Operationalizing Data Governance
The Governance Model consists of governance areas, organizational structure, metrics, issues, policies and other governance assets.
Overview: Operationalizing Data Governance
The Governance model in EDG lets you operationalize the governance structures and institutionalize the governance principles you have adopted. It let’s you:
Bring your organization’s governance framework down to the level of roles, responsibilities, reporting lines, and communications
Organize operational, risk management, and reporting processes to ensure adherence to governance practices necessary for the business units to conduct their activities in ways that comply with regulations and serve strategic ends
Help all stakeholders to answer questions such as, “Why are we doing this?” “Is this okay?” “Whose call is this?” and “Who do we need to tell about this?” and to know when to ask such questions
Sustain governance by creating a feedback loop in which the governance board and management can identify and respond to new business, operational, competitive, and regulatory needs
The Governance Model and Workflows
The Governance Model is a special EDG asset collection that uniquely captures enterprise contexts for other asset collections. It groups all collections governed by EDG into enterprise governance areas for which users can be given various governance roles. Users can also be grouped according to organizational structures. These dual settings bring together collections and users through :ref:’workflows_target’, which orchestrate teams of users, via their roles, in the development and maintenance of the assets.
Governance model is also used to define metrics for governance areas and to manage organization’s governance policies, issues and other relevant items.
Unlike other asset collection types, governance is a singleton. There is only one instance of the governance asset collection and it is pre-built. It offers specialized pages for managing governance assets. These are displayed in bold on the horizontal bar at the top of any of the pages that let you work with the governance framework.
Other tabs in this menu bar (e.g., Import, Export, Users, Settings etc.) work the same as they do for all asset collections in EDG.
Users and Access Control
EDG offers three categories of access controls.
Governance roles provide business control over assets and associated workflows (business processes).
Permission profiles (viewer, editor, power user and manager) provide direct authorizations for asset collection functions.
Rights groups control access to system-level application resources (e.g., directories, files).
Governance roles
Governance roles represent rights and responsibilities of stakeholders engaged in various aspects of data governance processes. The roles can be associated with a subject area, individual collection or an individual asset.
The governance roles can convey both permission-profile access to the collections as well workflow permissions for the governance processes that maintain the collections.
While the use of governance areas and roles is optional in EDG, using them provides a lot of flexibility and unlocks additional functionality such as asset-level roles.
Permission profiles
Users access to each asset collection and available functions is controlled via permission profiles, which comprise three nested access levels: viewer, editor, and manager. Each level contains the permissions of the preceding level and more. The permission profiles assigned to users for each collection determine what each user can see or do with assets in the collection.
Rights groups
Rights groups convey low-level EDG file system access to users.
These settings are largely separate from permission profiles and governance roles, except that users require a Create
right to create new asset collections, and administrators/power users (users in the AdministratorGroup, PowerUserGroup) have full manager permissions for all collections.
Upon installation of EDG the following rights can be assigned through rights management:
AdministratorGroup. Users is this group have full manager access to all collections as well as full access to all server administrator features. This group does not apply to SaaS installations hosted by TopQuadrant.
PowerUserGroup. Users is this group have full manager access to all collections and a limited subset of server administrator features. These include: EDG Configuration Parameters, Default Namespaces and Prefixes, EDG Permission Management, Layouts, View EDG Log, Process Management, Scheduled Jobs, Count Triples, and Query TopBraid Platform API using GraphQL.
ManagerGroup. Users in this group have the ability to create new collections
ExplorerGroup. When applicable for setup of Explorer server, these users have permission to all published collections and will count as Explorer users for licensing purposes.
Users
You can see all users defined in the EDG system (e.g., via LDAP) by clicking on the Users link in the left hand side Navigation Bar. Each user listed can be clicked on to see user details. For each user, the details presented consist of:
Settings (Tomcat users only): Non-LDAP users can define the email address that receives notifications. Users with administrator privileges can edit the email addresses of all users.
Governance Roles: Lists the governance roles of the selected user, if any. The list displays the name of the area or asset collection (including a link to the details page) and the governance role of the user.
Note
There is also Users tab in the horizontal menu at the top of the page. This works the same way as Users page for any collection. It supports defining permissions and roles for the governance model itself.
Managers of a collection can assign users various permission profiles and governance roles.
Managers can assign roles to individual users or to security roles, which represent groups of users.
