Best Practice

Getting Started with ONE DG: Share Access 🔐

  • 1 June 2023

  • Community Manager

Happy Thursday all!

 

In this post, we will break down and go through all the how-to’s of a functionality we all frequently use in Ataccama - access & sharing.

 

Sharing access is an essential feature that allows you to provide access to other groups and users at the asset level. By default, only admins or users with the appropriate rights can manage access to data assets. This can be configured through the manageAccess operation settings for each node for each access level.

 

Understanding How Sharing Works

 

When you share access to assets with other groups and users, it's important to understand how sharing functions based on group hierarchy, user roles, and node inheritance. Here are some key points to remember:

  • Notifications: When you share a data asset or make changes to shared access levels, users or groups involved will receive notifications about the access changes.
  • User Access: Sharing access with a user or group grants access to all data assets shared with that group. The access level granted depends on the lowest access level allowed by their governance roles within the group and the level the asset was shared with.
  • Individual User Sharing: If you share a data asset with a specific user only (not the user's group), the user receives the access level specified for that asset, unaffected by their governance role in any group.
  • Combined User and Group Sharing: If you share a data asset with both a specific user and the user's group, the user receives the highest access level between their governance role within the group and the access level directly shared with them.
  • Oversight Concept: Users in parent groups automatically receive access to all data assets shared with child groups with the same access level settings. This concept applies to ancestors on the group hierarchy tree as well.
  • Managing Users: It is advisable to avoid adding users directly to the top-level "Organization" parent group to prevent them from automatically accessing all nodes shared with any child groups. Instead, manage individual users within groups under the "Organization" parent group. You can still use the "Organization" parent group to share assets with the entire organization, regardless of user presence, as the access rights will be inherited.

     

Sharing Nodes with Inheritance

When sharing access with users or groups for data assets with a hierarchy, such as parent and child nodes, consider the following:

  • Parent Node Access: Sharing access with a user or group for a parent node's asset automatically grants the same access level to all child nodes' assets.
  • Increasing Access Level: You can increase the access level for a group or user on a specific child node's asset by creating an additional sharing record for that asset.
  • Highest Access Level: When both parent and child nodes' assets are shared with a group or user, the highest access level between the shared ones is applied.
     

Sharing Access: Step-by-Step Guide

To share access or modify access levels for a data asset with a group or user, follow these steps:

  1. Go to the Overview tab of the asset you want to share.
  2. Select the "Share" option.
  3. Search for and select the users or groups you want to share access with. The default access level, based on the node's details on the Access Levels tab, will be displayed next to the user or group name.
  4. Expand the list of access levels and choose the desired level for each user or group.
    • If the desired access level is not available, you may need to add it to the node configuration.
    • If the editing option is unavailable, it means the access level is inherited from the parent node, and you can only edit it from the parent node's asset.
    • Select "Done" to save the changes.
       

       

To revoke access from a user or group, navigate to the data asset, select the access level you want to remove, and choose "Remove Access" from the list of access levels.
 

Remember, the "Share" button is available on major data objects, such as catalog items, glossary terms, and rules. It allows you to make data assets available to specific teams or individuals within your organization.
 

When sharing access, you can choose from different access levels:

  • Full Access: Provides complete permissions for an asset, including delete, create, publish, and share actions.
  • Editing Access: Allows collaboration without the ability to create, delete, publish, or manage access to assets.
  • View Metadata Access: Enables users and groups to access only metadata, without editing capabilities.
  • View Data Access: Provides read-only access to both data and metadata, allowing users and groups to view, review, and add comments without making edits.

You can also remove access by selecting the "Remove access" option from the access level specification.
 

Do you have any tips & tricks? Share them in the comments below 👇
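
The resolution rules described in this post (role cap on group shares, direct user shares, group oversight, node inheritance) can be modelled in a few lines to review who ends up with which level on an asset. This is an added example, not Ataccama code or an Ataccama API: every name and record is constructed, and it assumes the ordering View Metadata < View Data < Editing < Full and that a user's governance role in their own group also caps shares inherited from child groups.

```python
from enum import IntEnum

class Level(IntEnum):  # assumed ordering, weakest to strongest
    VIEW_METADATA = 1
    VIEW_DATA = 2
    EDITING = 3
    FULL = 4

# Constructed sample data; all names are hypothetical.
GROUP_PARENT = {"Organization": None, "Finance": "Organization", "Finance-EU": "Finance"}
NODE_PARENT = {"source": None, "catalog_item": "source"}
# user -> {group: highest level their governance role in that group allows}
MEMBERSHIP = {
    "alice": {"Finance-EU": Level.EDITING},
    "bob": {"Finance": Level.VIEW_DATA},
    "carol": {"Organization": Level.FULL},
    "dave": {},
}
# sharing records: (asset node, "user" or "group", principal, shared level)
SHARES = [
    ("source", "group", "Finance-EU", Level.VIEW_METADATA),
    ("catalog_item", "group", "Finance-EU", Level.FULL),
    ("catalog_item", "user", "dave", Level.VIEW_DATA),
]

def chain(start, parent_of):
    """Yield start followed by all of its ancestors in the given hierarchy."""
    while start is not None:
        yield start
        start = parent_of[start]

def effective_level(user, node):
    """Highest level any applicable sharing record gives user on node, or None."""
    nodes = set(chain(node, NODE_PARENT))  # shares on parent nodes are inherited
    granted = []
    for asset, kind, principal, shared in SHARES:
        if asset in nodes and kind == "user" and principal == user:
            granted.append(shared)  # direct share: not capped by any role
        elif asset in nodes and kind == "group":
            for group, role_cap in MEMBERSHIP[user].items():
                # oversight: a share with a group also reaches its ancestor groups
                if group in chain(principal, GROUP_PARENT):
                    granted.append(min(shared, role_cap))  # lowest of role and share
    return max(granted, default=None)  # highest applicable level wins

def audit(node):
    """Map each user with access to node to their effective level name."""
    levels = {user: effective_level(user, node) for user in MEMBERSHIP}
    return {user: lvl.name for user, lvl in levels.items() if lvl is not None}
```

In the sample data, carol sits directly in "Organization" and therefore ends up with Full Access to the catalog item shared only with Finance-EU, which is the situation the "Managing Users" point advises against.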


1 reply


Hello, is there a way using the metadata model (or something else...) to reverse engineer this and check what data assets have had access shared, with whom and at what level of access? A use case, for example, is that I am creating a user audit report to see which data sources/catalog items/monitoring projects have had access shared with a group/user, to check if they should continue to have access to see the data. Thanks!
