Users & Roles

The Users & Roles module in OvalEdge plays a critical role in enabling secure, role-based access and aligning user responsibilities with organizational data governance policies. It allows administrators to onboard users through manual or Single Sign-On (SSO) methods and assign them appropriate license types—Viewer or Author—based on their roles and responsibilities.

Each user is associated with one or more roles, which determine their access to metadata and data objects. Roles define the scope of actions users can perform, such as viewing metadata, modifying data assets, or managing governance responsibilities. By mapping users to roles and configuring role-based permissions, organizations can enforce data security and maintain control over platform activities.

In addition, teams can be created as collaborative units comprising Author-license users to support governance workflows and shared responsibilities. Governance roles, such as Owner, Steward, and Custodian, can be assigned to individual users or teams to maintain data quality, ensure stewardship, and exercise control across various data domains.

License Types

OvalEdge offers two primary user license types: Viewers and Authors. The assigned roles associated with each license type determine specific metadata and data permissions.

  1. Viewer License:

    • User Profile: Suitable for typical business users, like business analysts.

    • Permissions: Users with Viewer licenses can read, browse, and search curated metadata, enabling them to make decisions about their daily business activities.

    • Limitations: Viewers cannot access certain actions and sub-modules within OvalEdge.

  2. Author License:

    • User Profile: Suitable for management and administrative roles.

    • Responsibilities: Authors are primarily responsible for curating metadata and determining specific access levels for other users and roles within the organization.

    • Capabilities: Authors have broader permissions than Viewers, enabling them to perform various administrative tasks related to metadata and data governance.

Users

In OvalEdge, users have unique identities, typically represented by an email ID or a Single Sign-On ID. These users can be onboarded through Single Sign-On (SSO) Integration or Manual Sign-in processes. Each user in OvalEdge must have one of the offered license types, Author or Viewer. Additionally, users should be associated with at least one role.

Users in OvalEdge can have multiple roles, allowing for different permissions and access levels based on their assigned roles. It is important to note that only Author users can be assigned a Governance Role. The Governance Roles provide additional responsibilities and permissions related to data governance within the platform.

Roles

Many organizations have predefined roles to define the scope and responsibilities of individuals within those roles.

In OvalEdge, roles enable users to grant access to specific data objects with corresponding privileges, all defined by distinct metadata and data permissions. These roles include permissions that allow users to interact differently with various data objects. For instance, a role configured as a Viewer user license can provide read privileges to a user. In contrast, an Author license enables users to curate metadata for business objects and update data. Roles can be directly mapped to the IAM system for seamless integration.

Example: Tom and Maria, both assigned financial roles in OvalEdge, are granted read and write privileges on the customer table and vendor file. These roles allow them to access and modify data as needed. However, it is important to note that ownership and stewardship of the customer table, vendor file, and balance sheet report lie with Sophia and George.

Teams

In OvalEdge, a team is a collaborative unit allowing users to share platform responsibilities. Teams can be assigned to Governance Roles and included in workflows, streamlining collaborative efforts among team members. A user must have an author license to be part of a team at OvalEdge. Hence, users with a Viewer license cannot be part of an OvalEdge team. It is noteworthy that a team can include any number of author users.

Teams are instrumental in distributing responsibilities and are employed for social engagement as part of OvalEdge. Notably, a team's name always begins with the "#" symbol, providing a consistent and identifiable naming convention for teams in the platform.

Permissions in OvalEdge

Administrators must understand the roles and responsibilities essential to the data governance roadmap. This will aid users in efficiently setting up and managing users and roles.

Data permissions are allocated at the role level, allowing any user within the assigned role to execute that role's operations. For instance, if a role is designated to read data and write on metadata, all users assigned to that role possess these permissions.

Users can hold multiple roles, and they have access to objects from each role. When a user is part of two roles with different permissions, the most authoritative permissions take precedence.

  • For Metadata permissions, the hierarchy is meta-read, meta-write, and admin.

  • For Data permissions, the hierarchy is data-no access, data-preview, data-read, data-write, and admin.

For example, John has the "all analyst" role with meta-read and data-read permissions. Additionally, he is part of the "material analysis" role with meta-write and data-preview permissions. John retains the highest permission from each hierarchy, resulting in meta-write and data-read permissions.
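The precedence rule above, worked through in code. This is an added illustration and not OvalEdge's own code: the two hierarchies are exactly as the page lists them, while the Role type, the function names and the Viewer-license check are assumptions made for the example. It also shows the check a reviewer would want alongside the resolution: flagging roles that grant a Viewer-license user more than Metadata Read.

```python
# Added illustration, not OvalEdge's own code: resolving a user's effective
# permissions when several roles grant different levels. The hierarchies are
# the ones the page states; Role and the function names are assumptions.
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Lowest to highest, as listed on the page.
META_LEVELS = ["meta-read", "meta-write", "admin"]
DATA_LEVELS = ["data-no access", "data-preview", "data-read", "data-write", "admin"]


@dataclass(frozen=True)
class Role:
    name: str
    meta: str
    data: str

    def __post_init__(self) -> None:
        # Reject unknown levels early so a misspelled permission can never
        # silently resolve to something else.
        if self.meta not in META_LEVELS:
            raise ValueError(f"role {self.name!r}: unknown metadata permission {self.meta!r}")
        if self.data not in DATA_LEVELS:
            raise ValueError(f"role {self.name!r}: unknown data permission {self.data!r}")


def _highest(hierarchy: List[str], values: Iterable[str]) -> str:
    """Pick the most authoritative level: the one furthest along the hierarchy."""
    return max(values, key=hierarchy.index)


def effective_permissions(roles: Iterable[Role]) -> Tuple[str, str]:
    """Return the (metadata, data) levels a user holding all of `roles` ends up with.

    Each hierarchy is resolved independently, so the metadata level may come
    from one role and the data level from another.
    """
    roles = list(roles)
    if not roles:
        # The page says every user has at least one role (the default role is
        # assigned otherwise), so an empty set is a configuration error.
        raise ValueError("user has no roles; the default role should have been assigned")
    meta = _highest(META_LEVELS, (r.meta for r in roles))
    data = _highest(DATA_LEVELS, (r.data for r in roles))
    return meta, data


def license_violations(license_type: str, roles: Iterable[Role]) -> List[str]:
    """Names of roles a user of this license type should not hold.

    The page states Viewer-license users can only have Metadata Read, so any
    role granting more than that is flagged for an administrator to review.
    """
    if license_type != "Viewer":
        return []
    return [r.name for r in roles if r.meta != "meta-read"]


if __name__ == "__main__":
    # John's two roles, as described on the page.
    john = [
        Role("all analyst", "meta-read", "data-read"),
        Role("material analysis", "meta-write", "data-preview"),
    ]
    print(effective_permissions(john))         # ('meta-write', 'data-read')
    print(license_violations("Viewer", john))  # ['material analysis']
```

Resolving each hierarchy separately is what makes the "highest from each" rule work; a single combined ranking would wrongly let a strong data permission pull up the metadata level, or vice versa.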

Roles are granted specific Metadata and Data permissions depending on the type of User License.

Metadata Permissions

Each entry gives the symbol, the Metadata permission it stands for, and a description.

  • MR (Metadata - Read): Users with this permission can view the Metadata. Note: Users with a Viewer License type can only have Metadata Read permission.

  • MW (Metadata - Write): Users with this permission can view and edit the Metadata. Note: Users with an Author License type can have Metadata Write permission and can update the metadata in the Data Catalog.

Data Permissions

Each entry gives the symbol, the Data permission it stands for, and a description.

  • DN (Data - No Access): Users with this permission cannot view any Data. It restricts access to any form of Data.

  • DP (Data - Preview): Users with this permission can view sample data and profile statistics, but they cannot query the data. For example, users can only view data in the Data tab of Tables and see profiled information.

  • DR (Data - Read): Users with this permission can view sample data and profile statistics, query the data source system, and download the data. The Query Sheet module provides access to view and run certain types of queries (Select) and download the data.

  • DW (Data - Write): Users with this permission can view sample data and profile statistics, query and write to the data source system using the Query Sheet, and download the data. The Query Sheet module allows users to view and write queries for Insert, Update, or Delete operations on the data.

To manage users and roles in OvalEdge, navigate to Administration and select the Users & Roles module. Visit the Users tab at the top of the page. To change a user's role, click the edit icon in the Role column and select the desired role.

Although administrators can map users to roles within OvalEdge, it is more common to use Single Sign-On (SSO) to map users and roles, such as through Active Directory or LDAP. When OvalEdge is configured for SSO, administrators must establish rules for syncing OvalEdge roles with SSO roles.

An example rule might involve syncing all roles starting with the prefix "OE_" (OE underscore) or syncing all roles containing "OvalEdge". When a user logs into OvalEdge through SSO, the roles automatically sync with OvalEdge.

Integrating SSO with OvalEdge

Organizations can integrate their Single Sign-On (SSO) with OvalEdge to facilitate seamless access to metadata crawled into OvalEdge for users and groups. Authentication and Authorization can be managed entirely by SSO or in a hybrid approach where authentication is handled by SSO and authorization is managed within OvalEdge.

  1. Authentication and Authorization Options:

    1. ovaledge.extauth.authtype is set to Remote: Both Authentication and Authorization are handled by SSO.

    2. ovaledge.extauth.authtype defined as Hybrid: Authentication is done by SSO, and Authorization is managed within OvalEdge.

  2. Roles Mapping with SSO Groups:

    1. IAM teams can set up roles in OvalEdge that correspond to SSO Groups.

    2. If roles in OvalEdge match SSO Group names, users will be automatically mapped to those roles in OvalEdge.

  3. Default Role Assignment:

    1. If no role is assigned to a user, the default role configured in system settings (ovaledge.role.public) is assigned.

    2. This default role is also assigned if a user logs in without an associated role.

  4. SSO Configurations:

    1. saml.role.prefix: Removes any defined prefixes for roles in Active Directory when mapping them to OvalEdge roles.

    2. saml.role.suffix: Removes any defined suffixes for roles in Active Directory when mapping them to OvalEdge roles.

    3. ldap.allow.emptyemail: Allows the association of a dummy email address to users without an email ID in LDAP, so that they can log in.

  5. User Interface for Non-Administrator Users:

If a user other than a "Users & Roles Administrator" logs in:

  • Users Tab: Displays a list of all OvalEdge users with search, sort, and filter options.

  • Users & Roles Tab: Provides information on which roles are associated with each user and user details.
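The role-mapping steps above (sync rule, prefix/suffix stripping, matching against OvalEdge roles, fallback to the default role), plus the Remote/Hybrid distinction, worked through in code. This is an added illustration and not OvalEdge's own code: the setting keys are the ones the page names, while the stripping order, the shape of the sync rules, the `local_roles` handling for Hybrid mode and the function names are assumptions made for the example. The constructed settings and group names are sample data.

```python
# Added illustration, not OvalEdge's own code: turning the SSO group names
# presented at login into OvalEdge roles. Setting keys are from the page; the
# stripping order, sync-rule shapes and function names are assumptions.
from typing import Callable, Iterable, List, Optional, Set, Tuple

# Constructed settings, mirroring the keys the page documents.
SETTINGS = {
    "ovaledge.extauth.authtype": "Remote",  # SSO handles authentication and authorization
    "ovaledge.role.public": "PUBLIC",       # default role when nothing else maps
    "saml.role.prefix": "OE_",              # stripped from AD group names
    "saml.role.suffix": "_GRP",             # stripped from AD group names
}

# Constructed set of roles defined inside OvalEdge.
KNOWN_ROLES: Set[str] = {"PUBLIC", "FINANCE", "ALL_ANALYST"}


def make_sync_rule(starts_with: Optional[str] = None,
                   contains: Optional[str] = None) -> Callable[[str], bool]:
    """Build a rule of the kind the page describes: sync groups that start with
    a prefix, or that contain a substring. With neither set, every group syncs."""
    def rule(group: str) -> bool:
        if starts_with is not None and not group.startswith(starts_with):
            return False
        if contains is not None and contains not in group:
            return False
        return True
    return rule


def normalize_group(group: str, prefix: str, suffix: str) -> str:
    """Strip the configured prefix and suffix so a group name can be compared
    with an OvalEdge role name. Empty settings are a no-op (guarded, because
    name[:-0] would otherwise wipe the whole name)."""
    name = group.strip()
    if prefix and name.startswith(prefix):
        name = name[len(prefix):]
    if suffix and name.endswith(suffix):
        name = name[:-len(suffix)]
    return name


def roles_for_login(groups: Iterable[str], settings: dict, known_roles: Set[str],
                    sync_rule: Callable[[str], bool],
                    local_roles: Iterable[str] = ()) -> Tuple[Set[str], List[str]]:
    """Return (roles, unmapped) for a login.

    roles    - the OvalEdge roles to grant for this session
    unmapped - synced groups that matched no OvalEdge role; worth an
               administrator's review, since the user silently loses them
    In Hybrid mode authorization stays inside OvalEdge, so the roles assigned
    there (`local_roles`) are used and SSO groups are ignored (assumption).
    """
    default = settings["ovaledge.role.public"]
    if settings.get("ovaledge.extauth.authtype") != "Remote":
        roles = set(local_roles)
        return (roles or {default}), []
    prefix = settings.get("saml.role.prefix", "")
    suffix = settings.get("saml.role.suffix", "")
    roles, unmapped = set(), []
    for group in groups:
        if not sync_rule(group):
            continue  # outside the sync rule: not an OvalEdge group at all
        candidate = normalize_group(group, prefix, suffix)
        if candidate in known_roles:
            roles.add(candidate)
        else:
            unmapped.append(group)
    if not roles:
        roles.add(default)  # page: users without any role get ovaledge.role.public
    return roles, unmapped


if __name__ == "__main__":
    rule = make_sync_rule(starts_with="OE_")
    groups = ["OE_FINANCE_GRP", "OE_MARKETING_GRP", "HR_PAYROLL"]  # constructed
    print(roles_for_login(groups, SETTINGS, KNOWN_ROLES, rule))  # ({'FINANCE'}, ['OE_MARKETING_GRP'])
```

Returning the unmapped groups separately is the point of the example: a group that passes the sync rule but matches no OvalEdge role is usually a naming mismatch between the IAM team and the catalog, and the default role quietly masks it unless someone is told.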

Governance Roles & Responsibilities

Data governance can be complex and multifaceted, requiring the right team to support its implementation and ongoing organizational maintenance. Common roles include data owner, data steward, data custodian, data governance manager, data governance consultant, data governance engineer/administrator, data governance committee members, and various stakeholders such as data quality specialists and security engineers.

Note: Organizations can customize their Governance Roles in OvalEdge.

  • Data Owner: A data owner is a high-level executive with influence and control over the data. They oversee the business process of generating the data and understanding its meaning. While not directly involved in data maintenance, they represent business value at the committee level, guiding, prioritizing, and assisting in addressing issues.

  • Data Steward: Data stewards, often administrators or subject matter experts, understand the processes behind the data. They draw on their expertise in contributing and reading reports, supporting business practices, and monitoring data quality alerts. Data stewardship is usually performed alongside primary departmental responsibilities.

  • Data Custodian: Representing the IT side of data governance, data custodians handle technical responsibilities, including supporting terms definition, reporting changes to data repositories, and collaborating with data stewards on technical debt planning. They often come from the BI or data services team.

These governance roles can be assigned to an individual user of the author license type or a team. When a team is given a governance role, any team member can perform the required operation, such as approving a data quality issue. OvalEdge permits administrators to configure up to six governance roles, with three roles—steward, owner, and custodian—available by default. These roles' names, however, can be customized, for example, renaming a custodian to an expert.

To configure these roles, navigate to Administration on the left panel, select the Security module, and access the Governance Roles tab at the top of the screen. Users can configure the specific governance roles at the data catalog and business glossary level.
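The constraints stated for teams (name begins with "#", Author-license members only) and for governance roles (assignable to an Author user or a team, at most six roles, the three defaults renamable, any team member may act) modelled in code, so that an invalid assignment is rejected before it is applied. This is an added illustration and not OvalEdge's own code: the User, Team and GovernanceConfig types, the method names and the sample people are assumptions made for the example.

```python
# Added illustration, not OvalEdge's own code: encoding the team and
# governance-role rules the page states as checks. Types, method names and
# sample people are assumptions for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

MAX_GOVERNANCE_ROLES = 6                                      # page: up to six
DEFAULT_GOVERNANCE_ROLES = ["Owner", "Steward", "Custodian"]  # page: the defaults


@dataclass(frozen=True)
class User:
    name: str
    license: str  # "Author" or "Viewer"


@dataclass(frozen=True)
class Team:
    name: str
    members: Tuple[User, ...]

    def __post_init__(self) -> None:
        if not self.name.startswith("#"):
            raise ValueError(f"team names begin with '#', got {self.name!r}")
        non_authors = [u.name for u in self.members if u.license != "Author"]
        if non_authors:
            raise ValueError(f"only Author-license users may join a team: {non_authors}")


Assignee = Union[User, Team]


class GovernanceConfig:
    def __init__(self, role_names: Optional[List[str]] = None) -> None:
        names = list(DEFAULT_GOVERNANCE_ROLES if role_names is None else role_names)
        if len(names) > MAX_GOVERNANCE_ROLES:
            raise ValueError(f"at most {MAX_GOVERNANCE_ROLES} governance roles, got {len(names)}")
        self.role_names = names
        self.assignments: Dict[Tuple[str, str], Assignee] = {}  # (asset, role) -> assignee

    def rename_role(self, old: str, new: str) -> None:
        """Role names are customizable (page example: Custodian -> Expert);
        existing assignments follow the new name."""
        self.role_names[self.role_names.index(old)] = new
        self.assignments = {
            (asset, new if role == old else role): who
            for (asset, role), who in self.assignments.items()
        }

    def assign(self, asset: str, role: str, assignee: Assignee) -> None:
        if role not in self.role_names:
            raise ValueError(f"unknown governance role {role!r}")
        if isinstance(assignee, User) and assignee.license != "Author":
            raise ValueError(f"{assignee.name} holds a Viewer license and cannot take a governance role")
        self.assignments[(asset, role)] = assignee

    def can_act(self, asset: str, role: str, user: User) -> bool:
        """True if `user` may perform the role's operation on `asset` (for
        example, approve a data quality issue), directly or via team membership."""
        who = self.assignments.get((asset, role))
        if who is None:
            return False
        if isinstance(who, User):
            return who == user
        return user in who.members


if __name__ == "__main__":
    # Constructed sample reusing the names from the page's examples.
    sophia, george = User("Sophia", "Author"), User("George", "Author")
    stewards = Team("#finance-stewards", (sophia, george))
    cfg = GovernanceConfig()
    cfg.assign("customer table", "Owner", sophia)
    cfg.assign("customer table", "Steward", stewards)
    print(cfg.can_act("customer table", "Steward", george))  # True
    print(cfg.can_act("customer table", "Owner", george))    # False
```

Keeping the license check in `assign` rather than in `can_act` mirrors where the page places the rule: a Viewer is never accepted as an assignee, so there is no state in which the authorization check has to reason about licenses.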

Types of Administrators in OvalEdge

OvalEdge has various administrator roles, each serving specific functions across different modules. All OvalEdge Administrator roles fall under the Author License type and are configured from System Settings. Configuring these administrators is optional; if they are not configured, the default admin role, OE_ADMIN, which is set up out of the box, holds all of these responsibilities. These additional administrator roles add modularity that organizations can make use of as they see fit.

  1. Role Admin:

    1. Configuration: “ovaledge.role.admin”

    2. Description: A configurable role set in System Settings under Users & Roles. This role functions as the Super Administrator. Only roles defined with this configuration can change any configuration in System Settings, set up Application security, view entries in the Audit trails, and change the schedules of activities that have been set up.

  2. Tag Administrator:

    1. Configuration: “ovaledge.tag.role”

    2. Description: A system-configured role that manages tag creation, management, and deletion.

  3. Domain Creator:

    1. Configuration: “ovaledge.domain.creator”

    2. Description: A system-configured role designated for creating domains. Only users with this role can create a domain.

  4. Users & Roles Administrator:

    1. Configuration: “oe.user&role.admin”

    2. Description: A system-configured role allowing users to add or edit Users & Roles, performing all related operations in Users & Roles Management.

  5. Project Administrator:

    1. Configuration: “role.project.admin”

    2. Description: A system-configured role specifically for creating projects. Only users with this role can create a project.

  6. Connector Creator:

    1. Configuration: “ovaledge.connector.creator”

    2. Description: A system-configured role responsible for creating connectors within OvalEdge, accessible through the Connectors Tab.

  7. Integration Admin:

    1. Configuration: Assigned during connector creation

    2. Responsibilities: Responsible for editing connector settings, crawling, profiling, recrawling, reprofiling, and scheduling crawl/profile.

  8. Data Access Administrator:

    1. Description: An administrator role with specific permissions for accessing RDAM screens and performing various reprofiling access management operations. By default, this role has limited permissions, allowing only access to view metadata at the Catalog level.

  9. Security & Governance Admin (SGA):

    1. Responsibilities: Act as the admin for a specific connector. Manage metadata and data permissions for the connector. Can provide various permissions to roles and users on each data asset within the connector.

    2. Description: An administrator role with Author license type, defined during Connector creation. SGAs can exist for different system types (e.g., RDBMS, Reporting tools), and multiple SGAs can exist on a Connector. Editing SGAs is possible only from the Security page of the Common Administration.

  10. Reference Data Management Admin:

    1. Configuration: “role.rdm.admin”

    2. Responsibilities: A system-configured role designated for creating, updating, and deleting Reference Data (RD) units. Other capabilities include updating the Steward of an RD unit and adding a title and description to an RD unit.
