelligence, the process of drawing valuable insights from data. Or some data management functions may fall to IT, and analytics may belong to a chief analytics officer, a title that some say is interchangeable with chief data officer.
(DG) Council Member Producer A data governance council (DGC) is ultimately in charge of high-level decisions involving data. This is the body that will actually create the policies concerning your data. Your council should be cross-functional, i.e., it should include employees from different parts of your company. This ensures that everyone who uses data is represented. You would not want your council to create a policy that prevents a particular team from conducting their business efficiently.
(DG) Manager Producer A user who acts as liaison between all the different roles and groups. This user can also analyze and pack up issues, so that the data governance council can make decisions. Assigning and removing roles and responsibilities are also among this user's duties.
Steward Producer A Steward user:
- Is responsible for taking (stewarding) data asset metadata, terminology, etc., through the data governance process
- Is a primary point of contact for information about those assets
- Is involved in daily, business-related decisions about the best ways to turn policy into practice. A steward represents a trust level of responsibility toward the metadata assets assigned. This user approves changes to the metadata for the assigned assets and terminology.
Most cited reference:
"The concept of a data steward is intended to convey a fiduciary (or trust) level of responsibility toward the data. Data governance is the process by which responsibilities of stewardship are conceptualized and carried out."
- Rosenbaum, Sara, "Data Governance and Stewardship: Designing Data Stewardship Entities and Advancing Data Access", Health Serv Res. 2010 Oct; 45(5 Pt 2): 1442-1455.
Subject Matter Expert Producer A Subject Matter Expert:
- Has a recognized level of expertise in a particular domain
- Performs specific data-related tasks
- Is consulted to provide guidance and feedback.
This user proposes and formalizes (edits) changes to the metadata for the assigned assets and terminology.
Most cited reference:
This is an individual who has certain expertise in a particular domain. "Expertise" is usually broken down into knowledge and skills; either the SME knows about a particular topic or knows how to get something done. Since we are talking about data, the SME is typically someone who knows about a particular data topic in the enterprise or how to do a particular thing with data. It is important to recognize that a SME is an individual person, rather than a role. You do not become a SME by being assigned as one.
- Dataversity
Data Owner Producer A Data Owner:
- Is responsible for the accuracy, integrity, and timeliness of data in a particular data domain
- Establishes the controls for its generation, import, processing, access, dissemination and disposal
- Ensures that the data under their purview is governed throughout the organization
This user:
- Proposes, formalizes (edits), and approves changes to the metadata for the assigned assets and terminology
- Has access to the actual sampled data and profiling information.
Most cited reference:
Data Owners - A data owner is responsible for the data in a particular data domain. They may belong to the steering committee and ensure that the data under their purview is governed throughout the organization. Data owners approve data glossaries and definitions as well as initiate data quality activities.
- The Data Administration Newsletter
Stakeholder Producer A Stakeholder:
- Is directly affected or responsible for organizational activities which are impacted by a particular data domain or terminology
- Can use, affect or be affected by an asset under discussion
This user wants to be involved or notified, but can only provide comments and reviews.
"The Wide Sense of Stakeholder: Any identifiable group or individual who can affect the achievement of an organization's objects or who is affected by the achievement of an organization's objects." -Freeman, R. Edward and Reed, David L., "Stockholders and Stakeholders A New Perspective on Corporate Governance"
Corporate governance has been defined as a set of relationships between a company's management, its board, its shareholders and other stakeholders that provide a structure for determining organizational objectives "and monitoring performance, thereby ensuring that corporate objectives are attained."
-Khatri, Vijay and Brown, Carol V., "Designing Data Governance", Communications of the ACM, January 2010
Data Analyst Producer This role is assigned to a user who is an analyst, is active in the curation, and is allowed to see the data profiling and sampling of this object.
Data User Consumer This role is assigned to a user who has full access to the data. The Data Access Request workflow assigns the requester this role for each assigned data model, and the requester is notified via email of the successful completion of the request.
Data Custodian Producer A user who collects and holds information on behalf of a data provider or requester and who is responsible for managing the use, disclosure and protection of data.
Content Technical Steward Producer A user who is designated as the main technical point of contact for ensuring models are harvested properly and stitched properly. Also, the point of contact for harvesting issues (logged errors, etc.)
Regular user Producer General viewer who may provide curation, comments, and labels.
Guest User Consumer Casual viewer of metadata
Workflow Administrator Producer Administers one or more models with workflows.
Workflow Editor Producer Edits one or more models with workflows.
Workflow Approver Producer Approver for one or more models with workflows.
Workflow Reviewer Producer Reviews changes for one or more models with workflows.
Workflow Publisher Producer Publishes one or more models with workflows.
View Restricted Consumer A View Restricted user is given permission to view the metadata for portions of the repository which should be restricted from viewing by most other users. Assigning this role to an object in the repository causes that object (and its contained objects) to NOT have Metadata Viewer permissions for Everyone. In addition, assigning View Restricted to the repository root or any folder in the repository allows you to then assign restricted viewing permissions to contained folders or models. In that way, you may assign “negative permissions” or viewing restrictions to a subset of the users allowed at a higher level in the hierarchy. By default, Metadata Viewer responsibilities are assigned on the repository root for Everyone.

The list of object roles above is provided by default for new installations only. If you have upgraded from an earlier version, you may not see all of these and may see others which were migrated. You may still import the list of object roles above, which is in the installation path at /conf/Roles/ObjectRoles.csv.

Assignment of the Object Administrator role to a user means that user has all object capabilities on all objects in the repository.

Object Roles and Producers vs. Consumers

A concurrent user license can be split into two maximum limits:

  • Metadata producers who are read-write concurrent users such as data architects, data stewards, data modelers, glossary editors, mapping designers, developers and any advanced users with access to all functionalities.

  • Metadata consumers who are read-only concurrent users such as data users, analysts, reviewers (who can create worksheets/dashboards, add comments/social curation).

With this split license, users are considered to be metadata consumers by default. A user is automatically designated as a producer if they are assigned any role with capability assignments that make them a Producer.

If a user is assigned any role of License type Producer, then they are counted as a Producer, otherwise if all roles they are assigned are Consumer only, then they are counted as a Consumer.

Similarly, if a role has any capability type Producer, then it is of type Producer, otherwise if all capabilities for that role are Consumer only, then it is of type Consumer.

Consumers are those whose object capability responsibilities only allow them to view objects or provide feedback.

Add an Object Role

You may add any number of new object roles on an object (repository model) and to one or more users or groups.

Capabilities which are assigned through object roles are always granted to the entire repository model. Permissions based upon capabilities assigned are NOT checked (and thus cannot vary) at the individual contained (within the repository model) object level, thus assigning such a role at the contained object level will not change anything.

There is one special use case for roles with workflow capabilities, because they are checked at the contained object level and also appear to grant some permissions (e.g., if you are a workflow editor and the object is in the right workflow status, then you can edit, otherwise you cannot). But these are not authorization permissions, they are just allowed actions in the workflow process.

Steps

  1. Sign in as a user with at least the Security Administrator capability global role assignment.

  2. Go to MANAGE > Object Roles in the banner.

  3. Click Add.

  4. Provide Name and Definition.

  5. Use the Capabilities pick list to select capability assignments for the role.

  6. Click OK.

You may create a new role based upon an existing one by using the Duplicate Role context menu item on the existing line.

Example

Sign in as Administrator and go to MANAGE > Object Roles.

Right click on the Content Custodian role and select Duplicate Role.

Enter "Finance Content Custodian" for the Name and "Users who act as content custodians for the Finance systems" in Definition.

There is no need to pick any additional capabilities, as we are only creating this role to assign to the Finance system folder in the repository.

Click OK.

The License is of type Producer. This is assigned automatically. If a role has any capability type Producer, then it is of type Producer, otherwise if all capabilities for that role are Consumer only, then it is of type Consumer.

Edit an Object Role

One may change the Name, Definition and Capability assignments for any global role.

The capabilities include:

| Capability Name | Type | Definition |
| --- | --- | --- |
| Repository Management | Producer | Allows to create, update, delete repository objects. |
| Metadata Import/Export | Producer | Allows to import/export metadata |
| Data Management | Producer | Allows to import data profiling and sampling information |
| Security Management | Producer | Allows to set roles on repository objects |
| Workflow Management | Producer | Allows to enable and configure workflow on model objects |
| Certification Management | Producer | Allows to update, delete any certifications on objects |
| Endorsement Management | Producer | Allows to update, delete any endorsements on objects |
| Warning Management | Producer | Allows to update, delete any warnings on objects |
| Comment Management | Producer | Allows to update, delete any comments on objects |
| Watcher Management | Producer | Allows to add/remove any watcher assignment |
| Metadata Management | Producer | Allows to edit metadata including attribute and relationships local to the model |
| Business Documentation Editing | Producer | Allows to set the business name and business definition on an object |
| Diagram Editing | Producer | Allows to create / edit diagrams in database models |
| Data Classification Editing | Producer | Allows to approve, propose, reject a data class or sensitivity label on an object |
| Label Editing | Producer | Allows to update labels on an object |
| Attachment Editing | Producer | Allows to add / remove attachments to an object |
| Certification Editing | Producer | Allows to create, update, delete your own certifications on objects |
| CSV Exporting | Consumer | Allows to export metadata using CSV including attributes and relationships |
| Endorsement Editing | Consumer | Allows to create, update, delete your own endorsements on objects |
| Warning Editing | Consumer | Allows to create, update, delete your own warnings on objects |
| Comment Editing | Consumer | Allows to create, update, delete your own comments on objects |
| Watcher Editing | Consumer | Allows a user to add / remove themselves as a watcher on an object |
| Repository Viewing | Consumer | Allows to view the repository tree and interact with versions |
| Metadata Viewing | Consumer | Allows to view the metadata stored in a model |
| Data Viewing | Consumer | Allows to view the imported data including data sampling and all data profiling information |
| Workflow Editing | Producer | Allows to assign and adjust workflow processes |
| Workflow Reviewing | Producer | Allows to review in workflow processes |
| Workflow Approving | Producer | Allows to approve in workflow processes |
| Workflow Publishing | Producer | Allows to publish in workflow processes |

Steps

  1. Sign in as a user with at least the Security Management capability object role assignment.

  2. Go to MANAGE > Object Roles in the banner.

  3. Select a row and click Edit.

  4. Update Name and Definition.

  5. Use the Capabilities pick list to select capability assignments for the global role.

  6. Click OK.

You may simply double-click a cell in the sheet of capabilities vs. roles to set or unset a particular capability assignment (responsibility).

Again, if a role has any capability type Producer, then it is of type Producer, otherwise if all capabilities for that role are Consumer only, then it is of type Consumer.

Example

Sign in as Administrator and go to MANAGE > Object Roles.

Pick the Finance Content Custodian role (added earlier). Edit the Definition by adding "workflow editor" to the list of capabilities. Then add the Workflow Editing capability.

Click SAVE.

Delete an Object Role

You may delete any global role.

If you delete a role that is already assigned to a user or group then they will lose those capabilities.

Steps

  1. Sign in as a user with at least the Security Management capability object role assignment.

  2. Go to MANAGE > Object Roles in the banner.

  3. Select a row and click Delete.

  4. Click OK.

Import Object Roles

You may import object roles from a CSV file.

The format of this CSV file may be determined by first exporting to that format.

Steps

  1. Sign in as a user with at least the Security Management capability object role assignment.

  2. Go to MANAGE > Object Roles in the banner.

  3. Click IMPORT.

  4. Browse for a file and click OK.

The import action will produce a log and will update and merge, reporting on the number of roles affected.

Export Object Roles

You may export the list of object roles to a CSV file.

Steps

  1. Sign in as a user with at least the Security Management capability object role assignment.

  2. Go to MANAGE > Object Roles in the banner.

  3. Click EXPORT.

  4. The file is pushed to your browser.

You may download either CSV files or XLSX files. The XLSX files have special handling that safeguards against CSV Injection, also known as Formula Injection, a security vulnerability that occurs when untrusted input is included in a CSV file.
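
The following is an added example, not code from the product: a check that can be run over an exported (or to-be-imported) object roles CSV before it is opened in a spreadsheet, flagging cells a spreadsheet could evaluate as a formula and rewriting them as text. The column names and sample rows are constructed assumptions, since the actual file format is determined by exporting from the product.

```python
import csv
import io

# Leading characters that spreadsheet applications may interpret as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample; the column names are assumptions, not the product's format.
SAMPLE = (
    "Name,Type,Definition\r\n"
    "Finance Content Custodian,Producer,Users who act as content custodians\r\n"
    "Guest User,Consumer,=1+1\r\n"
    "@SUM(1),Consumer,Casual viewer of metadata\r\n"
)


def is_formula_like(cell):
    """True when the cell starts with a character that can trigger evaluation."""
    return cell.startswith(FORMULA_TRIGGERS)


def scan_csv(text):
    """Return (row, column, value) for every cell a spreadsheet could evaluate."""
    rows = list(csv.reader(io.StringIO(text, newline="")))
    header = rows[0] if rows else []
    findings = []
    for row_no, row in enumerate(rows, start=1):
        for idx, cell in enumerate(row):
            if is_formula_like(cell):
                column = header[idx] if idx < len(header) else f"col{idx + 1}"
                findings.append((row_no, column, cell))
    return findings


def neutralize(cell):
    """Prefix a risky cell with an apostrophe so it is read as text."""
    return "'" + cell if is_formula_like(cell) else cell


def sanitize_csv(text):
    """Rewrite the CSV with risky cells neutralized and every field quoted."""
    out = io.StringIO(newline="")
    writer = csv.writer(out, quoting=csv.QUOTE_ALL)
    for row in csv.reader(io.StringIO(text, newline="")):
        writer.writerow([neutralize(cell) for cell in row])
    return out.getvalue()


if __name__ == "__main__":
    for finding in scan_csv(SAMPLE):
        print("formula-like cell:", finding)
    print(sanitize_csv(SAMPLE))
```

Legitimate values that begin with a trigger character, such as a negative number, are also flagged and prefixed, so review the findings before importing a sanitized file back.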

Check Responsibilities

You may see a list of role assignments for users and groups by going to the respective MANAGE > Users and MANAGE > Groups pages.

Insufficient Permissions

A message like the following is presented if you do not have sufficient permissions (object role assignment with the proper object capabilities):

[Screenshot: insufficient permissions message]

Restricting Viewer Permissions of Objects in the Repository

For viewing rights to a model (or glossary, etc.), the simplest best practice is to control viewing via configuration access, and not through restricting viewer rights to specific objects which may be in a configuration. This suggestion follows from the fact that any user who needs to open a configuration MUST ALSO have view permissions to all of the models in the configuration (either by explicitly assigning the Metadata Viewing capability object role assignment to all the objects contained, or if no such assignment has been made, then the object is by default viewable). So, the easiest way to manage access to a model is to simply not include it in any open configuration.

However, if there is a need to define view restrictions on portions of the repository, limiting viewing (even in the repository manager) to a certain set of users, you may use either the View Restricted or the Metadata Viewing capability object role assignment.

Using View Restricted to Limit Viewing of Objects in the Repository

Generally, one assigns the View Restricted role to the group Everyone for the repository root. Then all users have Metadata Viewing access, unless restricted at a lower level in the repository folder structure.

The advantage of this approach is that access remains for common system type objects like Naming Standards without having to explicitly assign those permissions, as one is only restricting further at lower levels in the folder structure.

Example

Sign in as Administrator and go to MANAGE > Servers.

Select the repository root and the Responsibilities tab.

By default, the View Restricted role is assigned to the group Everyone for the repository root.

Select the Demo Enterprise Edition folder and the Responsibilities tab.

The View Restricted role for the group Everyone is inherited from the repository root.

To override this role and restrict it to only a subset of users, you may assign the View Restricted role to that subset of users. Click EDIT next to the View Restricted role and pick Business Users.

Click OK and then SAVE.

Business Users are now the only users who can see this folder and thus the contained configuration and its models.
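
The inheritance and override behaviour walked through above can be modelled for review purposes as follows. This is an added example, not the product's code or API: it assumes that the nearest View Restricted assignment on the path from an object up to the repository root decides who may view it, and the folder and model names below the Demo Enterprise Edition folder are constructed.

```python
from pathlib import PurePosixPath

EVERYONE = "Everyone"

# Constructed View Restricted assignments, keyed by repository path.
ASSIGNMENTS = {
    "/": {EVERYONE},
    "/Demo Enterprise Edition": {"Business Users"},
}


def effective_viewers(path, assignments):
    """Return (groups, source_path) from the nearest assignment at or above path."""
    node = PurePosixPath(path)
    while True:
        groups = assignments.get(str(node))
        if groups:
            return set(groups), str(node)
        if node == node.parent:
            # No assignment anywhere on the path: viewable by default.
            return {EVERYONE}, None
        node = node.parent


def can_view(user_groups, path, assignments):
    """True when one of the user's groups is among the effective viewers."""
    groups, _ = effective_viewers(path, assignments)
    return EVERYONE in groups or bool(groups & set(user_groups))


def narrowed_paths(assignments):
    """Paths whose explicit assignment excludes Everyone (review candidates)."""
    return sorted(p for p, g in assignments.items() if g and EVERYONE not in g)


if __name__ == "__main__":
    model = "/Demo Enterprise Edition/Configuration/Finance Model"  # constructed
    for groups in (["Business Users"], ["Developers"]):
        print(groups, model, can_view(groups, model, ASSIGNMENTS))
    print(["Developers"], "/Naming Standards",
          can_view(["Developers"], "/Naming Standards", ASSIGNMENTS))
    print("restricted at:", narrowed_paths(ASSIGNMENTS))
```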