Managing Default Access Policies
Default Access Policies are the security policies that are applied by default to the artifacts that are stored in Anzo. Artifacts are all of the objects that are created when connections to data sources and applications are made and when data is onboarded to Anzo. For example, when users connect to a database or a file source, those connections are stored as artifacts, and when the data from a data source is ingested, the resulting schema, model, graphmart, and any generated datasets are also artifacts. All artifacts of the same type are stored in a particular registry, and each registry has an access policy associated with it. A registry is a system-level graph that stores metadata about artifacts of the same type. For example, metadata about all of your data source artifacts is stored in a Data Sources Registry, and metadata about all of your data model artifacts is stored in an Ontology Registry. A Default Access Policy defines the base permissions to assign to a type of artifact when it is created, before permission inheritance and user-configured sharing are applied.
Any Permission Inheritance that is applied by Anzo and artifact-level Sharing that is configured by users is applied to artifacts in addition to the permissions supplied by the Default Access Policy. For more information about permission inheritance and artifact sharing, see Artifact Access Control Concepts.
This topic provides information about the permission sets that can be assigned to users and groups and describes the default access policies for each registry. This topic also includes instructions for changing access policies.
- Default Access Policy Permissions Reference
- Default Access Policy Reference
- Configuring Default Access Policies
Default Access Policy Permissions Reference
Default access policies use the same predefined permission sets and mechanism for assigning permissions as other artifacts in the Anzo application (see Share Access to Artifacts for more information).
There are three predefined permission sets that include a combination of six permissions that can be assigned to the creator of an artifact and other users and groups. The tables below list the predefined sets and describe the privileges that are granted for each permission that is part of the set.
View
The following table describes the permissions in the View set.
Permission | Description |
---|---|
View | This permission allows a user to: |
Meta View | Relates only to an artifact's permissions. A user with Meta View can see the permissions on the artifact's Sharing tab but they cannot change permissions. |
Modify
In addition to the View and Meta View permissions described above, the Modify set includes the Add/Edit and Delete permissions described below.
Permission | Description |
---|---|
Add/Edit | This permission allows a user to: |
Delete | This permission allows a user to: |
Admin
In addition to the View, Meta View, Add/Edit, and Delete permissions described above, the Admin set includes the Meta Add/Edit and Meta Delete permissions described below.
Permission | Description |
---|---|
Meta Add/Edit | Relates only to an artifact's permissions. A user with Meta Add/Edit can add permissions to a user or group. They cannot remove permissions from any user or group. |
Meta Delete | This permission allows a user to: |
Default Access Policy Reference
There is a configurable Default Access Policy for several of the Anzo registries. To see and manage the Default Access Policies, go to the Administration application, expand the User Management menu, and click Default Access Policies.
Never modify any of the registries. Changing or removing a registry can irreparably damage your Anzo server.
The sections below provide details about each of the registries for which you can configure Default Access Policies:
- Data Sources Registry
- Elastic Search Configuration Registry
- Global Linked Data Configuration
- Graphmarts Registry
- Linked Data Set Registry
- Ontology Registry
- Orchestration Configuration Registry
- Query Builder Registry
- Role and Permissions Registry
- SDI Registry
Data Sources Registry
The Data Sources Registry is the system graph that stores metadata about all of the File Store, Anzo Data Store, Data Source, and Schema artifacts that have been created in Anzo. Since data sources and schemas have a fundamental relationship in that schemas are derived or imported from data sources, one registry stores metadata about both types of artifacts. The Data Sources Registry access policy is applied by default when a user creates a data source or an Anzo Data Store.
Default Permissions Configuration
- The Creator of a source is assigned the Admin permission set for that source and the associated schemas. In addition, the Creator of an Anzo Data Store is also assigned the Admin permission set for that data store.
- The Everyone role is assigned the View permission set for a new source and its schemas. The Everyone role is also assigned the View permission set for any Anzo Data Stores.
- The Creator Default Group is assigned the Modify permission set for new source, schema, and Anzo Data Store artifacts.
Elastic Search Configuration Registry
The Elastic Search Configuration Registry is the system graph that stores metadata about all of the Elasticsearch connection artifacts in Anzo. This access policy is applied by default when an Elasticsearch connection is created.
Default Permissions Configuration
- The Creator of an Elasticsearch connection is assigned the Admin permission set for that artifact.
