2021.10
Role Based Access Control (RBAC)
A high-level view of Owl's security architecture is depicted below.
Whether you use a local user store, Active Directory, or the out-of-the-box user accounts that ship with Owl via LDIF, the security model is the same: an admin can create many roles; a user, whether a local, LDIF, or AD user, can belong to one or many roles; and a role maps to one or more datasets within Owl.
A distinctive feature of Owl is that it stores no information about external user accounts, so there is no need to sync users from an external store such as AD into Owl. Instead, Owl maps the external group to an internal role, and the role is then mapped to functionality within Owl: whether its members are Admins or Users, which datasets they can access, and future functionality. A further benefit is that when a user is terminated and purged from the external store such as AD, that user loses access to Owl's web application as of their next login attempt, because an Owl instance backed by AD interrogates AD to authenticate the account on every login and holds no local copy of the account to fall back on. The logical flow below shows how group-to-role mappings work.

RBAC Usages

Owl supports RBAC configuration with both core roles and custom roles. The core roles and the access each grants are:

| Role | Access Description |
| --- | --- |
| ROLE ADMIN | Modify any access, config settings, connections, role delegation |
| ROLE DATA GOVERNANCE MANAGER | Manage (create / update / delete) Business Units and Data Concepts |
| ROLE USER MANAGER | Create / modify users, add users to roles |
| ROLE OWL ROLE MANAGER | Create roles, edit role mappings to users / AD groups / datasets |
| ROLE DATASET MANAGER | Create / modify dataset-to-role mappings, masking of dataset columns |
| ROLE OWL CHECK | Only role that can run DQ scans if Owlcheck security is enabled |
| ROLE DATA PREVIEW | Only role that can view source data if data preview security is enabled |
| ROLE DATASET TRAIN | Only role that can train datasets if dataset train security is enabled |
| ROLE DATASET RULES | Only role that can add / edit / delete rules if dataset rules security is enabled |
| ROLE PUBLIC | Access to scorecards; no dataset access when dataset security is enabled |
Custom roles can be added via the Role Management page (open the Admin Console and click the Roles icon), or 'on the fly' during the Active Directory Role Mapping step.
It is these custom roles that determine which users have access to datasets (including profile, rules, data preview, and scoring) and to database connections.
Additional information on setting up Dataset and Connection security can be found in the respective documents.
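The following is an added, constructed model of the flow described in the architecture paragraph and the core-role table above: an external group maps to an internal role, the role maps to datasets and to the toggle-gated actions, and Owl keeps no record of the external account, so a purged user fails at the next login without any change to Owl's configuration. It is illustrative code, not Collibra DQ / Owl code; the directory entries, the group names, the custom role FINANCE_READERS, the dataset gl_transactions and the toggle field names are assumptions, and the core-role names are written as they appear in the table above.

```python
"""Model of the page's RBAC flow. Added, constructed example, not Owl code:
directory entries, group names, FINANCE_READERS, gl_transactions and the
toggle field names are assumptions made for the demonstration."""
from dataclasses import dataclass, replace

# Assumed external user store (stands in for Active Directory). Owl persists
# nothing from it; its role mappings only reference the group names.
EXTERNAL_DIRECTORY = {
    "alice": {"password": "alice-pw", "groups": {"CN=DQ-Admins"}},
    "bob":   {"password": "bob-pw",   "groups": {"CN=Finance-Analysts"}},
    "carol": {"password": "carol-pw", "groups": {"CN=Everyone"}},
}

# Action -> (config toggle, the only core role allowed once that toggle is on).
# With the toggle off, the action is open to anyone who can reach the dataset.
GATED_ACTIONS = {
    "run_dq_scan":  ("owlcheck_security",      "ROLE OWL CHECK"),
    "data_preview": ("data_preview_security",  "ROLE DATA PREVIEW"),
    "train":        ("dataset_train_security", "ROLE DATASET TRAIN"),
    "edit_rules":   ("dataset_rules_security", "ROLE DATASET RULES"),
}

@dataclass(frozen=True)
class OwlConfig:
    group_to_roles: dict      # external group name -> set of internal roles
    role_to_datasets: dict    # role -> set of datasets that role may access
    dataset_security: bool = False
    owlcheck_security: bool = False
    data_preview_security: bool = False
    dataset_train_security: bool = False
    dataset_rules_security: bool = False

def authenticate(directory, username, password):
    """Interrogate the external store at login. Returns the user's groups, or
    None when the account is missing or the password is wrong. Owl keeps no
    copy of the account, so a purged user fails right here."""
    entry = directory.get(username)
    if entry is None or entry["password"] != password:
        return None
    return set(entry["groups"])

def roles_for(config, groups):
    """Group-to-role mapping: union of the roles mapped to any of the groups."""
    roles = set()
    for group in groups:
        roles |= config.group_to_roles.get(group, set())
    return roles

def can_access_dataset(config, roles, dataset):
    """Dataset security off: any authenticated user reaches any dataset.
    On: one of the user's roles must be mapped to that dataset."""
    if not config.dataset_security:
        return True
    return any(dataset in config.role_to_datasets.get(r, set()) for r in roles)

def authorize(config, roles, action, dataset=None):
    """Scorecards are open to every role (ROLE PUBLIC included); dataset
    actions need dataset access; a gated action also needs its core role."""
    if action == "view_scorecards":
        return True
    if dataset is not None and not can_access_dataset(config, roles, dataset):
        return False
    if action in GATED_ACTIONS:
        toggle, required_role = GATED_ACTIONS[action]
        if getattr(config, toggle) and required_role not in roles:
            return False
    return True

def login_and_authorize(config, directory, username, password, action, dataset=None):
    """Full flow: authenticate externally, derive roles from groups, decide."""
    groups = authenticate(directory, username, password)
    if groups is None:
        return "denied: authentication failed"
    if authorize(config, roles_for(config, groups), action, dataset):
        return "allowed"
    return "denied: not authorized"

# Assumed mappings an admin would build on the Role Management page.
CONFIG = OwlConfig(
    group_to_roles={
        "CN=DQ-Admins":        {"ROLE ADMIN", "ROLE OWL CHECK", "FINANCE_READERS"},
        "CN=Finance-Analysts": {"FINANCE_READERS"},   # custom role
        "CN=Everyone":         {"ROLE PUBLIC"},
    },
    role_to_datasets={"FINANCE_READERS": {"gl_transactions"}},
    dataset_security=True,
    owlcheck_security=True,
)

def demo():
    """Walk through the cases the page describes; returns name -> outcome."""
    d = {user: dict(entry) for user, entry in EXTERNAL_DIRECTORY.items()}
    ds = "gl_transactions"
    out = {
        "bob_preview":   login_and_authorize(CONFIG, d, "bob", "bob-pw", "data_preview", ds),
        "bob_scan":      login_and_authorize(CONFIG, d, "bob", "bob-pw", "run_dq_scan", ds),
        "alice_scan":    login_and_authorize(CONFIG, d, "alice", "alice-pw", "run_dq_scan", ds),
        "carol_scores":  login_and_authorize(CONFIG, d, "carol", "carol-pw", "view_scorecards"),
        "carol_preview": login_and_authorize(CONFIG, d, "carol", "carol-pw", "data_preview", ds),
    }
    # Same mappings with Owlcheck security off: scans are no longer gated.
    relaxed = replace(CONFIG, owlcheck_security=False)
    out["bob_scan_gate_off"] = login_and_authorize(relaxed, d, "bob", "bob-pw", "run_dq_scan", ds)
    # Terminate bob in the directory only; CONFIG is untouched, yet his next
    # login fails because Owl holds no record of his account.
    del d["bob"]
    out["bob_after_purge"] = login_and_authorize(CONFIG, d, "bob", "bob-pw", "data_preview", ds)
    return out
```

Running `demo()` shows the two points worth checking when you configure this in practice: a gated action such as a DQ scan is open to every user with dataset access until its security toggle is switched on, and revocation in the external store takes effect at the user's next authentication, which is the only moment Owl consults the directory in this model.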