
Governance here means data governance in MDM, which is exercised through Access Control Lists (ACLs) for zones. ACLs control messages into and out of zones. As a reminder, a zone is a collection of systems/applications owned by groups inside an organization, and it acts as a boundary for which access permissions may be defined. All resources within MDM belong to a zone. Each zone has a Zone Data Steward and a Zone Admin.

The Zone Data Steward (ZDS) is responsible for the data associated with a zone (through the adaptors) and can restrict outbound data shared with other zones and inbound data coming from other zones. 


Outbound Access Control Lists (ACLs)

Outbound ACLs provide data record visibility between zones and adaptors. ACLs are a key component of MDM and are part of what is often referred to as the router. Outbound ACLs can be thought of as permissions on outbound data.

Outbound data permission is controlled at several levels. An example of the data access levels is shown below.


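| Source of Data                   | Destination | Priority |
|----------------------------------|-------------|----------|
| Zone[1]                          | Zone[2]     | 1        |
| Zone[1].Adaptor[x]               | Zone[2]     | 2        |
| Zone[1].DR[i]                    | Zone[2]     | 3        |
| Zone[1].DR[i].DRproperty[X]      | Zone[2]     | 4        |
| Zone[1].Adaptor[x].DRproperty[X] | Zone[2]     | 5        |
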
  • At the highest priority level (Priority 1), Zone[1] can shut off all outbound data record changes to Zone[2]. At the lowest priority level (Priority 5), Zone[1] can shut off sharing a single attribute on a single adaptor (that it owns) to Zone[2].
  • Sharing precedence is based on the priority, e.g. if Zone[1] has turned off access to Zone[2] (Priority 1), then all other sharing actions have no effect.
  • Permissions for each element are based on the REST operations GET, PATCH, POST and DELETE. An additional operation is added for PUSH, where a zone allows another zone to receive real-time changes. However, it may be determined that GET will include PUSH.
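
The precedence rules above, worked through as an added example (not MDM's own code). The ShutOff and Change types, the zone, adaptor and property names, and the sample ACL are constructed for illustration; the sketch assumes data is shared unless an entry shuts it off, and treats "GET includes PUSH" as a switch because the page leaves that open.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Scope shape (adaptor set, DR set, property set) -> priority, from the table above.
PRIORITY = {
    (False, False, False): 1,  # Zone[1]
    (True, False, False): 2,   # Zone[1].Adaptor[x]
    (False, True, False): 3,   # Zone[1].DR[i]
    (False, True, True): 4,    # Zone[1].DR[i].DRproperty[X]
    (True, False, True): 5,    # Zone[1].Adaptor[x].DRproperty[X]
}

# An outbound data-record change; every field is concrete (hypothetical model).
Change = namedtuple("Change", "source dest op adaptor dr prop")

@dataclass(frozen=True)
class ShutOff:
    """One 'sharing turned off' entry (hypothetical model); None means any."""
    source: str
    dest: str
    op: str  # GET, PATCH, POST, DELETE or PUSH
    adaptor: Optional[str] = None
    dr: Optional[str] = None
    prop: Optional[str] = None

    def priority(self) -> int:
        # Raises KeyError for a scope shape the table does not define.
        return PRIORITY[(self.adaptor is not None, self.dr is not None, self.prop is not None)]

    def matches(self, c: Change, get_includes_push: bool) -> bool:
        # Assumption: when GET includes PUSH, shutting off GET also shuts off PUSH.
        ops = {self.op, "PUSH"} if get_includes_push and self.op == "GET" else {self.op}
        scope = ((self.adaptor, c.adaptor), (self.dr, c.dr), (self.prop, c.prop))
        return ((self.source, self.dest) == (c.source, c.dest) and c.op in ops
                and all(mine is None or mine == theirs for mine, theirs in scope))

def blocking_priority(acl, change, get_includes_push=False):
    """Priority of the highest-precedence entry that blocks the change, else None."""
    return min((e.priority() for e in acl if e.matches(change, get_includes_push)), default=None)

# Constructed sample ACL for Zone1 -> Zone2.
SAMPLE_ACL = [
    ShutOff("Zone1", "Zone2", "GET", adaptor="crm", prop="ssn"),  # priority 5
    ShutOff("Zone1", "Zone2", "DELETE"),                           # priority 1
    ShutOff("Zone1", "Zone2", "GET", dr="dr-7"),                   # priority 3
]
```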

Inbound ACLs




