Ownership model
In Data Access, a combination of your global permissions and specific ownership rights determines what you can see and do. While global permissions provide broad access, ownership provides granular, targeted control over individual data sources, data objects, and access controls. Ownership is managed directly in Data Access.
Important To work with Data Access or access the Data Access product, you must have the Product Rights > Data Access global permission.
Global roles
The following table describes the Data Access global roles.
| Global role | Default global permissions | Description |
|---|---|---|
| Data Access Business User |
|
Create access controls, even if you do not own any data object. |
| Data Access Observer |
|
View all access controls and access requests, and monitor access and usage of all data, even if you are not the owner. This includes the ability to see the beneficiaries of access controls, issues, audit logs, and more. |
| Data Access Manager |
|
Manage all access controls, and monitor access and usage of all data. This permission provides the same capabilities as if you were the owner of all data sources, data objects, and access controls. Therefore, it should be assigned carefully. |
| Data Access Admin |
|
Manage the Data Access settings and add data sources. |
Global permissions
The following table describes the Data Access global permissions.
| Global permission | License | Description |
|---|---|---|
| Product Rights > Data Access | Viewer |
Access the Data Access product. |
| Data Access > Create Access Controls | Contributor |
Create access controls, even if you do not own any data object. This global permission is used by Data Product Owners and Data Stewards to manage roles, column masks, and row filters. |
| Data Access > View All Access And Usage | Viewer |
View all access controls and access requests, and monitor access of data, even if you are not the owner. This includes details on who has access to what data, audit logs, and issues. This global permission is used by Chief Data Officer, Chief Information Officer, Chief Information Security Officer, or an auditor to centrally monitor data access and usage. |
| Data Access > Manage All Access | Contributor |
Manage all access controls, and monitor access and usage of data. This permission provides the same capabilities as if you were the owner of all data sources, data objects, and access controls. Therefore, it should be assigned carefully. This global permission is used by your super user to manage Data Access. Limit this to as few users as possible. |
| Data Access > Manage Settings | Contributor |
Manage the Data Access settings and add data sources. |
Ownership
Ownership of data objects is crucial for access management because only data owners can manage access to their data or delegate this responsibility to the owner of an access control.
You can be the owner of a data source, data object, or access control. You become the owner of a data source when you add it to Data Access or when the current owner makes you the owner. Similarly, you become the owner of an access control when you create it in Data Access or when the current owner makes you the owner. You can set the owner of an entity by clicking in the Owners field in the Details sidebar.
The following table describes the capabilities of each ownership level.
| Ownership level | Capabilities |
|---|---|
| Data source |
As the owner of a data source, you can:
Additionally, you become the owner of all the data objects in your data source. |
| Data object |
As the owner of a data object, you can:
Additionally, you become the owner of all the data objects that are descendants of your data object. |
| Access control |
As the owner of an access control, you can:
Note If you are the owner of all the data objects in an access control that is created by someone else, you automatically gain permissions to view and edit the Who component, delete the access control, edit the access control name, and perform other actions, as if you were the owner of the access control itself.
|