
YOUnite groups an organization's master data resources by the organization's structure (e.g. divisions, departments, districts, etc.) and uses these groupings to create relationships within the organization. In YOUnite these groupings are called zones.

It's important to understand the following distinction:

  • Access to resources is granted through permissions.
  • Access to master data is granted through scopes and metadata (covered in the Scopes and Metadata pages).



Zones

As mentioned above, YOUnite provides zones so an organization can group its master data resources along its organizational structure.

Zones are associated with each other in a hierarchical structure with parent, child and sibling zones. For example, the following illustrates a college district as the parent zone with three child college zones (siblings of each other):


Zone characteristics:

  • Zones have users associated with them, generally of two types:
    • Zone admin: Responsible for general zone management. The zone admin is defined when the zone is created.
    • Zone data steward: Responsible for the domains, data and data governance.

User types are defined by policies. Policies are covered below.

  • Zones receive notifications of master data changes and operational events.
  • Zones have zero or more adaptors tied to services containing federated master data.
  • The zone admin controls access to zone resources, with the exception of the master data and domains.
  • The zone data steward controls access to the master data associated with a zone.
  • The zone data steward can restrict in-bound data shared by other zones.
  • Centralized YOUnite logs are indexed on a per-zone basis.
  • A zone data steward can define and share data domains (domains), but generally a single top-level domain creates domains for the entire YOUnite deployment.

The Ultimate Root Zone

Upon initial deployment, YOUnite creates a root zone called root with a zone admin called mdmadmin. All zones created are subordinate to it. The UUID of the root zone is always 6c5a754b-6ce0-4871-8dec-d39e255eccc3. The root zone's UUID was necessary when creating the "College District" zone below:

For example:

POST /zones

Headers:

Content-Type: application/json

Authorization: Bearer bearer-token

{
 "name": "Central District",
 "description": "The College District Zone for the West, Central and East Colleges",
 "parentZoneUuid": "6c5a754b-6ce0-4871-8dec-d39e255eccc3",
 "zoneAdminSsoId": "senor_jefe@college_district.edu"
}


Zone Users

A zone is created by a user with an SSO ID (TODO See YOUnite and SSO Providers). The zone creation request includes an SSO ID. This user is tied to this zone and becomes the zone's IT admin (more on user types and permissions to follow).

If this is the first zone associated with the SSO ID, a YOUnite User (user) is created that is tied to the SSO ID. This first zone user has full administrative privileges for the zone and is called the zone's IT Admin (more on user types and privileges to follow). For example, if the IT admin created above for the college district zone (senor_jefe@college_district.edu) creates a zone called "Central College" and assigns Celia Devopspro's SSO ID as the IT admin for the zone, then a new user (cece@college_district.edu) is created and is associated with the Central College zone:

If two more zones are created and Cece is associated with them, the same YOUnite user is used. So now the one YOUnite user (with SSO ID cece@college_district.edu) is associated with three zones:

The zone user's permissions are specific to the zone.

Typically there are two types of users associated with a zone:

  1. IT Admin: These users have zone admin privileges. As mentioned above, the first Zone Admin has full administrative privileges for the zone, but additional policies and permissions can be configured that restrict access for other zone admins.
  2. Data Steward: Zone admins can create additional users with data steward permissions. These users have access to the master data.

If the same user creates subsequent zones, a new YOUnite user is not created, but the SSO ID is associated with the newly created zone.

Each zone can have multiple users and each user must be tied to an SSO ID.
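
The zone and user rules described above can be modelled in a few lines. This is an added example, not YOUnite code: the ZoneRegistry class, its method names and the "zone_admin" role label are hypothetical, the rule that only an admin of the parent zone may create a subordinate zone is an assumption of the model, and the West/East college zone names are constructed sample data.

```python
import uuid
from dataclasses import dataclass, field
from typing import Optional

ROOT_ZONE_UUID = "6c5a754b-6ce0-4871-8dec-d39e255eccc3"  # fixed root zone UUID from this page

@dataclass
class Zone:
    zone_uuid: str
    name: str
    parent_uuid: Optional[str]
    roles: dict = field(default_factory=dict)  # SSO ID -> roles, valid in this zone only

class ZoneRegistry:
    """Toy in-memory model; all names here are hypothetical."""

    def __init__(self):
        self.users = {"mdmadmin"}  # one user record per SSO ID
        root = Zone(ROOT_ZONE_UUID, "root", None, {"mdmadmin": {"zone_admin"}})
        self.zones = {ROOT_ZONE_UUID: root}

    def has_role(self, sso_id, zone_uuid, role):
        # Permissions are per zone: nothing is inherited from parent, child or sibling zones.
        zone = self.zones.get(zone_uuid)
        return zone is not None and role in zone.roles.get(sso_id, set())

    def create_zone(self, requester, name, parent_uuid, admin_sso_id):
        if parent_uuid not in self.zones:
            raise ValueError("unknown parentZoneUuid")
        # Assumption of this model: only an admin of the parent zone may create a child zone.
        if not self.has_role(requester, parent_uuid, "zone_admin"):
            raise PermissionError(f"{requester} is not zone admin of the parent zone")
        self.users.add(admin_sso_id)  # set semantics: a known SSO ID reuses its existing user
        zone = Zone(str(uuid.uuid4()), name, parent_uuid, {admin_sso_id: {"zone_admin"}})
        self.zones[zone.zone_uuid] = zone
        return zone

    def zones_of(self, sso_id):
        return sorted(z.name for z in self.zones.values() if sso_id in z.roles)

def demo():
    reg = ZoneRegistry()
    jefe, cece = "senor_jefe@college_district.edu", "cece@college_district.edu"
    district = reg.create_zone("mdmadmin", "Central District", ROOT_ZONE_UUID, jefe)
    # Constructed sample data: three sibling college zones, all with Cece as admin.
    colleges = [reg.create_zone(jefe, n, district.zone_uuid, cece)
                for n in ("Central College", "West College", "East College")]
    return reg, district, colleges
```

After demo() there is exactly one user record for cece@college_district.edu, associated with three zones, and her zone admin role in those zones gives her no role in the district or root zone.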

The following is needed to create a zone:

  1. An OAuth bearer token returned from the YOUnite OAuth service (see Authorization header)
  2. The parent zone's UUID (see parentZoneUuid in the request body)
  3. The SSO ID of the user designated as the zone admin (see zoneAdminSsoId in the request body)

There are two distinct zone responsibilities:

  1. General Zone Management: The primary zone management user is the zone admin but other users can be created with a subset of permissions.
  2. Master Data Stewardship: The user responsible for the domains, data and data governance.

The zone admin has general zone management responsibilities such as creating subordinate zones and other users and attaching policies and permissions to users.

The zone admin can associate users from other zones with their zone and set policies and permissions for them to operate in the zone as well.


Permissions

YOUnite users can be granted or denied access to resources by setting appropriate permissions for them. Generally, permissions are managed by the zone admin or by other users who have been given control over a zone's permissions.



Policies

A policy is a group of permissions that can be used to manage the general role of YOUnite users. By default ....


Groups

A group is a collection of YOUnite users. The zone admin can use groups to specify permissions for a collection of users. 

See the API documentation for TODO UES.


Notifications

TODO


Logging

TODO



API Users

An API consumer for the zone can register a callback URL to receive notifications of events such as completed transactions.
