Managing Default Access Policies

Default Access Policies are the security policies that are applied by default to the artifacts that are stored in Anzo. Artifacts are all of the objects that are created when connections to data sources and applications are made and when data is onboarded to Anzo. For example, when users connect to a database or a file source, those connections are stored as artifacts, and when the data from a data source is ingested, the resulting schema, model, graphmart, and any generated datasets are also artifacts. All artifacts of the same type are stored in a particular registry, and each registry has an access policy associated with it. A registry is a system-level graph that stores metadata about artifacts of the same type. For example, metadata about all of your data source artifacts is stored in a Data Sources Registry, and metadata about all of your data model artifacts is stored in an Ontology Registry. A Default Access Policy defines the base permissions to assign to a type of artifact when it is created—before permission inheritance and user-configured sharing is applied.

Any Permission Inheritance that is applied by Anzo and artifact-level Sharing that is configured by users is applied to artifacts in addition to the permissions supplied by the Default Access Policy. For more information about permission inheritance and artifact sharing, see Artifact Access Control Concepts.

This topic provides information about the permission sets that can be assigned to users and groups and describes the default access policies for each registry. This topic also includes instructions for changing access policies.

Default Access Policy Permissions Reference

Default access policies use the same predefined permission sets and mechanism for assigning permissions as other artifacts in the Anzo application (see Share Access to Artifacts for more information).

There are three predefined permission sets that include a combination of six permissions that can be assigned to the creator of an artifact and other users and groups. The tables below list the predefined sets and describe the privileges that are granted for each permission that is part of the set.

View

The following table describes the permissions in the View set.

Permission Description
View This permission allows a user to:
  • See an artifact in the Anzo application.
  • Create versions of the artifact.
Meta View Relates only to an artifact's permissions. A user with Meta View can see the permissions on the artifact's Sharing tab but they cannot change permissions.

Modify

In addition to the View and Meta View permissions described above, the Modify set includes the Add/Edit and Delete permissions described below.

Permission Description
Add/Edit This permission allows a user to:
  • Change an artifact, such as to rename it or edit its description.
  • Add a related entity to an artifact. For example, add a schema to a data source or a layer to a graphmart.
Delete This permission allows a user to:
  • Remove a related entity from the artifact. For example, delete a layer from a graphmart or a schema from a data source.
  • Does not give permission to remove the parent artifact. For example, a user can remove a schema from a source but cannot delete the data source.

Admin

In addition to the View, Meta View, Add/Edit, and Delete permissions described above, the Admin set includes the Meta Add/Edit and Meta Delete permissions described below.

Permission Allows a user to:
Meta Add/Edit Relates only to an artifact's permissions. A user with Meta Add/Edit can add permissions to a user or group. They cannot remove permissions from any user or group.
Meta Delete This permission allows a user to:
  • Remove permissions from a user or group.
  • Delete the parent artifact and its related entities.

Default Access Policy Reference

There is a configurable Default Access Policy for several of the Anzo registries. To see and manage the Default Access Policies, go to the Administration application, expand the User Management menu, and click Default Access Policies.

Never modify any of the registries. Changing or removing a registry can irreparably damage your Anzo server.

The sections below provide details about each of the registries for which you can configure Default Access Policies:

Data Sources Registry

The Data Sources Registry is the system graph that stores metadata about all of the File Store, Anzo Data Store, Data Source, and Schema artifacts that have been created in Anzo. Since data sources and schemas have a fundamental relationship in that schemas are derived or imported from data sources, one registry stores metadata about both types of artifacts. The Data Sources Registry access policy is applied by default when a user creates a data source or an Anzo Data Store.

Default Permissions Configuration

  • The Creator of a source is assigned the Admin permission set for that source and the associated schemas. In addition, the Creator of an Anzo Data Store is also assigned the Admin permission set for that data store.
  • The Everyone role is assigned the View permission set for a new source and its schemas. The Everyone role is also assigned the View permission set for any Anzo Data Stores.
  • The Creator Default Group is assigned the Modify permission set for new source, schema, and Anzo Data Store artifacts.

Elastic Search Configuration Registry

The Elastic Search Configuration Registry is the system graph that stores metadata about all of the Elasticsearch connection artifacts in Anzo. This access policy is applied by default when an Elasticsearch connection is created.

Default Permissions Configuration

  • The Creator of an Elasticsearch connection is assigned the Admin permission set for that artifact.
  • The Everyone role is assigned the View permission set for that Elasticsearch connection artifact.
  • The Creator Default Group is assigned the Modify permission set for that artifact.

Global Linked Data Configuration

The Global Linked Data Configuration Registry is a global policy that applies to all artifacts created in Anzo—unless another Default Access Policy (such as the Data Sources Registry, Graphmarts Registry, or Ontology Registry) applies.

If a user created a model and the Ontology Registry Default Access Policy was removed or unset, the Global Linked Data Configuration access policy would be applied to that model artifact.

