Roles & Permissions

Managing access through roles and rights.

The Data Mesh Manager implements role-based access control (RBAC).

An organization is a logical unit (tenant) that covers the data mesh of a company. To implement different environments, e.g. development and production, we recommend creating a separate organization for each environment.

The Data Mesh Manager offers the following roles for all users that are part of an organization:

Organization Roles

A user can be assigned to one or more organizations. A user is either a member or an owner of an organization.

Organization Member (Basic Role)
- can view data products, data contracts, and policies
- can request access for themselves
Organization Owner (Admin Role)
- can view, create, edit, and delete everything
- can edit organization members (invite new members, remove members, change roles)
- can create and delete domains and teams
- can create API keys that have the same rights as an organization owner
- can create API keys that have the same rights as a team owner

Team Roles

An Organization Member or Organization Owner can be assigned to one or more domains or teams. Resources (data products, data contracts, definitions, ...) are owned by domains and teams.

A team member has one of the following roles:

Owner
Approver
Editor
Member
Steward

Each of these roles has different permissions for resources owned by the team:

Permissions	Owner	Approver	Editor	Member	Steward
Can edit team members	✅
Can create subteam	✅
Can edit owned data resources	✅	✅	✅
Can request access (as consumer)	✅	✅	✅	✅
Can edit requested access (as consumer)	✅	✅	✅		✅
Can approve access and edit (as provider)	✅	✅			✅

Roles are inherited along the domain & team hierarchy. For example, a user who is Owner of a domain is also Owner of all teams within that domain.

There is a special case with the Team "Governance Group". This group owns by convention all policies. That's why members with the role "Editor", "Approver", or "Owner" can edit the policies.