Setting up Control Tower involves enabling the product, configuring access permissions, and assigning resource roles so that users can build and run control queries. Before you begin, review the relevant permissions. For a list of global permissions and resource permissions, go to Control Tower permissions.
Before you begin
- The latest Collibra user interface is enabled for your Collibra environment. Control Tower only works in conjunction with the latest Collibra user interface.
- The knowledge graph database is available for your Collibra environment. If it isn't, you can't enable Control Tower. In this case, contact Collibra Support.
1 Enable Control Tower
On the main toolbar, if you click
and
Control Tower is shown in the list of apps, then it is already enabled and you can skip this step.
Prerequisites
- You have a global role with the Product Rights > System administration global permission. The out-of-the-box AI Governance Admin global role has this permission.
Steps
- In
Settings, click Control Tower. - Switch on Enable Control Tower.
Control Tower is enabled.
Important If the knowledge graph database is not available for your Collibra environment, you can't switch on the Enable Control Tower setting. In this case, contact Collibra Support.
2 Add the Product Rights global permission to a global role
The Product Rights > Control Tower global permission allows users to access the Control Tower product pages. However, it is only configured for the Sysadmin global role. There are no out-of-the-box Control Tower-related global roles that allow you to convey the permission to non-administrators.
Therefore, we recommend that you add the Product Rights > Control Tower global permission to an existing out-of-the-box or custom global role that you can then assign to the users or user groups that will access the Control Tower product pages.
Alternatively, you can create a new global role and add the global permission to that role.
Prerequisites
- You have a global role with the Product Rights > System administration global permission.
Steps
- On the main toolbar, click → Settings.
The Settings page opens. - Click Roles and Permissions.
The roles and permissions settings appear on the Global Roles tab page. - In the tab pane, click Global Permissions.
The matrix of global permissions and roles appears. - If required, add the relevant global role, for example Policy Manager, to the matrix:
- On the content toolbar, click
and select the global role.
- On the content toolbar, click
- Above the table, to the right, click Edit.
You can now edit the matrix of permissions and roles.
- Scroll down to the Product Rights > Control Tower permission, and select the checkbox for relevant global role.
- Above the table, to the right, click Save.
3 Assign the global role to Control Tower users
Once the Product Rights > Control Tower global permission is assigned to a global role, you can assign that role to Control Tower users.
Prerequisites
- You have a global role with the Product Rights > System administration global permission.
Steps
- In Settings, click Roles and permissions.
- In the row of the global role to which you assigned the Product Rights > Control Tower permission, double-click
in the Members column.
The Update Members dialog box appears. - Click in the field, start typing and select the users and user groups that you want to assign.
- Click Update.
4 Assign Control Manager resource role for the Managed Control domain
The Control Manager resource role has the Asset > Control > Activate and Run permission, which allows users to build and enable control queries. Therefore, you need to assign the Control Manager resource role to any domain in which Managed Control assets will be stored. Alternatively, you can assign the Control Manager resource role at the community level.
Control Tower comes with the Managed Control domain, which is intended as a register for your Managed Control assets. We recommend that you assign the resource role on this domain or its parent community Data Governance Council.
Prerequisites
- You have a global role with at least the Resources > Manage all resources global permission.
- Alternatively, you have a resource role with a Community or Domain > Responsibilities > Add resource permissions for the relevant community or domain.
Steps
- Open the community or domain to which you want to assign a Control Manager.
- In the tab bar, click
Responsibilities. - In the Responsibilities section, click + Add responsibility.
- Enter the required information:
- Role: Start typing and select Control Manager.
- People: Enter the users or user groups who will act as Control Managers for the community or domain.
- Click Add.
Important If you want to import controls, you need to assign a resource role with the Asset > Add resource permission on the Managed Controls domain, which is the domain to which controls are imported.
5 Add the Failed controls widget to relevant asset page layouts
When a control query identifies non-compliant assets, the name of the associated Managed Control asset is shown on the asset page of the failed asset. This visibility is enabled by the Failed controls widget, which must be manually added to the asset page layout of all relevant asset types by an administrator.
For example, if you want to create controls that ensure reports comply to certain control criteria, you need to manually add the Failed controls widget to the Reports asset page layout.
Prerequisites
- You have a global role with the Product Rights > System administration global permission.
Steps
- In Settings, click Operating Model.
- Search for and click on a relevant target asset type.
- In the tab pane, expand the relevant assignment, and then click Characteristics.
- Click Edit layout.
The Edit layout page opens. - Drag the Failed controls widget from the left pane to the layout. You can position it anywhere you want.
- Click Publish.
Users can now start creating controls and building control queries.