Default Permissions Configuration

  • The Creator of an artifact that follows this policy is assigned the Admin permission set for that artifact.
  • The Creator Default Group is assigned the Modify permission set for that artifact.

Graphmarts Registry

The Graphmarts Registry is a system graph that stores metadata about all of the Graphmart artifacts in Anzo. All graphmarts inherit permissions from the Graphmarts Registry Default Access Policy. In addition, since data layers and steps are created in the context of a graphmart, they inherit permissions from the graphmart by default.

Default Permissions Configuration

  • The Creator of a graphmart is assigned the Admin permission set for that artifact.
  • The Everyone role is assigned the View permission set for that graphmart.
  • The Creator Default Group is assigned the Modify permission set for the graphmart.

Linked Data Set Registry

The Linked Data Set Registry is a system graph that stores metadata about all of the linked data sets, notably the File-Based Linked Data Sets (FLDS) that are listed in the Datasets catalog. This includes datasets that are generated from unstructured pipelines as well as datasets that are created by users, such as empty datasets, dataset from Export Steps, and Existing RDF imports directly to the Datasets catalog.

Default Permissions Configuration

FLDS artifacts inherit from the workflow that created it. If raw RDF files are imported to the catalog or an empty dataset is created, the Linked Data Set Registry Default Access policy is applied to the resulting FLDS artifact.

Ontology Registry

The Ontology Registry is the system graph that stores metadata about all of the model artifacts in Anzo. This access policy is applied by default if a model is imported or manually created by a user. When a model is generated from an unstructured pipeline or the automated Direct Data Load workflow, however, the model inherits the permissions from the related data source.

Default Permissions Configuration

  • The Creator of a model is assigned the Admin permission set for that artifact.
  • The Everyone role is assigned the View permission set for that model.
  • The Creator Default Group is assigned the Modify permission set for that artifact.

Orchestration Configuration Registry

The Orchestration Configuration Registry is a system graph that stores metadata about workflows. This access policy is applied by default when a workflow is created.

Default Permissions Configuration

  • The Anzo Administrator is assigned the Admin permission set for the artifact.
  • The Creator of a workflow that follows this policy is assigned the Admin permission set for that artifact.
  • The Creator Default Group is assigned the Modify permission set for that artifact.

Query Builder Registry

The Query Builder Registry is a system graph that stores metadata about saved Query Builder queries. This access policy is applied by default when a new query is saved.

Default Permissions Configuration

The user who saves a query is assigned the Admin permission set. By default, saved queries are unique to each creator, and other users do not see the creator's queries.

Role and Permissions Registry

The Role and Permissions Registry is a system graph that stores metadata about roles and permissions. Roles are not treated like other artifacts in Anzo. Unlike a data source, model, or graphmart artifact, for example, the permissions for a single role or subset of roles cannot be configured separately. Access to create and edit roles is controlled by the Manage Users, Groups, and Roles permission. For more information, see Role Permissions and Registries.

Default Permissions Configuration

  • The System Administrator is assigned the Admin permission set for all role artifacts.
  • The Everyone role is assigned the View permission set for all role artifacts.
  • A member of a role that is assigned the Manage Users, Groups, and Roles permission has the Admin permission set for all role artifacts.

SDI Registry

The SDI Registry is a legacy system graph that stored metadata about the mapping, pipeline, and job artifacts that were manually created by a user.

Default Permissions Configuration

  • The Creator of a mapping, pipeline, or job is assigned the Admin permission set for that artifact.
  • The Everyone role is assigned the View permission set for the new artifact.
  • The Creator Default Group is assigned the Modify permission set for that artifact.

Configuring Default Access Policies

Follow the instructions below to change the default access policy for a registry.

Changing default access control policies does not change permissions on any existing artifacts. The changes affect only new artifacts that are created after the change.

  1. In the Administration application, expand the User Management menu and click Default Access Policies. The Default Access Policies screen is displayed.

  2. On the left side of the screen, select the access policy that you want to configure. The current configuration for that policy is shown on the right side of the screen. For example, the image below shows the Ontology Registry. The model creator has Admin permissions, the Everyone role has View permissions, and the Creator Default Group has Modify permissions.

  3. To change a configured user or group, select a name in the list to view the permissions on the right side of the screen. To add a user or group, type a term in the Search field. Then select a name in the result list to view the permissions details. For example, the image below shows the search results for additional groups and selects the Data Modeler Developer group:

    Though Anzo is flexible and allows you to assign default access policies to roles, the recommendation is to control access to artifacts in a registry with users and groups. For more information, see User Management Concepts.

  4. On the right side of the screen, click the tab for the predefined permission set that you want to assign to the selected user or group. For information about the permission sets, see Default Access Policy Permissions Reference above. For example, the image below assigns the Modify permission set to the Data Modeler Developer group.

    To clear permissions for a user or group, click the trashcan icon () next to the user, role, or group name.

  5. To configure additional users or groups, select the name and then repeat the step above to apply a permission set. Changes to access control policies are automatically saved.