Overview: Asset Collections and Governance
EDG asset collections contain individual assets representing various types of business, technical, and operational resources of an organization. Examples of assets could include documents, vocabulary terms and relationships, data schema and profiles, reference data, requirements, and other technical or enterprise resources.
Data governance modelers can define business or data subject areas of concern and populate them with multiple types of asset collections for the resources of interest. Teams comprising different governance roles can maintain the collections in an orchestrated way based on collection workflows.
Users and Access Control
EDG has three categories of resources with access controls.
- Permission profiles (viewer, editor, and manager) provide direct authorizations for asset collection functions.
- Governance roles provide higher-level business control of asset collections and their workflows (business processes).
- Rights groups control access to system-level application resources (e.g., directories, files).
Each asset collection controls user access to its assets and functions via permission profiles, which comprise three nested access levels: viewer, editor, and manager. Each level contains the permissions of the preceding level and more. The permission profiles assigned to users on each collection control what each user can see or do with the collection.
Governance roles represent types of business users engaged in various aspects of data governance processes. The roles are associated with particular business areas and their asset collections. The governance roles convey both permission-profile access to the collections in their areas and workflow permissions for the governance processes that maintain the collections.
Rights groups convey low-level EDG file system access to users. These settings are largely separate from permission profiles and governance roles, except that users require a Create right to create new asset collections, and administrators (users in the AdministratorGroup) have full manager permissions for all collections.
Collection managers can assign users to various permission profiles and governance roles. Managers can assign users either as individuals or as security roles, which represent groups of users. Individual users and their security roles are defined externally to the EDG application, during Tomcat configuration for the EDG installation. Typically, individuals and their security roles come into EDG (via Tomcat) from LDAP, but they can also be defined within Tomcat itself, via the
EDG administrators can assign security roles (but not individuals) to rights groups, and they can define custom rights groups. Rights management also provides a pre-defined users role, ANY_ROLE, which automatically includes any EDG user (for assigning rights groups universally).
Finally, the governance model (see below) provides EDG-definable organizations, which are custom user-group hierarchies comprising selected individuals and security roles. Organizations can then be assigned to governance roles, in addition to individuals and security roles.
Summary of Access Types and User Assignment
The Governance Model and Workflows
The Governance Model is a special EDG asset collection that uniquely provides enterprise contexts for other asset collections. It groups all collections governed by EDG into enterprise governance areas for which users can be given various governance roles. Users can also be grouped according to organizational structures. These dual settings bring together collections and users through EDG workflows, which orchestrate teams of users, via their roles, in the development and maintenance of the collections.
The Governance Model is also used to define metrics for governance areas and to manage an organization's governance policies and issues.
Governance Areas (and Roles)
Governance areas group asset collections according to an organization's business or data subject concerns. Governance areas are used to define a delineated part of stewardship. They partition and delegate ownership of assets, and define a meaningful context for assets that are associated with a governance area.
A business area may have subareas that are either business areas or data subject areas. A data subject area may have only data subject subareas.
An asset collection may be assigned to one or more areas. There are two ways to connect an asset collection with a governance area:
- by selecting a governance area and creating a new asset collection, which automatically associates it with the selected area, or
- by updating the collection's metadata using Settings > Metadata > Edit > subject area.
Each governance area may have associated governance roles, where each role represents a business-oriented set of user rights and responsibilities pertaining to the area's collections. Governance roles can be used in various workflows (see workflow templates), which orchestrate users in the governance processes that create and maintain the area's asset collections.
TopBraid EDG's set of available governance roles is configurable. EDG pre-defines several roles commonly used by organizations, but customers can modify this set.
A governance area's roles are assigned to users by specifying:
- individual users or
- user security roles (e.g., from LDAP) or
- organizations, which are defined in the Governance Model's Organizational Structure (see below).
Role assignments in a given governance area automatically apply to all of the area's own asset collections and to all of its descendant-areas' collections.
Each asset collection can also have its own additional governance role assignments, made via its User Roles > Governance Roles settings. Such collection-specific assignments are shown in a governance area's Asset Collections listing, where any collection that has its own governance role assignments (i.e., in addition to its area's) will indicate them by showing the assigned roles' initials in its +Roles column.
Governance roles vs. permission profiles
Underlying the governance roles, asset collections use three standard permission profiles: viewer, editor, and manager. (See: Collection Permission Profiles: Viewer, Editor, and Manager for details.) Compared to the v/e/m profiles, which focus on collection permissions, governance roles are more abstract and more representative of an enterprise's business processes for data governance.
- Governance roles represent how a team of business users relates to a governance area's business and technical assets. In contrast, the v/e/m levels represent only permissions for a given asset collection and its workflows.
- Governance roles can be defined for governance areas or an individual collection, whereas the v/e/m permissions must be specified at the collection level.
- The set of governance roles available in EDG is customizable, but the three v/e/m permission levels are neither customizable nor extensible.
- Users that have any governance role for an area automatically receive viewer permissions (at least) for all current and future collections and workflows in the area. In contrast, v/e/m permissions per se must be set manually on each collection or workflow copy.
- Custom workflows (via templates, see below) can generally be defined in terms of either governance roles or the v/e/m permissions. The exception is voting steps, which pertain to governance roles only. (The provided Basic workflow uses v/e/m only.)
EDG organizations are custom hierarchical groupings of users specified either individually or via their security roles (e.g., from LDAP). Each organization instance can also have documentation, various types of metadata, and may contain sub-organizations. Organizations represent users abstractly, which provides various benefits such as:
- documenting governance responsibility at an organizational level instead of a user account level, and
- representing users before having to identify and onboard specific individuals, and
- facilitating reassignment of responsibilities when personnel change.
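The rules above (nested viewer/editor/manager profiles, governance roles inherited from ancestor areas, the viewer floor for any governance role, and administrators as managers everywhere) can be combined into an access-review check. The following Python sketch is an added illustration, not EDG code or an EDG API. All user, area, collection, role and organization names are hypothetical, organizations are modelled as flat groups, and a governance role is counted only at its guaranteed minimum of viewer.

```python
from dataclasses import dataclass, field

LEVELS = ["none", "viewer", "editor", "manager"]  # nested: each level includes the previous

@dataclass
class User:
    name: str
    security_roles: set = field(default_factory=set)

# Constructed sample data; every name below is hypothetical.
AREA_PARENT = {"Finance": None, "Finance/Risk": "Finance", "HR": None}
COLLECTION_AREAS = {"risk-glossary": {"Finance/Risk"}, "hr-codes": {"HR"}}
ORGS = {"FinanceDept": {"user:dana", "role:treasury-staff"}}    # flat membership (assumption)
AREA_ROLES = {"Finance": [("Data Steward", "org:FinanceDept")]}  # area -> (role, principal)
DIRECT = {"risk-glossary": {"role:treasury-staff": "editor"}}    # collection v/e/m profiles
ADMIN_GROUP = {"role:edg-admins"}  # security roles placed in AdministratorGroup

def principals(user):
    """Everything an assignment can name that matches this user."""
    base = {f"user:{user.name}"} | {f"role:{r}" for r in user.security_roles}
    return base | {f"org:{o}" for o, members in ORGS.items() if members & base}

def inherited_roles(user, collection):
    """Governance roles reaching a collection from its areas and all ancestor areas."""
    who, found = principals(user), set()
    for area in COLLECTION_AREAS.get(collection, ()):
        while area is not None:
            found |= {(area, role) for role, p in AREA_ROLES.get(area, []) if p in who}
            area = AREA_PARENT[area]
    return found

def effective_profile(user, collection):
    """Highest profile the user ends up with on one collection."""
    who = principals(user)
    if who & ADMIN_GROUP:
        return "manager"  # administrators are managers of every collection
    direct = DIRECT.get(collection, {})
    rank = max((LEVELS.index(lvl) for p, lvl in direct.items() if p in who), default=0)
    if inherited_roles(user, collection):
        rank = max(rank, LEVELS.index("viewer"))  # any governance role => at least viewer
    return LEVELS[rank]

def access_report(users, collections):
    """Map (user, collection) -> effective profile, omitting pairs with no access."""
    return {(u.name, c): p for u in users for c in collections
            if (p := effective_profile(u, c)) != "none"}
```

A review would compare the report against the intended assignments; access that arrives only through an ancestor area or an organization is the kind most easily missed when looking at a single collection's settings.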
Other Governance Assets
Governance assets are instances of various governance-related information types (classes) such as agencies, councils, issues, metrics, policies, reports, etc. This item opens the Governance Model editor, listing current instances (if any) and providing functions such as view, edit, create, delete, etc.
EDG administrators can activate metrics dashboards: EDG Configuration Parameters > Teamwork Platform Parameters > Metrics dashboards activated. They can also edit the resulting GOVERNANCE MODEL > Dashboards item. Note that creating new Metrics Dashboards requires advanced TopBraid developer knowledge in order to generate the scripts needed to supply data and add visualizations. Upcoming releases will include additional scripts for a variety of metrics. If you are interested in the possibilities for tailoring TopBraid EDG Metrics Dashboards to better suit your needs, please contact TopQuadrant to explore the following options:
- Have TopQuadrant quickly configure a customized EDG solution to meet your detailed requirements. We will be pleased to quote and provide affordable customization and tailoring services.
- Enable your organization to develop and maintain customizations for EDG by guiding and training your selected personnel to perform the variety of customization capabilities.
This lists all users defined in the EDG system (e.g., via LDAP). Each user listing can be viewed for details of its governance associations within EDG.
For each user, the details presented consist of:
- Settings (Tomcat users only): Non-LDAP users can define the email address that receives notifications. Users with administrator privileges can edit the email addresses of all users.
- Governance Roles: Lists the governance roles of the selected user, if any. The list displays the name of the area or asset (including a link to the details page) and the governance role of the user.
This shows the collection of templates that define the available workflow types, e.g., the Basic workflow. To customize these workflow types externally from EDG (e.g., via TopBraid Composer - Maestro Edition), users in the Teamwork Administrator Role can download and upload the templates as a Turtle file. For details on developing custom workflows, see EDG Developer Guide: Adding Custom Workflow Templates.