YOUnite groups an organization's resources by the organization's structure (e.g. divisions, departments, districts, etc.) and uses these groupings to create relationships within the organization. In YOUnite these groupings are called zones.

It's important to understand the distinction that:

  • Access to resources is granted through permissions.
  • Access to data is managed through scopes (covered in the Scopes page).

Zones

As mentioned above, YOUnite provides zones so an organization can group master data resources along its organization structure.

Zones are associated with each other in a hierarchical structure with parent, child and sibling zones e.g. the following illustrates a college district as the parent zone with three child college zones (siblings of each other):

Zone characteristics:

  • Zones generally have two types of users associated with them:
    • Zone admin is responsible for general zone management. A zone admin is defined when the zone is created.
    • Zone data steward is responsible for the domains, data and data governance.

User types are defined by policies. Policies are covered below.

  • Zones receive notifications of master data changes and operational events.
  • Zones can have zero, one or more adaptors tied to services containing federated master data.
  • The Zone Admin controls access to zone resources with the exception of the master data and domains.
  • The Zone Data Steward controls access to the master data associated with a zone.
  • The Zone Data Steward can restrict either out-bound or in-bound data shared with or from other zones.
  • Centralized YOUnite logs are indexed on a per-zone basis.
  • A Zone Data Steward can define and share data domains (domains) but generally a single top-level domain creates domains for the entire YOUnite deployment.

The Ultimate Root Zone

Upon initial deployment, YOUnite creates a root zone called root with a zone admin user mdmadmin.  All zones created are subordinate to it. The UUID of the root zone is always 6c5a754b-6ce0-4871-8dec-d39e255eccc3. The root zone's UUID was necessary when creating the "College District" zone below:

Zone Users

A zone is created by a user with an SSO ID (TODO See YOUnite and SSO Providers). The zone creation requires an SSO ID. The first zone user is tied to this zone and becomes the zone's Zone Admin (more on user types and permissions to follow). The Zone Admin has full administrative privileges for the zone.

If this is the first zone associated with an SSO ID, a YOUnite User (User) is created that is tied to the associated SSO ID.

For example, if the IT admin created above for the college district zone (senor_jefe@college_district.edu) creates a zone called "Central College" and assigns Cece Jones's SSO ID to it as the IT admin for the zone, then a new YOUnite User (cece@college_district.edu) is created and she will be associated with the "Central College" zone:

If two more zones are created and Cece is associated with them, the same YOUnite User name is used for all associated zones. So now the one YOUnite User (with SSO ID cece@college_district.edu) is associated with three zones:

The User's permissions are specific to the zone they are logged into, so the YOUnite User's permissions can be different from one zone to another. This is accomplished using permissions, roles and groups.

Permissions

YOUnite users can be granted or denied access to resources by setting appropriate permissions. Permissions do not stand on their own but are grouped into Policies (which are explained below). Generally, permissions are managed by the Zone Admin or other users that have been given control over a zone's permissions.

Permissions are broken out into two properties:

  1. Resource URI: The YOUnite resource that is part of the user's zone. If the zone user has the appropriate permissions, they can allow other users to access a resource such as a domain, MDRs, logs, adaptors, etc.
  2. Actions: These are the actions the user can perform on the resource. They include GET, PUT, POST, DELETE, PATCH (and ALL).

Permission Example

In this example a user is granted full access to all domains in the zone except for:

  • staff: The user has no access to the staff domain
  • students: The user has full access except DELETE to the students domain

                        Actions
Resource                GET   PUT   POST   DELETE
/domains/*              YES   YES   YES    YES
/domains/staff/*        NO    NO    NO     NO
/domains/students/*     YES   YES   YES    NO

Any user with this permission can create, modify, delete and view all other users for a zone.

Roles

A role is a group of permissions that can be used to manage user access to resources. YOUnite has two default managed roles. These two managed roles are visible to all zones and cannot be deleted.

Typically there are two types of users associated with a zone that leverage these roles:

  1. Zone Admin: These users have zone admin privileges. As mentioned above, the first Zone Admin has full administrative privileges for the zone but additional roles and permissions can be configured that restrict access to other Zone Admins. The Zone Admin has general zone management responsibilities such as creating subordinate zones, adding adaptors, creating/managing groups and Users and attaching Roles to Groups and Users.
  2. Zone Data Steward (ZDS): Zone Admins can create additional Users with data steward permissions. These Users have access to, and manage control (scope) of, the master data (covered in the Scopes & Metadata and Metadata pages).

See the YOUnite API documentation for more specifics on roles.

Groups

A Group is a collection of Users in a zone that has roles associated with it. A Group can have multiple roles associated with it and Users can belong to more than one group. 

Effective Permissions

In a particular zone, the User's effective permissions are a union of all the permissions associated with all of the groups they are in and any roles directly associated with them.

The following diagram pulls all of the above topics together and shows how the user's effective permissions are calculated.

See the YOUnite API documentation for more specifics on zones, users, groups and roles.
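
The permission table and the effective-permissions rule above, worked through as an added example (not YOUnite code): it merges the permissions from a User's groups and direct roles in one zone and checks requests against the result. The rule that the most specific matching resource pattern decides is an assumption inferred from the table; the `LOG_READER` role, the group names and the "North College" zone are constructed.

```python
from fnmatch import fnmatchcase

# Role from the Permission Example table: resource pattern -> allowed actions.
DOMAIN_EDITOR = {
    "/domains/*": {"GET", "PUT", "POST", "DELETE"},
    "/domains/staff/*": set(),                      # NO for every action
    "/domains/students/*": {"GET", "PUT", "POST"},  # everything except DELETE
}
LOG_READER = {"/logs/*": {"GET"}}  # constructed second role

# Constructed sample data: one User in two zones with different groups and roles.
GROUP_ROLES = {"editors": [DOMAIN_EDITOR], "auditors": [LOG_READER]}
USER_GROUPS = {"Central College": ["editors"], "North College": ["auditors"]}
DIRECT_ROLES = {"Central College": [LOG_READER]}


def effective_permissions(zone, user_groups, group_roles, direct_roles):
    """Union of the permissions from the User's groups and direct roles in one zone."""
    roles = list(direct_roles.get(zone, []))
    for group in user_groups.get(zone, []):
        roles.extend(group_roles[group])
    merged = {}
    for role in roles:
        for pattern, actions in role.items():
            merged.setdefault(pattern, set()).update(actions)
    return merged


def is_allowed(perms, action, uri):
    """ASSUMPTION: the longest (most specific) matching pattern decides; no match denies."""
    matches = [p for p in perms if fnmatchcase(uri, p)]
    if not matches:
        return False
    return action in perms[max(matches, key=len)]


if __name__ == "__main__":
    for zone in ("Central College", "North College"):
        perms = effective_permissions(zone, USER_GROUPS, GROUP_ROLES, DIRECT_ROLES)
        for action, uri in [("DELETE", "/domains/courses/7"), ("GET", "/domains/staff/1"),
                            ("DELETE", "/domains/students/42"), ("GET", "/logs/today")]:
            print(f"{zone:16} {action:7} {uri:22} {is_allowed(perms, action, uri)}")
```

Running the same requests against each zone shows where one User's access differs from zone to zone.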

Notifications

TODO

Logging

TODO

API Users

An API consumer for the zone can register a callback URL to receive notifications of events such as completed transactions. TODO

An introduction to YOUnite and Adaptors can be found on the Introduction to YOUnite page.

Information on developing adaptors can be found on the YOUnite Adaptor Guide for Java Developers page.



Adaptors

Adaptors are custom... blah blah from intro. Adaptors connect to the datahub via the message broker using the YOUnite SDK. They belong to a zone and are typically created by the zone admin or zone data steward.

Adaptor States

blah blah

State: Description

  • Posted: Adaptor is successfully POSTed. An API consumer can make this request or it can be done through the YOUnite UI.
  • Configured: The adaptor has:
    • Successfully connected to the YOUnite Datahub via the message bus/broker
    • Subscribed to the appropriate message broker topics
    • Had its message broker queue created
  • Pause: The adaptor is running but not accepting adaptor (read/write) requests.
  • Play Read-Only: The adaptor is accepting read requests only.
  • Play: The adaptor is accepting read and write requests.


Posting and Configuring an Adaptor 

By default only the zone data steward role has permission to create an adaptor and view its credentials.  User must have XX permission.

UI screenshots. Router doc (ADAPTOR: POST & CONFIGURATION)

Adaptor Startup Sequence

Controlling an Adaptor

Permissions needed

UI screenshots

API endpoints


Updating an Adaptor


Deleting an Adaptor




