Create or edit roles

Note Roles in Data Access are not the same as global or resource roles.

In Data Access, a role is a type of access control that grants identities specific access on data objects.

You can create a new role to define which identities receive specific permissions on your selected data objects.

You can also edit a role that was imported into Data Access. Editing an imported access control internalizes it: the value in the Managed in field in the Details sidebar changes from Data source to Collibra, and Data Access becomes the place where the access control is managed. As a result, any further changes made to the access control directly in the data source are overwritten by Data Access.

Prerequisites

Steps

  1. On the Data Access landing page, click ACCESS CONTROLS > Roles.
  2. Do one of the following:
    • To create a role: Click Create role. On the Create role page, enter the information, and then click Create.
    • To edit a role: Click the name of the role and click Edit. Edit the information, and then click Save or Internalize & Save (shown when you edit an imported role).

Result

Field reference

Use this section to guide you when you create or edit a role.

General

In the General section, specify the basic properties of the role.

Field Description
Name

A unique display name for the role, for example, Finance Read.

Tip The technical name of an access control is used to generate the name of the corresponding access control in the underlying data source. By default, the technical name matches the display name. To specify a different technical name, use the Advanced option. This option applies only to data sources that use named entities to represent access controls. If you change the name in the Name field after generating a technical name, the corresponding access control in the underlying data source is renamed during the next synchronization.
Description

A brief explanation of the role's purpose, for example, Read-only access for Finance team.

Access granted on

Specify the data objects on which you want to grant access. You can also specify other roles, column masks, and row filters. If the role was already created, on the role page, click Edit and complete the following steps.

  1. In the Access granted on section, click Add.
  2. In the Data source dialog box, select the data source for the role and click Continue.
  3. In the Add access on dialog box, select one of the following options.
    Option Description
    Data objects

    Grants your role's beneficiaries specific access on the data objects you select.

    Roles

    Inherits access from the other roles you select. By selecting another role, you allow your role's beneficiaries to inherit the access provided by the other role.

    Masks

    Creates a local exception for the column masks you select. A column mask masks data in specific columns for everyone except its beneficiaries, who see unmasked data. By selecting a column mask, you allow your role's beneficiaries to bypass the mask and see unmasked data—but in only those columns that belong to the tables on which your role grants access.

    Filters

    Links your role to the row filters you select. A row filter hides rows from a specific table or view from everyone except its beneficiaries, who see rows that match specific criteria. By selecting a row filter, you allow your role's beneficiaries to see the same filtered rows.

    Tip Adding other access controls to your role is how you build inheritance, wherein your role automatically inherits the permissions and exceptions of the other access controls.
  4. Click Continue and select one or more data objects, roles, column masks, or row filters.
  5. Click Add.
    Note The default permission group (access) for the selected data objects is Read, and the default end date for the selected access controls is Unlimited. The end date indicates when access is officially revoked.
  6. To check or edit the permissions for the data objects:
    1. In the What access is granted section, double-click the current value in the Permissions column.
      The Edit permissions dialog box appears. The underlying permissions for each permission group (Read, Write, and Admin) are indicated by checkboxes. The permissions and their descriptions vary by data source.
    2. To grant additional permissions within a permission group, select the corresponding checkboxes.
    3. To grant other permission groups such as Write or Admin, click the corresponding tabs. Clicking a selected tab again clears that permission group entirely.
  7. To change the end date for the access controls:
    1. In the What access is granted section, double-click the current value in the End date column.
    2. In the Edit end date on dialog box, select the new end date and click Apply.
Tip Click Show all to see all the data objects on which your role grants access, including those inherited from any other roles you added in the Access granted on section.

Access granted to

Specify the identities to whom you want to grant access. You can also specify groups and other roles. If the role was already created, on the role page, click Edit and complete the following steps.

  1. In the Access granted to section, click Add.
  2. In the Add access to dialog box, select one of the following options, and then click Continue.
    Option Description
    Identities

    Grants the identities you select access to the data objects.

    Groups

    Grants all the identities within the groups you select access to the data objects.

    Roles

    Grants all the beneficiaries of the other roles you select access to the data objects.
  3. Select one or more identities, groups, or roles. If you previously selected Dynamic rule, in the Dynamic rule dialog box, enter the required information.
  4. Click Continue.
  5. In the Select an access type dialog box, select one of the following options. The access type applies only to identities, groups, and dynamic rules.
    OptionDescription
    Granted

    Identities receive access immediately and keep it until the end date, which is set to Unlimited by default.

    On request

    Identities must request access when they need it. Each request is granted immediately, but only for the duration set in the Grant access for field, which is 14 days by default. Identities can request access again, as often as needed, until the end date, which is set to Unlimited by default. Each new request grants access for the configured duration from that moment; time from earlier requests does not accumulate. On the end date, the access is revoked and the identity can no longer request it.

  6. Click Add.
  7. To change the end date (which indicates when access is revoked) for the identities, groups, or roles that you selected:
    1. In the Who has access section, double-click the current value in the Expires at column.
    2. In the Edit end date on dialog box, select the new end date, and then click Apply.
Tip Remember to save your changes.
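The Access granted on and Access granted to sections above describe several rules that interact: a role inherits the access of other roles, a mask exception only applies to columns of tables the role grants access on, beneficiaries arrive directly, through groups, or through other roles, and On request access is granted in non-accumulating windows that never outlive the end date. The following Python model, added here as an example and not Collibra's own code, makes those rules executable so you can check what a beneficiary effectively receives before you save a role. The roles, tables, identities and group memberships are constructed sample data; the resolution rules, including the assumption that tables inherited from other roles count when scoping a mask exception, are read off this page, not taken from a specification.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

UNLIMITED = None  # the "Unlimited" end date


def at(day):
    """Sample timestamps: day N of January 2024 (constructed for the example)."""
    return datetime(2024, 1, day)


@dataclass
class Role:
    name: str
    tables: dict = field(default_factory=dict)         # Access granted on: table -> {"Read", "Write", "Admin"}
    inherits: list = field(default_factory=list)       # Access granted on > Roles: roles this role inherits from
    mask_exceptions: set = field(default_factory=set)  # Access granted on > Masks: (table, column) pairs
    identities: set = field(default_factory=set)       # Access granted to > Identities
    groups: set = field(default_factory=set)           # Access granted to > Groups
    beneficiary_roles: list = field(default_factory=list)  # Access granted to > Roles


def effective_tables(role_name, roles, seen=None):
    """Permission groups per table, merged with everything inherited from other roles."""
    seen = set() if seen is None else seen
    if role_name in seen:  # roles that inherit from each other must not recurse forever
        return {}
    seen.add(role_name)
    result = {table: set(groups) for table, groups in roles[role_name].tables.items()}
    for parent in roles[role_name].inherits:
        for table, groups in effective_tables(parent, roles, seen).items():
            result.setdefault(table, set()).update(groups)
    return result


def effective_unmasked(role_name, roles):
    """Mask exceptions count only for columns of tables the role grants access on
    (assumption: tables inherited from other roles count as well)."""
    tables = effective_tables(role_name, roles)
    return {(t, c) for (t, c) in roles[role_name].mask_exceptions if t in tables}


def beneficiaries(role_name, roles, group_members, seen=None):
    """Identities that receive the role directly, through a group, or through another role."""
    seen = set() if seen is None else seen
    if role_name in seen:
        return set()
    seen.add(role_name)
    role = roles[role_name]
    who = set(role.identities)
    for group in role.groups:
        who |= group_members.get(group, set())
    for other in role.beneficiary_roles:
        who |= beneficiaries(other, roles, group_members, seen)
    return who


@dataclass
class Grant:
    """One row of "Who has access": the access type and its time limits."""
    access_type: str                              # "granted" or "on_request"
    end_date: Optional[datetime] = UNLIMITED      # Expires at; Unlimited by default
    grant_for: timedelta = timedelta(days=14)     # "Grant access for"; 14 days by default
    window_end: Optional[datetime] = None         # end of the current on-request window

    def request(self, now):
        """On request: each request opens a fresh window of grant_for from now.
        Time does not accumulate, and nothing can be requested once the end date is reached."""
        if self.access_type != "on_request":
            raise ValueError("only on-request access is requested")
        if self.end_date is not UNLIMITED and now >= self.end_date:
            raise PermissionError("end date reached: access can no longer be requested")
        self.window_end = now + self.grant_for
        if self.end_date is not UNLIMITED:
            self.window_end = min(self.window_end, self.end_date)  # a window never outlives the end date
        return self.window_end

    def active(self, now):
        if self.end_date is not UNLIMITED and now >= self.end_date:
            return False  # revoked on the end date for both access types
        if self.access_type == "granted":
            return True
        return self.window_end is not None and now < self.window_end


# Constructed sample data: hypothetical tables, roles, identities and groups.
ROLES = {
    "Finance Read": Role("Finance Read", tables={"finance.ledger": {"Read"}},
                         identities={"alice"}, groups={"finance-analysts"}),
    "Finance Admin": Role("Finance Admin", tables={"finance.ledger": {"Read", "Write", "Admin"}},
                          inherits=["Finance Read"], identities={"bob"}),
    # Audit inherits Finance Read and selects two masks, but grants nothing on
    # hr.salaries, so the second mask exception has no effect.
    "Audit": Role("Audit", inherits=["Finance Read"],
                  mask_exceptions={("finance.ledger", "account_no"), ("hr.salaries", "amount")},
                  beneficiary_roles=["Finance Admin"]),
}
GROUPS = {"finance-analysts": {"carol", "dave"}}

if __name__ == "__main__":
    for name in ROLES:
        print(name, effective_tables(name, ROLES), effective_unmasked(name, ROLES),
              sorted(beneficiaries(name, ROLES, GROUPS)))
```

The model deliberately keeps the two directions of inheritance separate: `inherits` (Access granted on > Roles) widens what the role grants, while `beneficiary_roles` (Access granted to > Roles) widens who receives it. When reviewing a role, check both, since a single selection in either list can silently extend a mask exception or a Write permission to a large group.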

Related topics