Access policies are sets of rules that you use to define permissions and control the level of access to organizational assets.
To implement access control, you can use predefined access policies or define access policies in Metadata Command Center. Predefined access policies are associated with predefined user roles defined in Administrator. For information about predefined access policies, see Introduction and Getting Started.
To define access policies, you create rules that provide specific permissions and privileges to users or user groups on asset types or attribute groups. The access policies control the level of access that users have based on the assigned user role, stakeholder role, or the user group.
The following table describes the access policies that you can create in Metadata Command Center:
| Access policy | Description |
| --- | --- |
| User role policy | Defines the access level of users who are assigned a user role in Administrator. |
| Stakeholder role policy | Defines the access level of users who are assigned a stakeholder role on assets. |
| User group policy | Defines the access level of users who are added to a user group in Administrator. You can also use this access policy to control the access level of all users in the organization. |
The following image shows the Access Policies tab with a list of access policies:
Effective permissions granted by access policies
Users inherit the intersection of the permissions granted by all access policies assigned to them.
For example, if a user is assigned the following access policies, then only the intersection of the permissions in those policies is granted to the user on the asset:
• User role policy for the Governance Owner
• Stakeholder role policy for the Governance Owner
• User group policy for the Finance user group
When you create a user role policy or a stakeholder role policy and set it to override other access policy types, that policy provides access regardless of other access policies that might apply.
You can use user role policies or user group policies to control permissions based on asset groups. The access to asset groups is enforced when at least one access policy grants permission on an asset group.
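The intersection and override rules above, modelled as an added example (not Informatica code or a Metadata Command Center API). The policy names and permission sets are constructed, and treating an overriding policy's permissions as added on top of the intersection is an assumption; the asset group rule is not modelled.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Policy:
    name: str
    permissions: frozenset
    override: bool = False  # "override other access policy types" option

def effective_permissions(policies):
    """Return (granted, withheld) for one user on one asset.

    withheld maps each permission that was lost to the non-overriding
    policies that did not grant it, which is what an access review needs.
    """
    ordinary = [p for p in policies if not p.override]
    overriding = [p for p in policies if p.override]
    # Intersection rule: a permission survives only if every policy grants it.
    granted = set()
    if ordinary:
        granted = set(frozenset.intersection(*(p.permissions for p in ordinary)))
    # Override rule. Assumption: the overriding policy's permissions are
    # added to the result whatever the other policies say.
    for p in overriding:
        granted |= p.permissions
    mentioned = set().union(*(p.permissions for p in policies))
    withheld = {
        perm: sorted(p.name for p in ordinary if perm not in p.permissions)
        for perm in sorted(mentioned - granted)
    }
    return granted, withheld

# Constructed sample policies mirroring the three in the example above.
ROLE = Policy("role:GovernanceOwner", frozenset({"Create", "Read", "Update", "Delete"}))
STAKEHOLDER = Policy("stakeholder:GovernanceOwner", frozenset({"Read", "Update"}))
GROUP = Policy("group:Finance", frozenset({"Read"}))

if __name__ == "__main__":
    granted, withheld = effective_permissions([ROLE, STAKEHOLDER, GROUP])
    print("effective:", sorted(granted))
    for perm, names in withheld.items():
        print(f"  {perm} withheld by {', '.join(names)}")
    # Same user, but the stakeholder role policy now overrides the others.
    granted, _ = effective_permissions([ROLE, replace(STAKEHOLDER, override=True), GROUP])
    print("with override:", sorted(granted))
```

Under the intersection rule, assigning one more non-overriding policy can only narrow a user's permissions, so an access review should look first at policies marked as overriding.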
Permissions to work with catalog sources
To work with catalog sources, the administrator needs to configure asset privileges for the user role in Administrator. Before you create, update, delete, purge, or run a catalog source, verify that the administrator granted the required permissions for your user role in the Catalog Source Configuration asset privilege for Metadata Command Center.
The administrator also needs to configure an access policy with the required permissions in Metadata Command Center.
The following table describes the permissions required to create, view, update, purge, copy, and run a catalog source:
| Action | User role permissions | Access policy permissions |
| --- | --- | --- |
| Create a catalog source | Create, Read, Update | Create, Read |
| View the catalog source configuration | Read | Read |
| Update a catalog source | Read, Update | Update |
| Purge and delete a catalog source | Read, Delete | Delete |
| Copy a catalog source | Create, Read, Update | Create, Read |
| Run a catalog source | - | For a catalog source that does not have connection assignments, grant the Read permission to the user role policy. For a catalog source that has connection assignments, grant the Read and Update permissions to the user role and stakeholder role policies on the reference and endpoint datasources. |