Ownership model

In Data Access, a combination of your global permissions and specific ownership rights determines what you can see and do. While global permissions provide broad access, ownership provides granular, targeted control over individual data sources, data objects, and access controls. Ownership is managed directly in Data Access.

Important To work with Data Access or access the Data Access product, you must have the Product Rights > Data Access global permission.

Global roles

The following table describes the Data Access global roles.

Global role Default global permissions Description
Data Access Business User
  • Product Rights > Data Access
  • Data Access > Create Access Controls

Create access controls, even if you do not own any data object.

Data Access Observer
  • Product Rights > Data Access
  • Data Access > View All Access And Usage

View all access controls and access requests, and monitor access and usage of all data, even if you are not the owner. This includes the ability to see the beneficiaries of access controls, issues, audit logs, and more.

Data Access Manager
  • Product Rights > Data Access
  • Data Access > Manage All Access

Manage all access controls, and monitor access and usage of all data. This permission provides the same capabilities as if you were the owner of all data sources, data objects, and access controls. Therefore, it should be assigned carefully.

Data Access Admin
  • Product Rights > Data Access
  • Data Access > Manage Settings

Manage the Data Access settings and add data sources.

Global permissions

The following table describes the Data Access global permissions.

Global permission License Description
Product Rights > Data Access Viewer

Access the Data Access product.

Data Access > Create Access Controls Contributor

Create access controls, even if you do not own any data object.

This global permission is used by Data Product Owners and Data Stewards to manage roles, column masks, and row filters.

Data Access > View All Access And Usage Viewer

View all access controls and access requests, and monitor access of data, even if you are not the owner. This includes details on who has access to what data, audit logs, and issues.

This global permission is used by Chief Data Officer, Chief Information Officer, Chief Information Security Officer, or an auditor to centrally monitor data access and usage.

Data Access > Manage All Access Contributor

Manage all access controls, and monitor access and usage of data. This permission provides the same capabilities as if you were the owner of all data sources, data objects, and access controls. Therefore, it should be assigned carefully.

This global permission is used by your super user to manage Data Access. Limit this to as few users as possible.

Data Access > Manage Settings Contributor

Manage the Data Access settings and add data sources.

Ownership

Ownership of data objects is crucial for access management because only data owners can manage access to their data or delegate this responsibility to the owner of an access control.

You can be the owner of a data source, data object, or access control. You become the owner of a data source when you add it to Data Access or when the current owner makes you the owner. Similarly, you become the owner of an access control when you create it in Data Access or when the current owner makes you the owner. You can set the owner of an entity by clicking Edit icon in the Owners field in the Details sidebar.

The following table describes the capabilities of each ownership level.

Ownership level Capabilities
Data source

As the owner of a data source, you can:

  • Edit the details of your data source.
  • Delete your data source.
  • Manually start a synchronization of your data source.

Additionally, you become the owner of all the data objects in your data source.

Data object

As the owner of a data object, you can:

  • Grant access on your data object to others by creating or editing access controls. This means that if you are the owner of any data object, you can create access controls or edit your own access controls even without the Data AccessCreate Access Controls global permission.
  • View who has access on your data object.
  • Get assigned to any access requests for your data object.
  • Remove your data object from any access control at any time to revoke access, even if you are not the owner of the access control itself.

Additionally, you become the owner of all the data objects that are descendants of your data object.

Access control

As the owner of an access control, you can:

  • Edit your access control, including the name and the Who component. If you add or edit the data objects and access controls that you do not own, an access request is generated for the respective owners for approval.
  • Delete your access control.
  • View the complete What and Who components of your access control.
  • View the audit log and issues associated with your access control.
Note If you are the owner of all the data objects in an access control that is created by someone else, you automatically gain permissions to view and edit the Who component, delete the access control, edit the access control name, and perform other actions, as if you were the owner of the access control itself.