Individual users and their security roles are defined externally to the EDG application, during Tomcat configuration for the EDG installation.
Typically, individuals and their security roles come into EDG (via Tomcat) from LDAP, but they can also be defined within Tomcat itself, via the conf/tomcat-users.xml
file.
EDG administrators can assign security roles (but not individuals) to rights groups, and they can define custom rights groups. Rights management also provides a pre-defined users role, ANY_ROLE, which automatically includes any EDG user (for assigning rights groups universally).
Finally, the governance model lets you define organizations (see below). Organizations can then also be assigned governance roles.
Summary of Resources and Access Type Assignments
Resources |
Access Control Type |
Levels |
Assignment to Users |
Details |
---|---|---|---|---|
Asset collections (production & workflow versions) |
Permission profile |
1. viewer 1. editor (incl. viewer) 2. manager (incl. editor) |
|
See Workflows that Edit Multiple Asset Collections and Access Control > EDG Permissions Management in the Administrator Guide. |
Governance role |
|
Can be assigned to: * individual users * security roles * organizations |
||
EDG workspace contents (application file system) |
Rights group |
|
Can be assigned to: * security roles |
Note
Users: To configure individual users and their security roles, see Authentication for TopBraid EDG. To customize user organizations for governance roles, see Organization Structure – below.
Governance Areas (and Roles)
Governance subject areas group asset collections according to an organization’s business or data subject concerns. Governance areas are used to define a delineated part of stewardship. They partition and delegate ownership of assets, and define a meaningful context for assets that are associated with a governance area.
A business area may have subareas that are either the business or data subject areas. Any data subject area may have only data subject subareas.
There are two ways to connect an asset collection with a governance area:
by selecting a governance area and either creating a new asset collection or adding existing collection; thereby, automatically associating it with the selected area, or
by updating collection’s Metadata using Settings > Metadata > Edit > subject area.
Creating governance areas
To create a governance area, click on the Business and Data Subject Area root or on one of already existing areas and select either Add Business Sub-Area or Add Data Subject Sub-Area.
After creation, you can add governance roles to the area by selecting the area and clicking on Add governance role. Clicking on the Details button will let you work with the full information about a governance area.
If you select one of the roles assigned to a governance area you will be able to:
Set a permission profile for the role
Assign roles to users of EDG – either directly or indirectly through security oles and organizations
Disable the role
Governance roles
Each governance area may have associated governance roles, where each role represents a business-oriented set of user rights and responsibilities pertaining to managing assets associate with a given area. Governance roles can be used in various Workflows, which orchestrate users in the governance processes that create and maintain the area’s assets.
TopBraid EDG ships with a pre-built set of governance roles commonly used by organizations, but customers can modify this set. Pre-defined roles can be disabled and new ones can be added. This is accomplished by modifying EDG ontology that describes governance assets. Pre-built governance roles are properties with associated property shapes defined in the EDG Shapes – Governance Assets.
Governance roles are assigned to users by specifying, for a governance role:
individual users or
user security roles (e.g., from LDAP) or
organizations, which are defined in the Governance Model’s Organizational Structure (see below).
Role assignments specified for an area apply to all of the area’s own asset collections and to all of its descendant-areas’ collections.
Each asset collection can also have its own additional governance role assignments, made via its User Roles > Governance Roles settings. Such collection-specific assignments are shown in a governance area’s listing of associated Asset Collections. If a collection has its own governance role assignments (i.e., in addition to its area’s) it will be indicated by showing the assigned roles’ initials in the +Roles column. A governance role applicable to an asset collection is applicable to all assets in this collection.
Finally, governance roles can be assigned on an asset level. This feature is enabled as a choice on the Manage tab of a collection.
In order to customize the available governance roles follow this process:
Create a new Ontology asset collection
Use Settings->Includes to include EDG Schema – Governance Assets
In the users tab for this collection, give read permission to all users or security roles for EDG.
Navigate to the Settings tab of the Governance Model asset collection, include the Ontology containing your customizations. New to EDG 7.3, every user in EDG will automatically be granted viewer access to any collection included in the Governance Model.
