Overview: Operationalizing Data Governance
The Governance model in EDG lets you operationalize the governance structures and institutionalize the governance principles you have adopted. It lets you:
- Bring your organization’s governance framework down to the level of roles, responsibilities, reporting lines, and communications
- Organize operational, risk management, and reporting processes to ensure adherence to governance practices necessary for the business units to conduct their activities in ways that comply with regulations and serve strategic ends
- Help all stakeholders to answer questions such as, “Why are we doing this?” “Is this okay?” “Whose call is this?” and “Who do we need to tell about this?” and to know when to ask such questions
- Sustain governance by creating a feedback loop in which the governance board and management can identify and respond to new business, operational, competitive, and regulatory needs
The Governance Model and Workflows
The Governance Model is a special EDG asset collection that uniquely captures enterprise contexts for other asset collections. It groups all collections governed by EDG into enterprise governance areas for which users can be given various governance roles. Users can also be grouped according to organizational structures. These dual settings bring together collections and users through EDG workflows, which orchestrate teams of users, via their roles, in the development and maintenance of the assets.
The governance model is also used to define metrics for governance areas and to manage the organization's governance policies, issues, and other relevant items.
Unlike other asset collection types, governance is a singleton. There is only one instance of the governance asset collection and it is pre-built. It offers specialized pages for managing governance assets. These are displayed in bold on the horizontal bar at the top of any of the pages that let you work with the governance framework.
Other tabs in this menu bar (e.g., Import, Export, etc.) work the same as they do for all asset collections in EDG.
Users and Access Control
EDG offers three categories of access controls.
- Governance roles provide business control over assets and associated workflows (business processes).
- Permission profiles (viewer, editor, and manager) provide direct authorizations for asset collection functions.
- Rights groups control access to system-level application resources (e.g., directories, files).
Governance roles represent rights and responsibilities of stakeholders engaged in various aspects of data governance processes. The roles can be associated with a subject area, an individual collection, or an individual asset.
The governance roles can convey both permission-profile access to the collections as well as workflow permissions for the governance processes that maintain the collections.
While the use of governance areas and roles is optional in EDG, using them provides a lot of flexibility and unlocks additional functionality such as asset-level roles.
User access to each asset collection and its available functions is controlled via permission profiles, which comprise three nested access levels: viewer, editor, and manager. Each level contains the permissions of the preceding level and more. The permission profiles assigned to users for each collection determine what each user can see or do with assets in the collection.
Rights groups convey low-level EDG file system access to users. These settings are largely separate from permission profiles and governance roles, except that users require a Create right to create new asset collections, and administrators (users in the AdministratorGroup) have full manager permissions for all collections.
You can see all users defined in the EDG system (e.g., via LDAP) by clicking on the Users link in the left hand side Navigation Bar. Each user listed can be clicked on to see user details. For each user, the details presented consist of:
- Settings (Tomcat users only): Non-LDAP users can define the email address that receives notifications. Users with administrator privileges can edit the email addresses of all users.
- Governance Roles: Lists the governance roles of the selected user, if any. The list displays the name of the area or asset collection (including a link to the details page) and the governance role of the user.
Note that there is also a Users tab in the horizontal menu at the top of the page. This works the same way as the Users page for any collection. It supports defining permissions and roles for the governance model itself.
Managers of a collection can assign users various permission profiles and governance roles. Managers can assign roles to individual users or to security roles, which represent groups of users. Individual users and their security roles are defined externally to the EDG application, during Tomcat configuration for the EDG installation. Typically, individuals and their security roles come into EDG (via Tomcat) from LDAP, but they can also be defined within Tomcat itself, via the
EDG administrators can assign security roles (but not individuals) to rights groups, and they can define custom rights groups. Rights management also provides a pre-defined users role, ANY_ROLE, which automatically includes any EDG user (for assigning rights groups universally).
Finally, the governance model lets you define organizations (see below). Organizations can then also be assigned governance roles.
Summary of Resources and Access Type Assignments
Governance Areas (and Roles)
Governance subject areas group asset collections according to an organization's business or data subject concerns. Governance areas are used to define a delineated part of stewardship. They partition and delegate ownership of assets, and define a meaningful context for assets that are associated with a governance area.
A business area may have subareas that are either business or data subject areas. A data subject area may have only data subject subareas.
There are two ways to connect an asset collection with a governance area:
- by selecting a governance area and either creating a new asset collection or adding an existing collection, thereby automatically associating it with the selected area, or
- by updating the collection's metadata using Settings > Metadata > Edit > subject area.
Creating governance areas
To create a governance area, click on the Business and Data Subject Area root or on one of the already existing areas and select either Add Business Sub-Area or Add Data Subject Sub-Area.
After creation, you can add governance roles to the area by selecting the area and clicking on Add governance role. Clicking on the Details button will let you work with the full information about a governance area.
If you select one of the roles assigned to a governance area you will be able to:
- Set a permission profile for the role
- Assign roles to users of EDG, either directly or indirectly through security roles and organizations
- Disable the role
Each governance area may have associated governance roles, where each role represents a business-oriented set of user rights and responsibilities pertaining to managing assets associated with a given area. Governance roles can be used in various workflows (see workflow templates), which orchestrate users in the governance processes that create and maintain the area's assets.
TopBraid EDG ships with a pre-built set of governance roles commonly used by organizations, but customers can modify this set. Pre-defined roles can be disabled and new ones can be added. This is accomplished by modifying the EDG ontology that describes governance assets. Pre-built governance roles are properties with associated property shapes defined in the EDG Shapes - Governance Assets ontology. For information on customizing EDG ontologies, see this page.
Governance roles are assigned to users by specifying, for a governance role:
- individual users or
- user security roles (e.g., from LDAP) or
- organizations, which are defined in the Governance Model's Organizational Structure (see below).
Role assignments specified for an area apply to all of the area's own asset collections and to all of its descendant-areas' collections.
Each asset collection can also have its own additional governance role assignments, made via its User Roles > Governance Roles settings. Such collection-specific assignments are shown in a governance area's listing of associated Asset Collections. If a collection has its own governance role assignments (i.e., in addition to its area's) it will be indicated by showing the assigned roles' initials in the +Roles column. A governance role applicable to an asset collection is applicable to all assets in this collection.
Finally, governance roles can be assigned on an asset level. This feature is enabled as a choice on the Manage tab of a collection.
Governance roles vs. permission profiles
Asset collections use three standard permission profiles: viewer, editor, and manager. (See: Rights Entailed by Permission Profiles for details.) Compared to the v/e/m profiles, which focus on read and write permissions, governance roles are more abstract and more representative of an enterprise's business processes for data governance.
- Governance roles represent how a team of business users relates to a governance area's business and technical assets. In contrast, the v/e/m levels represent only permissions for a given asset collection and its workflows.
- Governance roles can be defined for governance areas or an individual collection or an individual asset, whereas the v/e/m permissions must be specified at the collection level.
- The set of governance roles available in EDG is customizable, but the three v/e/m permission levels are neither customizable nor extensible.
- Custom workflows (via templates, see below) can generally* be defined in terms of either governance roles or the v/e/m permissions. (The provided Basic workflow uses v/e/m only. *Voting steps pertain to governance roles only.)
- Any user that has a governance role for a collection is automatically granted a view permission profile for that collection and for any workflow on the collection.
- Further, each governance role can be given specific permissions. For example, you can say that a data steward always has editor permissions. You can also say that for Change Approval workflows, a data steward has manager permissions.
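The following is an added example, not EDG code or its API, that models how the rules described above combine into one effective permission profile per user and collection, which is the question an access review has to answer. The data structures, the "business analyst" role, and all sample users, areas and collections are constructed; taking the highest of the direct and role-conveyed profiles is an assumption.

```python
# Simplified model of the rules above; not EDG code. All data is constructed.
LEVELS = {"none": 0, "viewer": 1, "editor": 2, "manager": 3}  # nested profiles
AREA_PARENT = {"Finance": None, "Finance/Risk": "Finance"}     # area -> parent area
COLLECTION_AREA = {"Ledger": "Finance", "RiskGlossary": "Finance/Risk"}
ROLE_PROFILE = {"data steward": "editor"}  # profile set per role; default is viewer
ORGS = {"Risk Committee": {"users": {"carol"}, "security_roles": {"risk-ldap"}}}
USER_SECURITY_ROLES = {"dave": {"risk-ldap"}, "erin": {"ledger-ldap"}}
ADMIN_USERS = {"root"}  # users in the AdministratorGroup
DIRECT_PROFILES = {("RiskGlossary", "bob"): "manager"}
# (scope, governance role, assignee kind, assignee)
ASSIGNMENTS = [
    ("area:Finance", "data steward", "user", "alice"),
    ("area:Finance/Risk", "business analyst", "org", "Risk Committee"),
    ("collection:Ledger", "data steward", "security_role", "ledger-ldap"),
]

def scopes_for(collection):
    """The collection itself, its governance area, and every ancestor area."""
    scopes = {f"collection:{collection}"}
    area = COLLECTION_AREA.get(collection)
    while area is not None:
        scopes.add(f"area:{area}")
        area = AREA_PARENT.get(area)
    return scopes

def is_assignee(user, kind, assignee):
    """True if the user is covered directly, via a security role, or via an organization."""
    sec_roles = USER_SECURITY_ROLES.get(user, set())
    if kind == "user":
        return user == assignee
    if kind == "security_role":
        return assignee in sec_roles
    org = ORGS.get(assignee, {"users": set(), "security_roles": set()})
    return user in org["users"] or bool(sec_roles & org["security_roles"])

def governance_roles(user, collection):
    scopes = scopes_for(collection)
    return sorted({role for scope, role, kind, who in ASSIGNMENTS
                   if scope in scopes and is_assignee(user, kind, who)})

def effective_profile(user, collection):
    if user in ADMIN_USERS:
        return "manager"  # administrators are managers of all collections
    profiles = [DIRECT_PROFILES.get((collection, user), "none")]
    # Holding any governance role conveys at least viewer.
    profiles += [ROLE_PROFILE.get(r, "viewer") for r in governance_roles(user, collection)]
    return max(profiles, key=LEVELS.__getitem__)  # assumption: highest level wins

if __name__ == "__main__":
    for u in ("alice", "bob", "carol", "dave", "erin", "root"):
        print(u, {c: effective_profile(u, c) for c in COLLECTION_AREA})
```

In this sample, alice's area-level assignment on Finance reaches the collection in the descendant area Finance/Risk, while carol's assignment on Finance/Risk does not reach Ledger in the parent area.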
EDG lets you describe and document an organizational breakdown to capture social units of people that participate in the governance process. Organizations can have suborganizations. This structure often corresponds to functional divisions in an enterprise.
EDG organizations are groupings of users specified either individually or via their security roles (e.g., from LDAP). Each organization instance can have various associated metadata. Organizations represent users abstractly, which provides various benefits such as:
- documenting governance responsibility at an organizational level instead of a user account level, and
- representing users before having to identify and onboard specific individuals, and
- facilitating reassignment of responsibilities when personnel change.
Typically, when you start your governance initiative, your organizational breakdown and your governance area breakdown may be very similar or even identical. However, as your governance processes mature, these breakdowns often diverge.
You can create different types of organizations such as departments, committees, boards and working groups - as shown below:
When you click on an organization in the organizational breakdown, you can describe it in more detail including assigning it governance roles and associating users with it.
Clicking on the Details button will let you work with the full information about an organization. The type of information you will want to capture is fully customizable through modifying the governance ontology.
EDG administrators can activate metrics dashboards: EDG Configuration Parameters > Teamwork Platform Parameters > Metrics dashboards activated. And they can also edit the resulting GOVERNANCE MODEL > Dashboards item. To activate each dashboard in the governance model, please turn on "Enable Options for SWA forms" in Server Administration. The activate property will be on the SWA form and not the SHACL based form. You can toggle between them in the form in the governance model. Note that creating new Metrics Dashboards requires advanced TopBraid developer knowledge in order to generate the scripts needed to supply data and add visualizations. Upcoming releases will include additional scripts for a variety of metrics. If you are interested in the possibilities for tailoring TopBraid EDG Metrics Dashboards to better suit your needs, please contact TopQuadrant to explore the following options:
- Have TopQuadrant quickly configure a customized EDG solution to meet your detailed requirements. We will be pleased to quote and provide affordable customization and tailoring services.
- Enable your organization to develop and maintain customizations for EDG by guiding and training your selected personnel to perform the variety of customization capabilities.
TopBraid EDG lets you capture policies relevant to data governance.
TopBraid EDG lets you create and work with issues. Typically, these will be issues related to establishing and operating your governance processes.
Other Governance Assets
This page gives you access to other types of governance assets that are not explicitly linked in the Navigation Bar such as risks, reports, etc. In fact, it will show all governance assets including those that have a dedicated page linked from the navigation menu. The page provides functions to view, edit, create, delete and perform other actions.
To focus on a specific subtype of governance assets, click on the Asset Type Selector icon and make selections.
This shows the collection of templates that define the available workflow types, e.g., the Basic workflow. To customize these workflow types externally from EDG (e.g., via TopBraid Composer - Maestro Edition), users in the Teamwork Administrator Role can download and upload the templates as a Turtle file. For details on developing custom workflows, see EDG Developer Guide: Adding Custom Workflow Templates.