Versions Compared

Old Version 23

changes.mady.by.user Mark Fitzpatrick

Saved on

compared with

New Version 24

changes.mady.by.user Mark Fitzpatrick

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Governance refers to Data Governance in MDM.

...

Governance describes the act of managing data access (i.e. who accesses certain data sets based on role, application, etc.).

Governance...
definesreferenceswhere the Master Data is stored
providesvisibility to data between zones and adaptors
contains
  • policies that get applied by the Data Governance Steward (DGS) as regards to the data taxonomy of the tenant
  • data content managed by the Zone Data Steward, who is designated by the DGS to:
    • ensure their zone's data accuracy
    • provide domain modeling input to the DGS
    • assign Access Control Lists (ACLs) and zone access
    • works with adaptor developers and implementors
    • manages error notifications from MDM, and,
    • resolves duplicate data detected by MDM

ACLs and ACL Chains

An ACL chain can be thought of as a series (chain) of filters (ACLs) that can be applied to a data event that occurs in the MDM ecosystem.

ACLs

An access control list, or ACL, is a list of permissions properties that controls data flow between zones and adaptors. The list of ACL properties includes:

  • Source Zone - The zone the data originated from
    • Source Adaptor - The adaptor the data originated from
  • Destination Zone - The zone the data is flowing to
    • Destination Adaptor - The adaptor the data is flowing to
  • Domain Version - The data domain the ACL applies to
    • Domain Version Properties - One or more properties in the data domain that are applied to the ACL
  • Data Records - One or more data records that are applied to the ACL
  • Allow/Deny settings for an ACL control which operations are either allowed or denied:
    • GET
    • PUT
    • POST
    • DELETE

Data events in YOUnite parallel the HTTP requests GET, PUT, POST and DELETE

...

If any of the above controls are omitted from an ACL, then ALL is assumed.  (TODO - Add this later).

Not all ACL types use all of the ACL properties.

ACL Chains

ACLs are linked together to form ACL chains. They behave similar to network firewall chains but apply to an organizations data entities linked to YOUnite. When a data event occurs to a source entity, the change is transmitted to YOUnite and the appropriate ACL chains are consulted and data is propagated (allowed) or restricted based on the ACLs in the ACL chains. Care must be taken to order the ACLs on a chain properly since the first ACL match is applied to a data event.

...

Outbound ACLs can be thought of as permissions on out-bound data. By default, all ACLs are open. Outbound ACLs are the restrictions controls a Source Zone's data steward sets on Destination Zones:

...

...

OperationData Event Description
PUTWhen the source zone allows or restricts the changes that occur inside the source zone from flowing outbound to destination zones.
POSTWhen the source zone allows or restricts new data that is created on adaptors in the source zone from flowing outbound to destination zones.

DELETE

When the source zone allows or restricts "deletes" that occur inside the source zone from flowing outbound to destination zones.
GETWhat destination zones are allowed or restricted from using the source zone's data when assembling data.


Restrictions Controls can be set on the following:

EntityDescriptionDefault Value
Source AdaptorThe adaptor in the source zone where the data event originates.ALL
Destination Zone
he
The destination zone where the data event can be delivered (i.e. it has adaptors that are capable of handling the event)ALL
Adaptor
A Source Zone's adaptor(s)DRThe union of all data for a specific DR stored on the adaptors (unless constrained to an adaptor) inside the Source ZoneDomainThe union of all data stored on adaptors (unless constrained to a subset of adaptors) inside the Source Zone that maps to a given Data DomainDomainProperty
An adaptor in the destination zone capable of handling the data event.ALL
Domain VersionThe data associated with a data event will contain data that belongs to one or more domain versions. ALL
DROne or more federated data records that belong to the Domain VersionALL
Domain VersionData events contain a federated data records that belong to one or more Domain Versions.ALL
Domain Version PropertyThe union of all instances of a specific domain property stored on adaptors inside of the Source zone (unless constrained to a subset of adaptors)

Outbound ACLs are applied from left to right in the following order:

    Destination Zone → Destination Adaptor → Domain → DomainProperty → DR

Inbound ACLs

...

ALL
Allow GET / Restrict GETAllow or restrict GET data events.neither is set
Allow PUT / Restrict PUTAllow or restrict PUT data events.neither is set
Allow POST / Restrict POSTAllow or restrict POST data events.neither is set
Allow DELETE / Restrict DELETEAllow or restrict DELETE data events.neither is set


Inbound ACLs

Inbound ACLs can be thought of as permissions on in-bound data. By default, all ACLs are open. Inbound ACLs are controls a Destination Zone sets on Incoming data requests (GET) and operations (DELETE, PUT, POST) from Source Zones.:

OperationData Event Description
PUTWhen the destination zone allows or restricts changes that occur in source zones/adaptors from flowing into the destination zone.
POSTWhen the destination zone allows or restricts new data that is created in source zones from flowing into the destination zone.
DELETEWhen the destination zone allows or restricts deletes that occur in source zone/adaptors from flowing into the destination zone.
GETWhat source zone/adaptors are allowed or restricted (ignored) by the destination zone when assembling data.


