How access controls sync

In Data Access, access controls are independent of the specific technical implementation that enforces them in your underlying data sources. To keep your rules consistent, Data Access supports a bidirectional flow for access controls: it pulls from data sources (inbound) and pushes to data sources (outbound). However, each access control synchronizes in only one direction, depending on whether you manage it in the data source or in Collibra.

Source of an access control

Every access control has a Managed in field, which defines the source of truth. This field indicates which system owns the access control (that is, the data source or Data Access) and, consequently, determines the direction of data flow to prevent permissions from being unintentionally overwritten.

Managed in data source (inbound)

If the Managed in field in an access control is Data Source, the synchronization direction is inbound, that is, from the data source to Data Access. An inbound direction indicates that the access control already existed in your data source and was imported into Data Access during data source synchronization. During subsequent synchronizations, Data Access pulls any changes made to the access control in the data source, which ensures alignment between both systems.

An inbound direction gives you immediate visibility into your current setup, and it does not require you to recreate access controls in Data Access. You can see who has access to what directly in Data Access. We recommend inbound direction for access controls that administrators or specific service accounts use and that you simply want to set and forget.

Managed in Collibra (outbound)

If the Managed in field in an access control is Collibra, the synchronization direction is outbound, that is, from Data Access to the data source. An outbound direction indicates that the access control was either created directly in Data Access or initially imported from the data source but later edited in Data Access.

When the direction is outbound, Data Access pushes any access control that you create or edit in Data Access to the data source. You do not need to manually start the synchronization or wait for the next scheduled synchronization for your changes to be applied to the data source. However, Data Access no longer pulls any further changes made to the access control in the data source, which ensures that your Collibra-defined rules remain intact.

With an outbound direction, you can manage access from a single place, which ensures that your data source always reflects the most current access control. We recommend outbound direction for access controls that support self-service access.
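Because Data Access stops pulling source-side changes for outbound access controls, a periodic comparison of the definition held in Data Access against the grants actually present in the data source is a useful check. The following is an added example, not Collibra code: the record shape, field names, and finding labels are hypothetical, the sample data is constructed, and no Collibra API is called.

```python
from dataclasses import dataclass, field

@dataclass
class AccessControl:
    # Hypothetical record shape for this example; not a Collibra API object.
    name: str
    managed_in: str                             # "Data Source" or "Collibra"
    defined: set = field(default_factory=set)   # (identity, object, permission) in Data Access
    observed: set = field(default_factory=set)  # same tuples as read from the data source

def sync_direction(ac):
    """Map the Managed in value to the direction described on this page."""
    if ac.managed_in == "Data Source":
        return "inbound"
    if ac.managed_in == "Collibra":
        return "outbound"
    raise ValueError(f"unknown Managed in value: {ac.managed_in!r}")

def audit(controls):
    """Return (name, finding, grants) for grants that differ between the systems."""
    findings = []
    for ac in controls:
        direction = sync_direction(ac)
        extra = ac.observed - ac.defined      # present only in the data source
        missing = ac.defined - ac.observed    # present only in Data Access
        if direction == "inbound":
            # The data source owns the control; the next synchronization pulls the change.
            if extra or missing:
                findings.append((ac.name, "pending-pull", sorted(extra | missing)))
        else:
            # Outbound: source-side changes are no longer pulled, so surface them for review.
            if extra:
                findings.append((ac.name, "out-of-band-grant", sorted(extra)))
            if missing:
                findings.append((ac.name, "not-applied", sorted(missing)))
    return findings

# Constructed sample data.
SAMPLE = [
    AccessControl("svc_etl_role", "Data Source",
                  defined={("svc_etl", "raw.orders", "SELECT")},
                  observed={("svc_etl", "raw.orders", "SELECT"), ("svc_etl", "raw.orders", "INSERT")}),
    AccessControl("sales_read", "Collibra",
                  defined={("alice", "sales.deals", "SELECT")},
                  observed={("alice", "sales.deals", "SELECT"), ("carol", "sales.deals", "SELECT")}),
    AccessControl("finance_read", "Collibra",
                  defined={("bob", "fin.ledger", "SELECT")},
                  observed={("bob", "fin.ledger", "SELECT")}),
]
```

In this sample, `audit(SAMPLE)` reports the extra `INSERT` on the inbound control as a pending pull and the extra identity on the outbound `sales_read` control as an out-of-band grant; `finance_read` matches and produces no finding.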

Partially managed in Collibra

This is a hybrid state in which you apply locking to specific parts of an access control. The Managed in field remains Collibra, but the access control is partially managed in Data Access and partially managed in the data source. You can edit the locked parts only through the API.

We recommend the hybrid state for DevOps teams who want to manage access as code (for example, through Terraform). It allows your pipelines to securely manage the What component (data objects and permissions) through the API, while business owners can still manage the Who component (the identities that receive access) directly in the Data Access user interface. The hybrid state benefits from versioning, peer reviews, and CI/CD integration, while leaving identity permissions to business stakeholders.

Note: The exact synchronization behavior depends on the data source type, such as whether it uses a Role-Based Access Control (RBAC) model or an Access Control List (ACL) model.

Outcome of editing an imported access control

When you edit an imported access control:

Sync status of an access control

An access control can have one of the following synchronization statuses.

Synchronization status | Description
Synced | The access control is synchronized with the data source. Data Access applies your changes to the data source.
Out of sync | The access control is edited in Data Access and will automatically synchronize with the data source. This is a temporary status that leads to either Synced or Sync error.
Not connected | The access control is created in Data Access and will automatically synchronize with the data source. This is a temporary status that leads to either Synced or Sync error.
Sync error | The last attempt to synchronize the access control with the data source failed. The Issues tab of the access control shows the error details.