Operationalizing Data Governance

The Governance Model consists of governance areas, organizational structure, metrics, issues, policies and other governance assets.

Overview: Operationalizing Data Governance

The Governance model in EDG lets you operationalize the governance structures and institutionalize the governance principles you have adopted. It let’s you:

  • Bring your organization’s governance framework down to the level of roles, responsibilities, reporting lines, and communications

  • Organize operational, risk management, and reporting processes to ensure adherence to governance practices necessary for the business units to conduct their activities in ways that comply with regulations and serve strategic ends

  • Help all stakeholders to answer questions such as, “Why are we doing this?” “Is this okay?” “Whose call is this?” and “Who do we need to tell about this?” and to know when to ask such questions

  • Sustain governance by creating a feedback loop in which the governance board and management can identify and respond to new business, operational, competitive, and regulatory needs

The Governance Model and Workflows

The Governance Model is a special EDG asset collection that uniquely captures enterprise contexts for other asset collections. It groups all collections governed by EDG into enterprise governance areas for which users can be given various governance roles. Users can also be grouped according to organizational structures. These dual settings bring together collections and users through :ref:’workflows_target’, which orchestrate teams of users, via their roles, in the development and maintenance of the assets.

Governance model is also used to define metrics for governance areas and to manage organization’s governance policies, issues and other relevant items.

Unlike other asset collection types, governance is a singleton. There is only one instance of the governance asset collection and it is pre-built. It offers specialized pages for managing governance assets. These are displayed in bold on the horizontal bar at the top of any of the pages that let you work with the governance framework.

TopBraid Other Governance Assets Tab

TopBraid Other Governance Assets Tab

Other tabs in this menu bar (e.g., Import, Export, Users, Settings etc.) work the same as they do for all asset collections in EDG.

Users and Access Control

EDG offers three categories of access controls.

  • Governance roles provide business control over assets and associated workflows (business processes).

  • Permission profiles (viewer, editor, power user and manager) provide direct authorizations for asset collection functions.

  • Rights groups control access to system-level application resources (e.g., directories, files).

Governance roles

Governance roles represent rights and responsibilities of stakeholders engaged in various aspects of data governance processes. The roles can be associated with a subject area, individual collection or an individual asset.

The governance roles can convey both permission-profile access to the collections as well workflow permissions for the governance processes that maintain the collections.

While the use of governance areas and roles is optional in EDG, using them provides a lot of flexibility and unlocks additional functionality such as asset-level roles.

Permission profiles

Users access to each asset collection and available functions is controlled via permission profiles, which comprise three nested access levels: viewer, editor, and manager. Each level contains the permissions of the preceding level and more. The permission profiles assigned to users for each collection determine what each user can see or do with assets in the collection.

Rights groups

Rights groups convey low-level EDG file system access to users. These settings are largely separate from permission profiles and governance roles, except that users require a Create right to create new asset collections, and administrators/power users (users in the AdministratorGroup, PowerUserGroup) have full manager permissions for all collections.

Upon installation of EDG the following rights can be assigned through rights management:

  • AdministratorGroup. Users is this group have full manager access to all collections as well as full access to all server administrator features. This group does not apply to SaaS installations hosted by TopQuadrant.

  • PowerUserGroup. Users is this group have full manager access to all collections and a limited subset of server administrator features. These include: Product Configuration Parameters (but not System Configuration Parameters), Default Namespaces and Prefixes, EDG Permission Management, Layouts, View EDG Log, Process Management, Scheduled Jobs, Count Triples, and Query TopBraid Platform API using GraphQL.

  • ManagerGroup. Users in this group have the ability to create new collections

  • ExplorerGroup. When applicable for setup of Explorer server, these users have permission to all published collections and will count as Explorer users for licensing purposes.

Users

You can see all users defined in the EDG system by clicking on the Users link in the left hand side Navigation Bar. Each user listed can be clicked on to see user details. For each user, the details presented consist of:

  • Settings: Non-LDAP users can define the email address that receives notifications. Users with administrator privileges can edit the email addresses of all users.

  • Governance Roles: Lists the governance roles of the selected user, if any. The list displays the name of the area or asset collection (including a link to the details page) and the governance role of the user.

Note

There is also Users tab in the horizontal menu at the top of the page. This works the same way as Users page for any collection. It supports defining permissions and roles for the governance model itself.

