The Operational Side of MDM: Zones
One of the key design goals of YOUnite is the ability to group an organization's master data resources by the organization's structure (e.g. divisions, departments, districts, schools, etc.) and then create relationships between those groupings. YOUnite calls these groupings zones. An example is the California Community College (CCC) system, where zones could be the CCC Chancellor's Office, Butte College, and the Los Rios Community College District.
Zones contain domains, adaptors, logs, scopes, and other resources. Zones are associated with each other in a hierarchical structure with parent, sibling, and child zones. In the college district example, the colleges within that district might be child zones of the district's zone.
Zone Users
When a zone is created, two distinct users are defined:
- Zone Superuser: The superuser is responsible for operational tasks, such as:
  - Setting policies
  - Creating subordinate zones
  - Creating users
  - Granting API access
  - Managing operational notifications that are sent to and received from other zones
  - Managing and viewing operational logs and notifications
  - Managing operational permissions between zones, i.e. allowing users of other zones to perform the responsibilities listed above
- Zone Data Steward: The data steward:
  - Has access rights to all of the master data relevant to the zone
  - Has control over the domains and master data associated with the zone
  - Controls inbound and outbound scope for permissions to the data
  - Creates users that have access to the data
  - Can limit or expand user access to the data
  - Grants API access to the data
  - Manages data-related notifications that are sent to and received from other zones
  - Manages and views domain and master data logs
  - Manages inbound/outbound scopes to master data
  - Manages other metadata related to the master data
By default, the superuser and data steward privileges are mutually exclusive. The superuser controls the operational aspects of the zone while the data steward controls the data.
YOUnite works with Single Sign-On (SSO) services. When a zone is created, the SSO IDs for the zone's superuser and data steward must be provided. The same SSO ID can be used for both the superuser and data steward, creating a user that has control of both the operational AND data elements of a zone.
NOTE: As a security measure, the superuser of a parent zone does not have access to its subordinate zones by default.
You can add additional users (individually or as part of a group) to a zone and grant them permissions. YOUnite's permissions model involves policies (grouped permissions) and groups (grouped users), so that policies can be assigned to groups. This creates an easy-to-manage permission paradigm:
Identity | Description
---|---
User | A user in the YOUnite system that is tied to an SSO ID.
Groups | A group contains multiple users.
Permissions | Specifies access or denial to operations and resources.
Policies | A grouping of permission settings.
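To make the roles and the permission model above concrete, here is an added toy model (not YOUnite's API or its actual permission semantics; every zone name, SSO ID, operation name and the "explicit deny wins" rule are constructed assumptions). It shows the per-zone superuser and data steward roles being mutually exclusive by default, the parent superuser getting nothing in a child zone unless a policy is assigned to a group she belongs to, one SSO ID holding both roles, and a default-deny check at the end.

```python
"""Toy model of zone roles, groups, policies and permissions (added example;
constructed names, not YOUnite's API)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed operation names, split into the two families described above.
OPERATIONAL_OPS = {"set_policy", "create_zone", "create_user",
                   "grant_api_access", "manage_notifications", "view_logs"}
DATA_OPS = {"read_master_data", "write_master_data", "manage_domains",
            "manage_scopes", "grant_data_api_access", "view_data_logs"}


@dataclass
class Zone:
    name: str
    superuser: str                 # SSO ID of the zone superuser
    data_steward: str              # SSO ID of the zone data steward
    parent: Optional[str] = None   # name of the parent zone, if any


@dataclass(frozen=True)
class Permission:
    operation: str
    zone: str
    effect: str = "allow"          # "allow" or "deny"; assumed: explicit deny wins


@dataclass
class Policy:
    name: str
    permissions: frozenset = field(default_factory=frozenset)


class ZoneDirectory:
    def __init__(self) -> None:
        self.zones: dict[str, Zone] = {}
        self.groups: dict[str, set[str]] = {}          # group -> member SSO IDs
        self.policies: dict[str, Policy] = {}
        self.assignments: list[tuple[str, str]] = []   # (group, policy)

    def add_zone(self, zone: Zone) -> None:
        if zone.parent is not None and zone.parent not in self.zones:
            raise ValueError(f"unknown parent zone {zone.parent!r}")
        self.zones[zone.name] = zone

    def add_group(self, name: str, members: set[str]) -> None:
        self.groups[name] = set(members)

    def add_policy(self, policy: Policy) -> None:
        self.policies[policy.name] = policy

    def assign(self, group: str, policy: str) -> None:
        self.assignments.append((group, policy))

    def _explicit(self, sso_id: str, operation: str, zone_name: str) -> set[str]:
        """Effects of every policy permission that reaches the user via a group."""
        effects = set()
        for group, policy in self.assignments:
            if sso_id not in self.groups[group]:
                continue
            for perm in self.policies[policy].permissions:
                if perm.operation == operation and perm.zone == zone_name:
                    effects.add(perm.effect)
        return effects

    def is_allowed(self, sso_id: str, operation: str, zone_name: str) -> bool:
        zone = self.zones[zone_name]
        effects = self._explicit(sso_id, operation, zone_name)
        if "deny" in effects:
            return False
        # Role-derived rights apply only inside the zone itself, so a parent
        # zone's superuser gets nothing in a child zone without an explicit grant.
        if sso_id == zone.superuser and operation in OPERATIONAL_OPS:
            return True
        if sso_id == zone.data_steward and operation in DATA_OPS:
            return True
        return "allow" in effects      # otherwise default deny


def build_example() -> ZoneDirectory:
    """Constructed zones modelled on the CCC example above, with sample SSO IDs."""
    d = ZoneDirectory()
    d.add_zone(Zone("CCC Chancellor's Office", superuser="alice", data_steward="bob"))
    d.add_zone(Zone("Butte College", superuser="carol", data_steward="dave",
                    parent="CCC Chancellor's Office"))
    # One SSO ID in both roles: controls operations AND data of that zone.
    d.add_zone(Zone("Los Rios CCD", superuser="erin", data_steward="erin",
                    parent="CCC Chancellor's Office"))
    # Explicitly let the parent superuser create users in the child zone by
    # putting her in a group and assigning that group a policy.
    d.add_group("ccc-admins", {"alice"})
    d.add_policy(Policy("butte-user-admin",
                        frozenset({Permission("create_user", "Butte College")})))
    d.assign("ccc-admins", "butte-user-admin")
    return d


if __name__ == "__main__":
    d = build_example()
    for user, op, zone in [("alice", "create_user", "Butte College"),
                           ("alice", "view_logs", "Butte College"),
                           ("bob", "create_user", "CCC Chancellor's Office")]:
        print(f"{user:6} {op:12} {zone:24} -> {d.is_allowed(user, op, zone)}")
```

Running it shows alice allowed to `create_user` in Butte College only because of the group-to-policy assignment, denied `view_logs` there (no grant), and bob, the steward, denied the operational `create_user` in his own zone. Keeping role rights scoped to the zone and every cross-zone right behind an explicit policy is what gives the parent/child separation described in the note above.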
For more on zones, see the Zones, Users, Groups, Policies and Permissions guide.