Versions Compared

Old Version 21

changes.mady.by.user Mark Fitzpatrick

Saved on

compared with

New Version 22

changes.mady.by.user Mark Fitzpatrick

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Governance refers to Data Governance in MDM.

What is Governance?

Governance describes the act of managing data access (i.e. who accesses certain data sets based on role, application, etc.).

Governance...
defineswhere the Master Data is stored
providesvisibility to data between zones and adaptors
contains
  • policies that get applied by the Data Governance Steward (DGS) as regards to the data taxonomy of the tenant
  • data content managed by the Zone Data Steward, who is designated by the DGS to:
    • ensure their zone's data accuracy
    • provide domain modeling input to the DGS
    • assign Access Control Lists (ACLs) and zone access
    • works with adaptor developers and implementors
    • manages error notifications from MDM, and,
    • resolves duplicate data detected by MDM

ACLs and ACL Chains

ACLs

An access control list, or ACL, is a list of permissions that controls data flow between zones and adaptors. The list includes:

  • Source Zone - The zone the data originated from
  • Source Adaptor - The adaptor the data originated from
  • Destination Zone - The zone the data is flowing to
  • Destination Adaptor - The adaptor the data is flowing to
  • Domain Version - The data domain the ACL applies to
    • Domain Version Properties - One or more properties in the data domain that are applied to the ACL
  • Data Records - One or more data records that are applied to the ACL
  • Allow/Deny settings for an ACL control which operations are either allowed or denied:
    • GET
    • PUT
    • POST
    • DELETE

If any of the above controls are omitted from an ACL, then ALL is assumed.  (TODO - Add this later)

ACL Chains

ACLs are linked together to form ACL chains. They behave similar to network firewall chains but apply to an organizations data entities linked to YOUnite. When a data event occurs to a source entity, the changes is transmitted to YOUnite and the appropriate ACL chains are consulted and data is propagated or restricted based on the ACLs in the ACL chains.




TODO Mark

ACLs are defined similarly to firewall rules where rules are put in on inbound and outbound chains for a given zone.

ACLs can allow or restrict data flow.

Care must be taken to order the ACLs on a chain properly since the first ACL match is applied to a data event.

...

  • Need to include "allow" PUT and/or POST for them to take effect.
  • The domain properties are a list of properties that should be restricted from flowing outbound
  • The domain properties are ignored when "restrict" (e.g. restrict PUT or POST) is used since restrict is applied to the entire data event.

What is Governance?

Governance describes the act of managing data access (i.e. who accesses certain data sets based on role, application, etc.).

...


Governance: InboundAclEntries and OutboundAclEntries

...

  • On the diagram's left side is a source zone’s single Source Adaptor (abcd-1234) that sends data changes (data records) in its domain(s) to the router.
    • Note: A zone can have many adaptors.
  • The data records sent from the source adaptor to the router have Operational ACL applied to them. Operational ACL limits which data operations are allowed from the source zone’s adaptor(s) and adaptor domain(s) and are defined by the zone's DGS.
  • Next, the data records from the source zone’s domains/adaptors are linked to YOUnite Data Records to avoid data record duplication. 
    • Note: The data records published by the source adaptor could be updates, deletes, or new records.
  • Outbound ACLs then get applied to the source adaptor’s data records. The Outbound ACLs are defined by the source zone’s ZDS and define what data the Zone can send out (i.e .restricting data, or elements of data, of certain domains from flowing out of certain adaptors in the zone to other zones).
  • After Outbound ACLs are applied the data records are published to the YOUnite Data Hub and subscribing/desitnation zones and their adaptors (on the diagram's right side) are notified of the updated data.
  • Any destination zone that has subscribed to data records from the source zone has Inbound ACLs in place to define which data operations are allowed in the source zone and its adaptor(s). Inbound ACL is defined by the destination zone’s ZDS. Any data or operations that are configured to be ignored are filtered out. The Destination Adaptor (zyxw-9876) in the image above is shown receiving data records and/or operations it has subscribed to, as filtered by its zone’s Inbound ACL.

ACLs

ACLs can be thought of as a series of filters that get applied to a data operation.

...

Operation ACLs are not part of zone data governance but should be mentioned briefly here. By default, the DGS has permission to modify ACLs to data records (DRs) to zone users and adaptors to create new DRs. Operational ACLs control operations to the underlying DRs are granted by the DGS to Zone Users and Adaptors; typically the ZDSs.