
YOUnite groups an organization's master data resources by the organization's structure (e.g. divisions, departments, districts, etc.) and uses these groupings to create relationships within the organization. In YOUnite these groupings are called zones.

It's important to understand the distinction that:

  • Access to resources is granted through permissions.
  • Access to master data is controlled by scopes and metadata (covered in the Scopes and Metadata pages).



Zones

  • Have users associated with them, generally of two types:
    • Zone admin: Responsible for general zone management.
    • Master data steward: Responsible for the domains, data and data governance.
  • Receive notifications of master data changes and other relevant events.
  • Own adaptors tied to services containing federated master data.
  • Control access to the adaptors and master data stored in the services.
  • Can restrict in-bound data shared by other zones.
  • Have log entries associated with them.
  • Can define and share data domains (domains) but generally a single top-level domain creates domains for the entire deployment. 

Zones are associated with each other in a hierarchical structure with parent, child and sibling zones. For example, the following illustrates a college district as the parent zone with three child college zones (siblings of each other):

The Ultimate Root Zone

Upon deployment, YOUnite creates a root zone called root with a zone admin called mdmadmin. All zones created are subordinate to it. The UUID of the root zone is always 6c5a754b-6ce0-4871-8dec-d39e255eccc3. The root zone's UUID was necessary when creating the "College District" zone below:




Zone Users

A zone is created by a user with an SSO ID (TODO See YOUnite and SSO Providers). If this is the first zone created by a given SSO ID, two YOUnite users are created:

  1. Zone admin: This user has zone admin privileges and is tied to the SSO ID of the user that created the zone.
  2. Data Steward
    Zone Admin

If the same user creates subsequent zones, a new YOUnite user is not created, but the SSO ID is associated with the newly created zone.

Each zone can have multiple users and each user must be tied to an SSO ID.

The following is needed to create a zone:

  1. An OAuth bearer token returned from the YOUnite OAuth service (see Authorization header)
  2. The parent zone's UUID (see parentZoneUuid in the request body)
  3. The SSO ID of the user designated as the zone admin (see zoneAdminSsoId in the request body)


For example:

POST /zones

Headers:

Content-Type: application/json
Authorization: Bearer bearer-token

{
 "name": "College District",
 "description": "The College District Zone for the West, Central and East Colleges",
 "parentZoneUuid": "6c5a754b-6ce0-4871-8dec-d39e255eccc3",
 "zoneAdminSsoId": "admin@college_district.edu"
}
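
An added example (not YOUnite's own code) that assembles the request above in Python and validates the three required inputs before anything is sent. The host name `https://younite.example` and the function name `build_create_zone_request` are assumptions made for illustration.

```python
import json
import uuid
import urllib.request

# UUID of the root zone, as stated on this page.
ROOT_ZONE_UUID = "6c5a754b-6ce0-4871-8dec-d39e255eccc3"


def build_create_zone_request(base_url, bearer_token, name, description,
                              parent_zone_uuid, zone_admin_sso_id):
    """Build (but do not send) the POST /zones request shown above."""
    # Reject tokens that are empty or contain whitespace/control characters,
    # so a malformed token can never split or inject HTTP headers.
    if not bearer_token or any(c.isspace() or ord(c) < 0x20 for c in bearer_token):
        raise ValueError("bearer token is empty or contains whitespace")
    # uuid.UUID raises ValueError on anything that is not a well-formed UUID;
    # str() then normalizes it to the lowercase hyphenated form.
    parent = str(uuid.UUID(parent_zone_uuid))
    for field, value in (("name", name), ("zoneAdminSsoId", zone_admin_sso_id)):
        if not value or not value.strip():
            raise ValueError(f"{field} must not be empty")
    body = {
        "name": name,
        "description": description,
        "parentZoneUuid": parent,
        "zoneAdminSsoId": zone_admin_sso_id,
    }
    return urllib.request.Request(
        url=base_url.rstrip("/") + "/zones",  # base_url is a hypothetical host
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Authorization": "Bearer " + bearer_token,
        },
    )


if __name__ == "__main__":
    # Constructed sample values; the host name and token are placeholders.
    req = build_create_zone_request(
        "https://younite.example", "bearer-token", "College District",
        "The College District Zone for the West, Central and East Colleges",
        ROOT_ZONE_UUID, "admin@college_district.edu")
    print(req.get_method(), req.full_url)
    print(json.loads(req.data))
```

The returned object can be passed to `urllib.request.urlopen` once a real host and token are available.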


There are two distinct zone responsibilities:

  1. General Zone Management: The primary zone management user is the zone admin but other users can be created with a subset of permissions.
  2. Master Data Stewardship: The user responsible for the domains, data and data governance.

The zone admin has general zone management responsibilities such as creating subordinate zones and other users and attaching policies and permissions to users.

The zone admin can associate users from other zones with their zone and set policies and permissions for them to operate in the zone as well.


Permissions

YOUnite users can be granted or denied access to resources by setting appropriate permissions for them. Generally, permissions are managed by the zone admin or by other users who have been given control over a zone's permissions.



Policies

A policy is a group of permissions that can be used to manage the general role of YOUnite users. By default ....


Groups

A group is a collection of YOUnite users. The zone admin can use groups to specify permissions for a collection of users. 

See the API documentation for TODO UES.


Notifications

TODO


Logging

TODO



API Users

An API consumer for the zone can register a callback URL to receive notifications of events such as completed transactions.