Managers of a collection can assign users various permission profiles and governance roles. Managers can assign roles to individual users or to security roles, which represent groups of users.

EDG administrators can assign security roles (but not individuals) to rights groups, and they can define custom rights groups. Rights management also provides a pre-defined users role, ANY_ROLE, which automatically includes any EDG user (for assigning rights groups universally).

Finally, the governance model lets you define organizations (see below). Organizations can then also be assigned governance roles.

Summary of Resources and Access Type Assignments

Resources and Access Type Assignments Table

Resources

Access Control Type

Levels

Assignment to Users

Details

Asset collections (production & workflow versions)

Permission profile

1. viewer 1. editor (incl. viewer) 2. manager (incl. editor)

Can be assigned to:
  • individual users

  • security roles

  • governance roles

See Workflows that Edit Multiple Asset Collections and Access Control > EDG Permissions Management in the Administrator Guide.

Governance role

  • Data Steward

  • Business Steward

  • Subject Matter Expert

  • …, etc. (customizable)

Can be assigned to: * individual users * security roles * organizations

See Overview: Operationalizing Data Governance.

EDG workspace contents (application file system)

Rights group

  • AdministratorGroup

  • readAnyGraphGrp

  • …, etc. (customizable)

Can be assigned to: * security roles

See Rights Management Admin Page

Note

Users: To configure individual users and their security roles, see Authentication Overview. To customize user organizations for governance roles, see Organization Structure – below.

Governance Areas (and Roles)

Governance subject areas group asset collections according to an organization’s business or data subject concerns. Governance areas are used to define a delineated part of stewardship. They partition and delegate ownership of assets, and define a meaningful context for assets that are associated with a governance area.

A business area may have subareas that are either the business or data subject areas. Any data subject area may have only data subject subareas.

There are two ways to connect an asset collection with a governance area:

  • by selecting a governance area and either creating a new asset collection or adding existing collection; thereby, automatically associating it with the selected area, or

  • by updating collection’s Metadata using Settings > Metadata > Edit > subject area.

Creating governance areas

To create a governance area, click on the Business and Data Subject Area root or on one of already existing areas and select either Add Business Sub-Area or Add Data Subject Sub-Area.

After creation, you can add governance roles to the area by selecting the area and clicking on Add governance role. Clicking on the Details button will let you work with the full information about a governance area.

If you select one of the roles assigned to a governance area you will be able to:

  • Set a permission profile for the role

  • Assign roles to users of EDG – either directly or indirectly through security oles and organizations

  • Disable the role

TopBraid EDG Manage Your Governance Areas and Roles Page

TopBraid EDG Manage Your Governance Areas and Roles Page

Governance roles

Each governance area may have associated governance roles, where each role represents a business-oriented set of user rights and responsibilities pertaining to managing assets associate with a given area. Governance roles can be used in various Workflows, which orchestrate users in the governance processes that create and maintain the area’s assets.

TopBraid EDG ships with a pre-built set of governance roles commonly used by organizations, but customers can modify this set. Pre-defined roles can be disabled and new ones can be added. This is accomplished by modifying EDG ontology that describes governance assets. Pre-built governance roles are properties with associated property shapes defined in the EDG Shapes – Governance Assets.

Governance roles are assigned to users by specifying, for a governance role:

  • individual users or

  • user security roles (e.g., from SSO; see security roles)

  • organizations, which are defined in the Governance Model’s Organizational Structure (see below).

Role assignments specified for an area apply to all of the area’s own asset collections and to all of its descendant-areas’ collections.

Each asset collection can also have its own additional governance role assignments, made via its User Roles > Governance Roles settings. Such collection-specific assignments are shown in a governance area’s listing of associated Asset Collections. If a collection has its own governance role assignments (i.e., in addition to its area’s) it will be indicated by showing the assigned roles’ initials in the +Roles column. A governance role applicable to an asset collection is applicable to all assets in this collection.

Finally, governance roles can be assigned on an asset level. This feature is enabled as a choice on the Manage tab of a collection.

In order to customize the available governance roles follow this process:

  1. Create a new Ontology asset collection

  2. Use Settings->Includes to include EDG Schema – Governance Assets

  3. In the users tab for this collection, give read permission to all users or security roles for EDG.

  4. Navigate to the Settings tab of the Governance Model asset collection, include the Ontology containing your customizations. New to EDG 7.3, every user in EDG will automatically be granted viewer access to any collection included in the Governance Model.

