Role Based Access Control (RBAC)
The image below depicts Collibra Data Quality & Observability's security architecture.
Whether you use a local user store, Active Directory, or the out-of-the-box user accounts that ship with Collibra Data Quality & Observability via LDIF, the security model stays the same. An admin can create many ROLEs. A user, whether a local user, an LDIF user, or an AD user, can be a member of one or many roles, and a ROLE maps to a dataset within Collibra Data Quality & Observability.
When dataset security is enabled and you want to access a dataset, or want to see, add, or remove an existing business unit for a dataset, you must have a role that is attached to that dataset.
For datasets, when dataset security and default dataset owner access is enabled, a user with a role attached to a dataset or the dataset owner can:
- Add - A user with no dataset access (no role attached to any existing dataset) can still create a dataset. After creating it, this user (the default dataset owner) can see the dataset, its profile, and its business units, and can add and remove business units on the dataset they own.
- Retrieve/See - User can retrieve/see datasets, based on dataset access.
- Edit - User can edit datasets, based on dataset access.
- Remove - User can remove datasets, based on dataset access.
For business units, when dataset security and default dataset owner access is enabled, a user can:
- Retrieve/See - User can retrieve/see business units, based on dataset access.
- Edit - User can edit business units, based on dataset access.
- Remove - User can remove business units, based on dataset access.
Note: You must be an admin to create a business unit, which can then be added to a dataset.
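The access rules above can be read as a small decision function: when dataset security is on, a request to see, edit, or remove a dataset or its business units succeeds only if the caller holds a role attached to that dataset or (with default dataset owner access enabled) is the dataset's owner, while creating a dataset needs no prior access. The model below is an added illustration written for this page, not Collibra's code; the user names, the custom role `ROLE_SALES_DATA`, the dataset names, and the `DatasetStore` class are all constructed for the demonstration.

```python
# Added example: a model of the dataset-security rules described above.
# Illustrative code, not Collibra's implementation; all names are constructed.
from dataclasses import dataclass, field

ROLE_ADMIN = "ROLE_ADMIN"
ROLE_DATA_GOVERNANCE_MANAGER = "ROLE_DATA_GOVERNANCE_MANAGER"


@dataclass
class Settings:
    dataset_security: bool = True        # when False, every user can reach every dataset
    default_owner_access: bool = True    # the creator of a dataset keeps access to it


@dataclass
class Dataset:
    name: str
    owner: str                                   # user who created the dataset
    roles: set = field(default_factory=set)      # roles attached to this dataset
    business_units: set = field(default_factory=set)


class DatasetStore:
    """Constructed stand-in for the application's dataset and role bookkeeping."""

    def __init__(self, settings, user_roles):
        self.settings = settings
        self.user_roles = user_roles     # {user: {role, ...}}, constructed sample data
        self.datasets = {}
        self.known_units = set()         # business units an admin has created

    def roles_of(self, user):
        return self.user_roles.get(user, set())

    def can_access(self, user, ds):
        """Decision for see/edit/remove on a dataset or on its business units."""
        if not self.settings.dataset_security:
            return True
        if self.settings.default_owner_access and ds.owner == user:
            return True
        return bool(self.roles_of(user) & ds.roles)

    def create_dataset(self, user, name):
        # No dataset access is required to create one; the creator becomes owner.
        ds = Dataset(name=name, owner=user)
        self.datasets[name] = ds
        return ds

    def create_business_unit(self, user, unit):
        # The note above requires an admin; the roles table also lists
        # ROLE_DATA_GOVERNANCE_MANAGER as the role that manages business units.
        if not self.roles_of(user) & {ROLE_ADMIN, ROLE_DATA_GOVERNANCE_MANAGER}:
            raise PermissionError(f"{user} may not create business units")
        self.known_units.add(unit)

    def visible_datasets(self, user):
        return sorted(n for n, ds in self.datasets.items() if self.can_access(user, ds))

    def add_business_unit(self, user, name, unit):
        ds = self.datasets[name]
        if not self.can_access(user, ds):
            raise PermissionError(f"{user} has no role attached to {name}")
        if unit not in self.known_units:
            raise ValueError(f"business unit {unit!r} has not been created by an admin")
        ds.business_units.add(unit)

    def remove_dataset(self, user, name):
        if not self.can_access(user, self.datasets[name]):
            raise PermissionError(f"{user} may not remove {name}")
        del self.datasets[name]


def demo():
    """Walk through the scenario from the text with constructed users and roles."""
    store = DatasetStore(Settings(), {
        "admin": {ROLE_ADMIN},
        "analyst": {"ROLE_SALES_DATA"},   # custom role, constructed name
        "newcomer": set(),                # no role attached to any dataset
    })
    store.create_business_unit("admin", "Sales")
    sales = store.create_dataset("admin", "sales_orders")
    sales.roles.add("ROLE_SALES_DATA")    # role-to-dataset mapping done by an admin
    store.create_dataset("newcomer", "my_scratch")
    store.add_business_unit("newcomer", "my_scratch", "Sales")   # owner access suffices
    results = {
        "analyst_sees": store.visible_datasets("analyst"),
        "newcomer_sees": store.visible_datasets("newcomer"),
    }
    try:
        store.add_business_unit("newcomer", "sales_orders", "Sales")
        results["newcomer_edit_sales"] = "allowed"
    except PermissionError:
        results["newcomer_edit_sales"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The two flags in `Settings` are the switches the text names: with `dataset_security=False` every check short-circuits to allow, and `default_owner_access` is what lets the newcomer who created `my_scratch` keep working on it without any role mapping. Whether `ROLE_ADMIN` bypasses dataset security is not stated on this page and is deliberately not modelled.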
A unique feature of Collibra DQ is that it does not store information about external user accounts. This avoids the need to sync external users from an external user store such as AD into Collibra DQ. Instead, Collibra DQ maps the external group to an internal role. From there the ROLE can be mapped to the different functionality within Collibra DQ, whether that is Admin or User privileges, access to specific datasets, or future functionality. The other benefit is that when a specific user ID in the external user store is terminated and purged from that store (such as AD), the user immediately loses access to Collibra DQ's web application. This is because, when a user logs into a Collibra DQ web application backed by AD, the login interrogates AD to authenticate the user account. See the logical flow below for how the group-to-role mappings work.
RBAC Usages
Collibra DQ supports RBAC configuration with both core roles and custom roles. The following table shows the core roles of Collibra DQ's RBAC configuration:
| Role | Access Description |
|---|---|
| ROLE_ADMIN | Allows you to modify any access, config settings, connections, and role delegation. |
| ROLE_DATA_GOVERNANCE_MANAGER | Allows you to manage (create / update / delete) Business Units and Data Categories. |
| ROLE_USER_MANAGER | Allows you to create or modify users and add users to roles. |
| ROLE_OWL_ROLE_MANAGER | Allows you to create roles and edit role mappings to users, AD groups, and datasets. |
| ROLE_CONNECTION_MANAGER | Allows you to add, edit, and delete connections. |
| ROLE_DATASET_MANAGER | Allows you to create or modify dataset-to-role mappings and mask dataset columns. |
| ROLE_OWL_CHECK | This is the only role that can run DQ scans when DQ Job Security is enabled. |
| ROLE_DATA_PREVIEW | This is the only role that can view source data if Data_Preview security is enabled. |
| ROLE_DATASET_TRAIN | This is the only role that can train datasets if Dataset_Train security is enabled. |
| ROLE_DATASET_RULES | This is the only role that can add / edit / delete rules if Dataset_Rules security is enabled. |
| ROLE_VIEW_DATA | Controls which users can access the DQ SQL editor to run SQL against the database. |
| ROLE_PUBLIC | Public: access to scorecards, no dataset access when dataset security is enabled. |
| ROLE_GENAI_USER | Allows you to use the SQL assistant for data quality for automated SQL rule writing and troubleshooting. |
| ROLE_USER | Do not use. |
| ROLE_SETUP | Do not use. |
Custom roles can be added via the Role Management page by navigating to the Admin Console and clicking the Roles icon. Custom roles can also be added 'on the fly' during the Active Directory Role Mapping step.
It is these custom roles that determine which users have access to datasets (including profile, rules, data preview, and scoring) and database connections.
Additional information regarding setting up Dataset and Connection security can be found in those documents respectively.
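The group-to-role flow described earlier on this page, and the way the core roles in the table gate specific operations when the matching security switch is on, can be shown together in one small login-and-authorize model. The code below is an added example written for this page, not Collibra's implementation: the `FakeDirectory` class stands in for AD, and its users, passwords, and group names, as well as the `RoleMapper` class and the `SecurityFlags` switches, are constructed. The only thing the application side stores is the group-to-role map, which is what makes revocation in the directory take effect at the next login with nothing to purge locally.

```python
# Added example: external group -> internal role mapping at login, plus the
# security switches gated by core roles. Illustrative, not Collibra's code;
# directory contents, group names and custom role names are constructed.
from dataclasses import dataclass

ROLE_ADMIN = "ROLE_ADMIN"
ROLE_OWL_CHECK = "ROLE_OWL_CHECK"
ROLE_DATA_PREVIEW = "ROLE_DATA_PREVIEW"
ROLE_DATASET_RULES = "ROLE_DATASET_RULES"


class FakeDirectory:
    """Constructed stand-in for AD/LDAP: the only place user accounts live."""

    def __init__(self, entries):
        self._entries = dict(entries)    # user -> {"password": ..., "groups": [...]}

    def authenticate(self, user, password):
        """Return the user's groups, or None if the bind fails or the user is gone."""
        entry = self._entries.get(user)
        if entry is None or entry["password"] != password:
            return None
        return set(entry["groups"])

    def purge(self, user):
        """Offboarding happens here, in the directory, not in the application."""
        self._entries.pop(user, None)


class RoleMapper:
    """Application side: stores group->role mappings only, never user records."""

    def __init__(self, directory, group_to_roles):
        self.directory = directory
        self.group_to_roles = group_to_roles

    def login(self, user, password):
        """Interrogate the directory, then derive roles from the returned groups."""
        groups = self.directory.authenticate(user, password)
        if groups is None:
            return None                  # no local account exists to fall back on
        roles = set()
        for group in groups:
            roles |= self.group_to_roles.get(group, set())
        return roles                     # may be empty: authenticated but unmapped


@dataclass
class SecurityFlags:
    job_security: bool = True            # "DQ Job Security" in the roles table
    data_preview: bool = True            # "Data_Preview security"
    dataset_rules: bool = True           # "Dataset_Rules security"


# Each gate reads the same way as the table: when the switch is on, only the
# named role may perform the action; when it is off, the role is not required.
def can_run_scan(roles, flags):
    return (not flags.job_security) or ROLE_OWL_CHECK in roles


def can_preview_data(roles, flags):
    return (not flags.data_preview) or ROLE_DATA_PREVIEW in roles


def can_edit_rules(roles, flags):
    return (not flags.dataset_rules) or ROLE_DATASET_RULES in roles


def demo():
    """Login, authorize, then purge a user in the directory and log in again."""
    directory = FakeDirectory({
        "alice": {"password": "pw-a", "groups": ["dq-admins", "dq-runners"]},
        "bob":   {"password": "pw-b", "groups": ["dq-runners"]},
        "carol": {"password": "pw-c", "groups": ["finance"]},   # unmapped group
    })
    mapper = RoleMapper(directory, {
        "dq-admins":  {ROLE_ADMIN, ROLE_DATA_PREVIEW},
        "dq-runners": {ROLE_OWL_CHECK, "ROLE_SALES_DATA"},     # custom role, constructed
    })
    flags = SecurityFlags()
    bob_roles = mapper.login("bob", "pw-b")
    results = {
        "alice_roles": sorted(mapper.login("alice", "pw-a")),
        "bob_can_scan": can_run_scan(bob_roles, flags),
        "bob_can_preview": can_preview_data(bob_roles, flags),
        "carol_roles": sorted(mapper.login("carol", "pw-c")),
        "bad_password": mapper.login("bob", "wrong"),
    }
    directory.purge("bob")               # account removed from AD, nothing synced to DQ
    results["bob_after_purge"] = mapper.login("bob", "pw-b")
    return results


if __name__ == "__main__":
    print(demo())
```

Note the asymmetry the page relies on: `carol` authenticates but lands with no roles because her group is not mapped, whereas `bob` after the purge does not authenticate at all, and the application needed no cleanup step for either case.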