Using this ontology, to disable existing governance roles:
Navigate to the class Stewardship
In the Properties Group panel select the role to be disabled, e.g., application steward
Edit and set deactivated to true
To add a new governance role:
Add RDF/OWL Properties List panel to your editor layout
Use New button in this panel to create a new property. Provide the label for your new role. Select property type as Workflow property. Provide a value for abbreviation for the role. You will see a warning about needing a shape for this property. Click “Submit Anyway”.
Add comment to provide a description of the responsibilities of the new governance role
Navigate to the class Stewardship
For this class, create a new Relationship using the new property as the path. In the Create dialog’s label, type the label exactly the same as the label you provided for the new property. This will ensure that the right ID (URI) is used. Make sure that the Property Group is Governance Roles.
Edit the new relationship to set the value of editor to Workflow participant editor and value of viewer to Workflow participant viewer. Optionally, adjust the order in which the governance roles will appear in the EDG user interface.
Governance roles vs. permission profiles
Asset collections use three standard permission profiles: viewer, editor, and manager. (See: Workflows that Edit Multiple Asset Collections for details.) Compared to the v/e/m profiles, which focus on read and write permissions, governance roles are more abstract and more representative of an enterprise’s business processes for data governance.
Comparison details:
Governance roles represent how a team of business users relate to a governance area’s business and technical assets. In contrast, the v/e/m levels represent only permissions for given asset collection and its workflows.
Governance roles can be defined for governance areas or an individual collection or an individual asset, whereas the v/e/m permissions must be specified at the collection level.
The set of governance roles available in EDG is customizable, but the three v/e/m permission levels are neither customizable nor extensible.
Custom workflows (via templates, see below) can generally be defined in terms of either governance roles or the v/e/m permissions. (The provided Basic workflow uses v/e/m only. Voting steps pertain to governance roles only.)
Any user that has a governance role for a collection is automatically granted a view permission profile for that collection and for any workflow on the collection.
Further, each governance role can be given specific permissions. For example, you can say that a data steward always has editor permissions. You can also say that for Change Approval workflows, data steward has manager permissions.
Organizational Structure
EDG lets you describe and document an organizational breakdown to capture social units of people that participate in the governance process. Organizations can have sub organizations. This structure often corresponds to functional divisions in an enterprise.
EDG organizations are groupings of users specified either individually or via their security roles (e.g., from LDAP). Each organization instance can have various associated metadata. Organizations represent users abstractly, which provides various benefits such as:
documenting governance responsibility at an organizational level instead of a user account level, and
representing users before having to identify and onboard specific individuals, and
facilitating reassignment of responsibilities when personnel change.
Typically, when you start your governance initiative, your organizational breakdown and your governance area breakdown may be very similar or even identical. However, as your governance processes mature, these breakdowns often diverge.
You can create different types of organizations such as departments, committees, boards and working groups – as shown below:
When you click on an organization in the organizational breakdown, you can describe it in more detail including assigning it governance roles and associating users with it.
Clicking on the Details button will let you work with the full information about an organization. The type of information you will want to capture is fully customizable through modifying governance ontology.
Metrics Dashboards
EDG administrators can activate metrics dashboards, see Viewing Metrics Dashboards. And they can also edit the resulting GOVERNANCE MODEL > Dashboards item. To activate each dashboard in the governance model, use the link in the Metrics page to enable individual dashboard widgets.
Note
Creating new Metrics Dashboards requires advanced TopBraid developer knowledge in order to generate the scripts needed to supply data and add visualizations. Upcoming releases will include additional scripts for a variety of metrics. If you are interested in the possibilities for tailoring TopBraid EDG Metrics Dashboards to better suit your needs, please contact TopQuadrant to explore the following options:
Have TopQuadrant quickly configure a customized EDG solution to meet your detailed requirements. We will be pleased to quote and provide affordable customization and tailoring services.
Enable your organization to develop and maintain customizations for EDG by guiding and training your selected personnel to perform the variety of customization capabilities.
Policies
TopBraid EDG lets you capture policies relevant to the data governance.
Issues
TopBraid EDG lets you create a work with issues. Typically, this will be issues related to establishing and operating your governance processes.
Other Governance Assets
This page gives you access to other types of governance assets that are not explicitly linked in the Navigation Bar such as risks, reports, etc. In fact, it will show all governance assets including those that have a dedicated page linked from the navigation menu. The page provides functions to view, edit, create, delete and perform other actions.
To focus on a specific sub type of governance assets, click on Asset Type Selector icon and make selections.