Using this ontology, to disable existing governance roles:

  1. Navigate to the class Stewardship

  2. In the Properties Group panel select the role to be disabled, e.g., application steward

  3. Edit and set deactivated to true

To add a new governance role:

  1. Add RDF/OWL Properties List panel to your editor layout

  2. Use New button in this panel to create a new property. Provide the label for your new role. Select property type as Workflow property. Provide a value for abbreviation for the role. You will see a warning about needing a shape for this property. Click “Submit Anyway”.

  3. Add comment to provide a description of the responsibilities of the new governance role

  4. Navigate to the class Stewardship

  5. For this class, create a new Relationship using the new property as the path. In the Create dialog’s label, type the label exactly the same as the label you provided for the new property. This will ensure that the right ID (URI) is used. Make sure that the Property Group is Governance Roles.

  6. Edit the new relationship to set the value of editor to Workflow participant editor and value of viewer to Workflow participant viewer. Optionally, adjust the order in which the governance roles will appear in the EDG user interface.

Governance roles vs. permission profiles

Asset collections use three standard permission profiles: viewer, editor, and manager. (See: Workflows that Edit Multiple Asset Collections for details.) Compared to the v/e/m profiles, which focus on read and write permissions, governance roles are more abstract and more representative of an enterprise’s business processes for data governance.

Comparison details:

  • Governance roles represent how a team of business users relate to a governance area’s business and technical assets. In contrast, the v/e/m levels represent only permissions for given asset collection and its workflows.

  • Governance roles can be defined for governance areas or an individual collection or an individual asset, whereas the v/e/m permissions must be specified at the collection level.

  • The set of governance roles available in EDG is customizable, but the three v/e/m permission levels are neither customizable nor extensible.

  • Custom workflows (via templates, see below) can generally be defined in terms of either governance roles or the v/e/m permissions. (The provided Basic workflow uses v/e/m only. Voting steps pertain to governance roles only.)

  • Any user that has a governance role for a collection is automatically granted a view permission profile for that collection and for any workflow on the collection.

  • Further, each governance role can be given specific permissions. For example, you can say that a data steward always has editor permissions. You can also say that for Change Approval workflows, data steward has manager permissions.

Organizational Structure

EDG lets you describe and document an organizational breakdown to capture social units of people that participate in the governance process. Organizations can have sub organizations. This structure often corresponds to functional divisions in an enterprise.

EDG organizations are groupings of users specified either individually or via their security roles (e.g., from SSO). Each organization instance can have various associated metadata. Organizations represent users abstractly, which provides various benefits such as:

  • documenting governance responsibility at an organizational level instead of a user account level, and

  • representing users before having to identify and onboard specific individuals, and

  • facilitating reassignment of responsibilities when personnel change.

Typically, when you start your governance initiative, your organizational breakdown and your governance area breakdown may be very similar or even identical. However, as your governance processes mature, these breakdowns often diverge.

You can create different types of organizations such as departments, committees, boards and working groups – as shown below:

TopBraid EDG Manage Your Organizational Structure View

TopBraid EDG Manage Your Organizational Structure View

When you click on an organization in the organizational breakdown, you can describe it in more detail including assigning it governance roles and associating users with it.

TopBraid EDG Governance Roles and Associating Users

TopBraid EDG Governance Roles and Associating Users

Clicking on the Details button will let you work with the full information about an organization. The type of information you will want to capture is fully customizable through modifying governance ontology.

TopBraid EDG Architecture Board

TopBraid EDG Architecture Board

Policies

TopBraid EDG lets you capture policies relevant to the data governance.

Issues

TopBraid EDG lets you create a work with issues. Typically, this will be issues related to establishing and operating your governance processes.

Other Governance Assets

This page gives you access to other types of governance assets that are not explicitly linked in the Navigation Bar such as risks, reports, etc. In fact, it will show all governance assets including those that have a dedicated page linked from the navigation menu. The page provides functions to view, edit, create, delete and perform other actions.

TopBraid EDG Other Governance Assets Page

TopBraid EDG Other Governance Assets Page

To focus on a specific sub type of governance assets, click on Asset Type Selector asset type icon and make selections.

TopBraid EDG Asset Type Selector Dropdown

TopBraid EDG Asset Type Selector Dropdown