Roles & Permissions
Enterprise EditionManaging access through roles and rights.
The Data Mesh Manager implements role-based access control (RBAC).
An organization is a logical unit (tenant) that covers the data mesh of a company. You can have multiple organizations in a Data Mesh Manager instance, and use it to separate different environments, e.g. development and production.
The Data Mesh Manager offers the following roles for all users that are part of an organization:
Organization Roles
A user can be assigned to one or more organizations. A user is either a member or an owner of an organization.
- Organization Member (Basic Role)
- can view data products, data contracts, and policies
- can request access for themselves
- Organization Owner (Admin Role)
- can view, create, edit, and delete everything
- can edit organization members (invite new members, remove members, change roles)
- can create and delete domains and teams
- can create API keys that have the same rights as an organization owner
- can create API keys that have the same rights as a team owner
Team Roles
An Organization Member or Organization Owner can be assigned to one or more domains or teams. Resources (data products, data contracts, definitions, ...) are owned by domains and teams.
A team member has one role.
Here's a list of the default roles:
- Owner
- Approver
- Editor
- Member
- Steward
Each of these default roles has different permissions for resources owned by the team:
| Permissions | Owner | Approver | Editor | Member | Steward |
|---|---|---|---|---|---|
| Can edit team members | ✅ | ||||
| Can create subteam | ✅ | ||||
| Can edit owned data resources | ✅ | ✅ | ✅ | ||
| Can request access (as consumer) | ✅ | ✅ | ✅ | ✅ | |
| Can edit requested access (as consumer) | ✅ | ✅ | ✅ | ✅ | |
| Can approve access and edit (as provider) | ✅ | ✅ | ✅ |
Roles are inherited along the domain & team hierarchy. For example, a user who is Owner of a domain is also Owner of all teams within that domain.
There is a special case with the Team "Governance Group". This group owns by convention all policies. That's why members with the role "Editor", "Approver", or "Owner" can edit the policies.
Custom Team Roles
You can create custom roles based on the supported permissions in the organization "Settings" under "Permissions & Roles".
Permissions
The Data Mesh Manager supports a list of permissions.
Resource Permissions
- RESOURCES_ADD: Can add data resources (data products, data contracts, business definitions, tags) for their team. If change process is enabled, the user can add the resource directly without approval.
- RESOURCES_EDIT: Can edit owned data resources (data products, data contracts, business definitions, tags). If change process is enabled, the user can edit the resource directly without approval.
- RESOURCES_DELETE: Can delete owned data resources (data products, data contracts, business definitions, tags). If change process is enabled, the user can delete the resource directly without approval.
Change Request Permissions
- CHANGE_REQUEST_SUBMIT: If change process is enabled: Can submit change requests for data resources (data products, data contracts, business definitions, tags).
- CHANGE_REQUEST_APPROVE: If change process is enabled: Can approve change requests (not their own).
Access Permissions
- ACCESS_ADD: Can add access to a data product output port without request and approval workflow.
- ACCESS_EDIT: Can edit existing access agreements. When access has been approved, only the provider can edit the access.
- ACCESS_DELETE: Can delete existing access immediately.
- ACCESS_REQUEST: Can request access (as consumer).
- ACCESS_APPROVE: Can approve access requests.
- ACCESS_TERMINATE: Can terminate access agreements as provider or consumer.
Team Permissions
- TEAM_ADD: Can create subteam.
- TEAM_EDIT: Can edit its own team. Does not include editing team members.
- TEAM_DELETE: Can delete its own team.
- TEAM_MEMBER_ADD: Can add team members.
- TEAM_MEMBER_EDIT: Can edit team members and their roles.
- TEAM_MEMBER_DELETE: Can remove team members from the team.