Defining users, roles, and permissions
Effective data governance and efficient operation in Collibra rely on a well-structured framework of users, roles, and permissions. This framework determines who can access Collibra, what actions they can perform, and which data assets they can view or modify. It ensures both security and compliance. Collibra uses a standard role-based access control (RBAC) model to manage access, providing flexibility for various organizational needs, based on three interconnected concepts:
- Users: Individuals who interact with Collibra. Their access and actions are determined by their assigned roles and the permissions they inherit.
- Roles: Collections of permissions that define specific capabilities in Collibra. Assigning roles to users or groups simplifies the management of permissions and responsibilities.
- Permissions: Granular authorizations that grant access to specific applications, features, or the ability to view and edit particular resources, such as assets or workflows. Permissions are not assigned directly to users. Instead, users inherit permissions through their assigned roles.
Managing users
Collibra offers several methods for managing user accounts to suit different organizational structures and integration requirements. The Users and Subscriptions settings page serves as the central hub for managing user access.
Adding and managing users
You can manage users through the following methods:
- SCIM provisioning: Manage users and groups via your identity provider (IdP) using SCIM (System for Cross-domain Identity Management) for automated provisioning and de-provisioning.
- LDAP integration: Connect Collibra to your company LDAP server to import users and groups, synchronizing user data and group-related information. When LDAP is configured, authentication is handled directly by the LDAP server.
- Manually: Create individual user accounts directly in Collibra.
User statuses and types
Each user account has a status that determines whether they can sign in to Collibra. An enabled user contributes to the license count, while a disabled user does not.
The Collibra licensing model defines user types that correspond to different levels of access and capabilities:
- Viewer: Allows users to access and browse Collibra, view content, add comments and ratings, create collections, and start workflows. Viewer licenses are typically unlimited.
- Contributor: In addition to Viewer capabilities, a Contributor license allows users to perform a deeper exploration of Collibra, participate in workflows for data product improvement, provide feedback, update asset tags, and apply classification rules.
- Creator: Grants users full access to all available products and capabilities, often including platform administration, configuration, and customization.
Out-of-the-box user accounts
Collibra includes specific pre-configured user accounts:
- Admin Istrator: The default administrator account used for initial Collibra configuration. You can delete this account once there are other users with the Sysadmin global role.
- System user: A fixed user that performs system-level functions and triggers specific processes in Collibra. You cannot modify or delete this user.
- Workflow user: A fixed user responsible for actions triggered by workflows that are not directly a result of user tasks or synchronous scripts. You cannot modify or delete this user.
Defining roles
A role is a collection of permissions that can be assigned to users and user groups. Roles are crucial for structuring user capabilities and defining responsibilities within Collibra. The Roles and Permissions settings page allows you to view and edit roles and their associated permissions.
Types of roles
The type of role is based on their scope:
- Global roles: Apply across all Collibra applications and modules, controlling system-wide actions. You can manage global roles and their membership on the Roles and Permissions settings page.
- Resource roles: Apply to specific data assets or resources, controlling actions related to those particular items. You can view and edit resource roles on the Roles and Permissions settings page. However, you manage membership on individual resources.
Role management
You manage roles to define the actions that users who are assigned that role can perform. This includes viewing and editing existing role permissions and managing their membership by adding or removing users and groups.
Granting permissions
Permissions are the granular authorizations that dictate what a user can see or do in Collibra. They are the basis of access control and are always inherited through roles, never assigned directly to individual users.
Understanding permissions
A permission authorizes access to a specific application or feature or allows users to view or edit a particular resource such as an asset, workflow, or data quality rule. Collibra provides a set of predefined permissions included in default roles, serving as a starting point for managing access control.
Types of permissions
Permissions are classified into two types, similar to roles:
- Global permissions: Apply broadly across all of Collibra.
- Resource permissions: Apply to specific resources or data assets.
Permission and license interdependence
Permissions directly influence the license type a user occupies. Collibra has several types of permissions, each requiring a specific license type: Viewer, Contributor, Creator. For example, the Product Rights > Catalog global permission requires a Viewer license or higher and
Note You cannot add new permissions, delete existing ones, or change the license they require.
Using groups for efficient management
Groups are logical collections of users, primarily used to simplify the assignment of roles and responsibilities. When a role is assigned to a group, all users in that group automatically inherit the role and the associated permissions.
Managing groups
Collibra offers the following distinct options for group management controlled by the Groups DGC managed Console configuration option:
- Manage groups through SCIM or LDAP: Configure SCIM or LDAP to manage groups externally. Collibra synchronizes group information with your IdP or LDAP server.
- Manage groups in Collibra: Create and assign users to groups directly in Collibra.
Out-of-the-box groups
Collibra includes several pre-configured groups:
- Everyone: Contains all users and is primarily used to manage view permissions across Collibra. This group is hidden.
- Users: Contains all users and can be used for actions affecting all users. This group is hidden.
- Data Custodians: Intended for users with the Data Custodian resource role for specific actions. However, users assigned the Data Custodian resource role are not automatically added to this group.
Collibra licensing model and usage moderation
The Collibra licensing model provides an in-depth approach to user and asset moderation, aligning platform usage with organizational and budgetary requirements.
Automatic license assignment
Collibra automatically calculates the required license type for each user; licenses are not assigned individually. A license type of a user is determined by the highest license required by any permission included in any role assigned to them, either directly or through group membership. For example, if a user holds a role with a permission that requires a Contributor license and another role with a permission that requires a Creator license, that user occupies a Creator seat.
Monitoring usage and allowance limits
The Seats and Assets settings pages help you monitor license and asset consumption against your contractual allowances. Collibra calculates consumption hourly and evaluates it weekly. You benefit from a 20% buffer to manage consumption without interruption to daily activities.
Exceeding 120% of the allowed usage for more than nine consecutive weeks triggers limitations on user or asset management. These limitations are automatically removed once usage falls below the 120% threshold for one week. In exceptional cases where usage cannot be normalized by available administrators, contact your Collibra Account Team.
Best practices for user, role, and permission management
To maintain a secure and efficient Collibra environment:
- Apply the principle of least privilege: Grant users only the minimum permissions necessary to perform their tasks.
- Leverage groups: Use groups to simplify role assignments and manage access for multiple users efficiently.
- Conduct regular reviews: Periodically review and audit user accounts, roles, and permissions to ensure they remain appropriate and align with current organizational needs and security policies.