Controls can be set on the following - the zone data steward in the destination zone, creates the ACL on behalf of the destination zone:

EntityDescriptionDefault Value
Source ZoneThe originating source zone of data flowing into the destination zone.ALL
Source AdaptorThe originating source zone's adaptor(s).ALL
Destination AdaptorThe destination zone's adaptor(s).Domaindata associated with a data event will contain data that belongs to one or more domain versions. ALL
Domain VersionThe union of all data stored on adaptors (unless constrained to a subset of adaptors) inside the zource zone that maps to a given data domain.ALL
DomainPropertyDomain Version Property

The union of all instances of a specific domain property stored on adaptors inside of the source Source zone (unless constrained to a subset of adaptors).

ALL
DRThe union of all data for a specific DRs stored on the adaptors (unless constrained to an adaptor) inside the source zone.

Inbound ACLs are applied from left to right in the following order:

...

One or more federated data records that belong to the Domain Version.ALL
Allow GET / Restrict GETAllow or restrict GET data events.neither is set
Allow PUT / Restrict PUTAllow or restrict PUT data events.neither is set
Allow POST / Restrict POSTAllow or restrict POST data events.neither is set
Allow DELETE / Restrict DELETEAllow or restrict DELETE data events.neither is set


Operational ACLs 

Operation ACLs are not part of zone data governance but should be mentioned briefly here. By default, the DGS has permission to modify ACLs to data records (DRs) to zone users and adaptors to create new DRs. Operational ACLs control operations to the underlying DRs are granted by the DGS to Zone Users and Adaptors; typically the ZDSs.


TODO: Add a POST/DELETE chart

ACLs Illustrated


TODO - Survey examples

I very simple example it illustrate this point:

  • There are four zones: ZoneW, ZoneX, ZoneY and ZoneZ each with only one adaptor. All adaptors are capable of storing/retrieving data entries for the "Customer" domain
  • ZoneW has the following outbound ACL chain
    1. ALLOW all outbound data events from to flow through to ZoneY
    2. RESTRICT all outbound data events from flowing to all zones
  • A Customer PUT data event is raised on adaptor1 in ZoneW
  • YOUnite can see that the adaptors in ZoneX, ZoneY and ZoneZ are all capable of consuming this data event
    • YOUnite attempts to route the data event to ZoneX
      • YOUnite inspects ZoneW's outbound ACL chain and gets a match on the first ACL in the chain and routes the  event to the adaptor in ZoneX
    • YOUnite attempts to route the data event to ZoneY
      • The first ACL does not match but the second does restricting the event, so the data event is NOT routed to ZoneY
    •  ZoneZ experiences the same fate as ZoneY

TODO: Illustrate this

Examples worth mentioning:

...

  • Permissions on outbound data
  • Controls on what inbound data a zone or adaptor should receive

ACLs

...

TODO: Redraw and move to the top and re-use down here



For example, if an update (PUT or PATCH) operation is performed on data under YOUnite control, ACLs would control:

  • What zones and adaptors would have visibility to the change (outbound ACLs)
  • Which zones and adaptors receive (or reject) the change (inbound ACLs) e.g. a zone may be granted ACLs to a change but the ZDS for the zone may choose not to accept it.

...

Example Outbound ACLs for GET

...

  • At the highest prioirty level (Priority 1), Zone[1] can shut off all outbound data record changes to Zone[2]. At the lowest priority level (Prioirty 5), Zone[1] can shut off sharing a single attribute on a single adaptor (that it owns) to Zone[2].
  • Sharing precedence is based on the priority e.g. If Zone[1] has turned off access to Zone[2] (Priority 1), then all other sharing actions are null.
  • Permissions for each element are based on REST operations GET, PATCH, POST and DELETE. An additional operation is added for PUSH, where a zone allows another zone to receive real-time changes. However, it may be determined that GET will include PUSH.

PROBABLY WANT TO REMOVE MOST OF THE FOLLOWING - Illustration is for devs but should be modified

...

ACL Data Flow Illustration

The image below represents an example of MDM domain-related permissions and operational, outbound, and inbound ACLs (traveling left to right). Additional text below the image describes the process in addition to the embedded in-image text.

...

  • On the diagram's left side is a source zone’s single Source Adaptor (abcd-1234) that sends data changes (data records) in its domain(s) to the router.
    • Note: A zone can have many adaptors.
  • The data records sent from the source adaptor to the router have Operational ACL applied to them. Operational ACL limits which data operations are allowed from the source zone’s adaptor(s) and adaptor domain(s) and are defined by the zone's DGS.
  • Next, the data records from the source zone’s domains/adaptors are linked to YOUnite Data Records to avoid data record duplication. 
    • Note: The data records published by the source adaptor could be updates, deletes, or new records.
  • Outbound ACLs then get applied to the source adaptor’s data records. The Outbound ACLs are defined by the source zone’s ZDS and define what data the Zone can send out (i.e .restricting data, or elements of data, of certain domains from flowing out of certain adaptors in the zone to other zones).
  • After Outbound ACLs are applied the data records are published to the YOUnite Data Hub and subscribing/desitnation zones and their adaptors (on the diagram's right side) are notified of the updated data.
  • Any destination zone that has subscribed to data records from the source zone has Inbound ACLs in place to define which data operations are allowed in the source zone and its adaptor(s). Inbound ACL is defined by the destination zone’s ZDS. Any data or operations that are configured to be ignored are filtered out. The Destination Adaptor (zyxw-9876) in the image above is shown receiving data records and/or operations it has subscribed to, as filtered by its zone’s Inbound ACL.

...