Metadata & Data Security

Setting up Security using Data Asset Group (DAG)

What is Data Asset Group (DAG)?

A Data Asset Group (DAG) is a way to manage security, ownership, and stewardship at the functional level. When an OvalEdge ADMIN first crawls a data source, that ADMIN becomes the default Owner and Steward for that schema. To share responsibility for a specific data asset group, an ADMIN can assign a new Owner, Steward, and Author at the schema level. The newly assigned Owner shares responsibility for managing that DAG with the ADMIN. See Users & Roles permissions on a Domain, terms, and DAG Tag to learn what Owners and Stewards of a data asset group and a domain can do.

How is DAG created at the schema level?

Generally, every database schema that is connected and crawled creates a Data Asset Group. There are four types of data asset group in OvalEdge: databases at the schema level, folders, report groups, and asset groups (similar tags combined under a single asset group tag). To crawl a database schema, see Crawl a Database connection.

What is a DAG Tag?

A Data Asset Group tag organizes and maintains the security, ownership, and control of similar data assets that are grouped together, such as database schemas, tables, files, reports, and queries (procedures, views, and functions).

Example: Two different applications (SalesForce and Oracle Apps) might both contain Customers and Purchasing data. Because they are two different applications, their databases are different, and traditionally security and ownership are initially managed at the database level. If you want the VP of Sales to own all the customer data (PII) from both systems and the Chief Procurement Officer to maintain the purchase data from both systems, use DAG tags. Using OvalEdge DAG tags, ownership and stewardship can be changed. Now the Customers data is owned by the VP of Sales while the Purchasing data is owned by the Chief Procurement Officer.

To monitor and maintain security for similar data assets, ADMINs create, organize, and manage them using a Data Asset Group tag (DAG TAG). DAG TAGs can only be created by a user with the ADMIN role. See Creating a Data Asset Group to learn the steps for creating a DAG TAG.

While creating a DAG TAG (grouped data objects), a new set of Owners, Stewards, and Authors is assigned to manage the security of the added objects. The DAG TAG Owners and Stewards then become responsible for these grouped data objects. However, the user roles that the Owner and Steward belong to must be manually associated with the DAG TAG.

While creating a DAG, you can choose to:

  • Manage Ownership
  • Manage Stewardship
  • Manage Security

Points to Remember:

At least one of the above options must be selected while creating a new DAG to manage the grouped data assets.

  • Manage Ownership: permissions must be given at the dataset level (schema/files/report groups).
  • Manage Stewardship: permissions must be given at the dataset level (schema/files/report groups).
  • Manage Security: permissions must be given at the DAG level.
  • If the Manage Security option is not selected, the DAG's Security Groups (the user roles available on that DAG) are not enabled, and the object carries only the security group of its database/schema/file/report group. In other words, only the user roles defined at the database level will be able to access it.
  • If the Manage Security option is selected while creating a DAG, the Security Groups (i.e., the user roles available to that DAG) will have access to the data objects associated with that DAG.
  • Similarly, if Manage Ownership is not checked, ownership is maintained by the schema-level Owner.

    Note: Once a user is assigned as an Owner/Steward/Publisher/Author, their predefined role permissions take precedence over their custom role permissions.

You cannot assign more than one DAG Tag to a Database/Table/Report. But there can be multiple tables, files, and reports associated with a single DAG TAG.

How to Manage Roles and Permissions through DAG

How to control metadata access using DAG Tags?

The data objects assigned to DAG Tags are controlled and managed through predefined user roles (Owners, Stewards, and Authors). However, access to the data in those objects depends on the data permissions granted. Only OE_ADMINS have the right to create a DAG Tag and manage roles and permissions on DAG tags. Additionally, the Owner of a DAG has the right to assign data objects to DAG tags.


Note: When a DAG is assigned to a database, it affects the Owner/Steward and Security Groups based on the configuration of the DAG. It also affects all the associated tables, EXCEPT tables that have a DAG assigned to them directly.
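The resolution rules from Points to Remember and the note above, modelled in Python as an added example (this is not OvalEdge code or its API). It assumes that only the nearest DAG is consulted and that, with Manage Security selected, the DAG's roles replace the database-level roles; the role and object names are constructed.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Dag:
    name: str
    owner: str
    steward: str
    roles: frozenset                 # Security Groups (user roles) on the DAG
    manage_ownership: bool = False
    manage_stewardship: bool = False
    manage_security: bool = False

    def __post_init__(self):
        if not (self.manage_ownership or self.manage_stewardship or self.manage_security):
            raise ValueError(f"{self.name}: select at least one Manage option")

@dataclass
class Asset:
    name: str
    owner: str                       # database-level Owner (ADMIN after a crawl)
    steward: str
    roles: frozenset                 # user roles granted at database level
    dag: Optional[Dag] = None        # single field: one DAG tag per object
    parent: Optional["Asset"] = None # a table's database/schema

def governing_dag(asset):
    """A DAG set directly on an object wins over one set on its database."""
    while asset is not None:
        if asset.dag is not None:
            return asset.dag
        asset = asset.parent
    return None

def effective(asset):
    """Return (owner, steward, roles) for an asset after the DAG flags apply."""
    dag = governing_dag(asset)
    if dag is None:
        return asset.owner, asset.steward, asset.roles
    return (dag.owner if dag.manage_ownership else asset.owner,
            dag.steward if dag.manage_stewardship else asset.steward,
            # Assumption: with Manage Security on, DAG roles replace database roles.
            dag.roles if dag.manage_security else asset.roles)

DB = frozenset({"DB_USERS"})  # constructed sample data; names are hypothetical
purchasing = Dag("purchasing", "CPO", "CPO", frozenset({"PROCUREMENT"}), True, True, True)
customer_pii = Dag("customer_pii", "JOHN", "JOHN", frozenset({"SALES_ANALYST"}), True, True)
schema = Asset("oracle_apps", "ADMIN", "ADMIN", DB, dag=purchasing)
orders = Asset("orders", "ADMIN", "ADMIN", DB, parent=schema)
customers = Asset("customers", "ADMIN", "ADMIN", DB, dag=customer_pii, parent=schema)
```

In this model `customers` ends up owned by JOHN but is still accessible only to DB_USERS, because its DAG was created without Manage Security, so SALES_ANALYST gains no access through the tag.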


To manage the custom user role permissions on a DAG TAG,

  1. Go to the Administration tab > Security.
  2. Create a Data Asset Group tag.
  3. Click the Manage roles tab and assign data and metadata permissions.

Custom User-role permissions on DAG TAGs

When a user role has:

META_READ ONLY - users can only view the metadata details and cannot update the Title, Business Description (wiki), or Technical Description (New Field), add tags, or edit Lineage.

META_READ_WRITE - allows users to view the metadata and edit metadata such as the Title, Business Description (wiki), and Technical Description (New Field), add custom tags, and edit Lineage.

DATA_PREVIEW - allows the user to see the data preview and profiling results. The user cannot query the data through the data catalog page and cannot query the table using Query Sheet.

DATA_READ - allows users to read the data and profile results. Using a Query Sheet, they can query these tables. DATA_READ permission only allows SELECT queries; the user has no permission to Insert/Update/Delete data in these tables.

DATA_WRITE will allow users to write Insert/Update/Delete queries.

For more information on how to create a Data Asset Group and set up metadata and data permissions on a DAG Tag, see Managing User-roles on components of Security > Data Asset Group.

Creating a Data Asset Group Tag

Note: Before you create a DAG tag, create a domain. To create a domain, refer to How to create a domain.

To add a new data asset group tag (DAGTAG),

  1. Expand the Administration tab in the object browser and select Security.
  2. Select the Data Asset Group tab from the security menu bar.
  3. Click the + (plus) icon to add a data asset group.
    A dialogue box opens for user input.
  4. Select the domain, enter the data asset group name and description, and select the Owner, Steward, and Author(s) from the drop-down list.
    For information about Owner, Steward, and Approver, see Domain Management.
  5. Select the options to manage the ownership, stewardship, and security of this DAG TAG.
  6. Click to save the data asset group name and return to the security page.

Delete a Data Asset Group Tag

To delete a data asset group tag (DAGTAG),

  1. Expand the Administration tab in the object browser and select Security.
  2. Select the Data Asset Group tab from the security menu bar.
  3. Select an asset group name.
  4. Click the delete button to delete the data asset group.
  5. A pop-up dialogue box asks for confirmation to delete the data asset group. Deleting the DAG deletes all the associated tags, and the user can no longer manage the data objects using tags. Select confirm to permanently delete the data asset group.

 


Edit a Data Asset Group Tag

To edit a data asset group tag (DAGTAG) from the security module,

  1. Navigate to Administration > Security.
  2. Select the Data Asset Group tab from the security menu bar. 
  3. Choose an asset group name and click the Edit icon.
  4. Make changes and click Save.

To edit the DAG tag Owners and Stewards from the Home page,

  1. Navigate to the Home page > Data Asset Groups.
  2. Select a DAG TAG.
  3. Click the Edit icon to edit the tag. A pop-up window appears where the information can be edited.
  4. Scroll down the page to set the new Owner and Steward for the selected DAG Tag and edit the DAG security.

Assigning DAG to the data asset

DAGs can be assigned to database schemas, tables, files, reports, and queries. DAGs are assigned to data objects through tags.

Before a DAG is assigned to a table, ADMIN is the Owner and the Steward.

After a DAG is assigned to a table, JOHN becomes the Owner and the Steward for this table. These ownership details are copied from the DAG Tag.

Users can also assign DAG tags from the home screen. Select the parent tag “Data Asset Group” and choose from the list of DAG child tags that have been created.

Approval Workflow

Approval Workflow allows the Administrator to set up the approval process for Access permissions, Content change permissions, Data Quality Issues, New data assets, Business Glossaries, and other requests. OvalEdge provides multiple options so that users can design their own Approval Workflow process.

Set Up Approvals

To set up a workflow,

1. Navigate to the Administration > Security module.

2. Click the icon.

The following pop-up displays.

3. Select a request type.
4. Each request type has a default Approver assigned:
    • Access: Data Owner is the default Approver
    • Content Change: Data Steward is the default Approver
    • Data Quality: Data Steward is the default Approver
    • New Data Asset: Data Owner is the default Approver
    • Business Glossary: Steward is the default Approver
    • Other: Data Steward is the default Approver

5. ADMIN can save the default approvers or add multiple levels of approval. However, at each level ADMIN must define one approver from the following:
    • User Manager
    • Data Governance Manager
    • Data Control Manager
    • Data Owners
    • Data Stewards
    • User
    • Anyone from the Role