- The Everyone role is assigned the View permission set for that Elasticsearch connection artifact.
- The Creator Default Group is assigned the Modify permission set for that artifact.
Global Linked Data Configuration
The Global Linked Data Configuration Registry is a global policy that applies to all artifacts created in Anzo unless a more specific Default Access Policy (such as the Data Sources Registry, Graphmarts Registry, or Ontology Registry policy) applies. Note that, unlike most registry-specific policies, this global policy grants nothing to the Everyone role, so an artifact that falls through to it is only accessible to its creator and the Creator Default Group until it is shared.
For example, if a user created a model and the Ontology Registry Default Access Policy had been removed or unset, the Global Linked Data Configuration access policy would be applied to that model artifact.
Default Permissions Configuration
- The Creator of an artifact that follows this policy is assigned the Admin permission set for that artifact.
- The Creator Default Group is assigned the Modify permission set for that artifact.
Graphmarts Registry
The Graphmarts Registry is a system graph that stores metadata about all of the Graphmart artifacts in Anzo. All graphmarts inherit permissions from the Graphmarts Registry Default Access Policy. In addition, since data layers and steps are created in the context of a graphmart, they inherit permissions from the graphmart by default.
Default Permissions Configuration
- The Creator of a graphmart is assigned the Admin permission set for that artifact.
- The Everyone role is assigned the View permission set for that graphmart.
- The Creator Default Group is assigned the Modify permission set for the graphmart.
Linked Data Set Registry
The Linked Data Set Registry is a system graph that stores metadata about all of the linked data sets, notably the File-Based Linked Data Sets (FLDS) that are listed in the Datasets catalog. This includes datasets that are generated from unstructured pipelines as well as datasets that are created by users, such as empty datasets, datasets from Export Steps, and existing RDF that is imported directly to the Datasets catalog.
Default Permissions Configuration
FLDS artifacts inherit their permissions from the workflow that created them. If raw RDF files are imported to the catalog or an empty dataset is created, there is no originating workflow, and the Linked Data Set Registry Default Access Policy is applied to the resulting FLDS artifact.
Ontology Registry
The Ontology Registry is the system graph that stores metadata about all of the model artifacts in Anzo. This access policy is applied by default if a model is imported or manually created by a user. When a model is generated from an unstructured pipeline or the automated Direct Data Load workflow, however, the model inherits the permissions from the related data source.
Default Permissions Configuration
- The Creator of a model is assigned the Admin permission set for that artifact.
- The Everyone role is assigned the View permission set for that model.
- The Creator Default Group is assigned the Modify permission set for that artifact.
Orchestration Configuration Registry
The Orchestration Configuration Registry is a system graph that stores metadata about workflows. This access policy is applied by default when a workflow is created.
Default Permissions Configuration
- The Anzo Administrator is assigned the Admin permission set for the artifact.
- The Creator of a workflow that follows this policy is assigned the Admin permission set for that artifact.
- The Creator Default Group is assigned the Modify permission set for that artifact.
Query Builder Registry
The Query Builder Registry is a system graph that stores metadata about saved Query Builder queries. This access policy is applied by default when a new query is saved.
Default Permissions Configuration
The user who saves a query is assigned the Admin permission set. By default, saved queries are unique to each creator, and other users do not see the creator's queries.
Role and Permissions Registry
The Role and Permissions Registry is a system graph that stores metadata about roles and permissions. Roles are not treated like other artifacts in Anzo. Unlike a data source, model, or graphmart artifact, for example, the permissions for a single role or subset of roles cannot be configured separately. Access to create and edit roles is controlled by the Manage Users, Groups, and Roles permission. For more information, see Role Permissions and Registries.
Default Permissions Configuration
- The System Administrator is assigned the Admin permission set for all role artifacts.
- The Everyone role is assigned the View permission set for all role artifacts.
- A member of a role that is assigned the Manage Users, Groups, and Roles permission has the Admin permission set for all role artifacts.
SDI Registry
The SDI Registry is a legacy system graph that stores metadata about the mapping, pipeline, and job artifacts that were manually created by a user.
Default Permissions Configuration
- The Creator of a mapping, pipeline, or job is assigned the Admin permission set for that artifact.
- The Everyone role is assigned the View permission set for the new artifact.
- The Creator Default Group is assigned the Modify permission set for that artifact.
Configuring Default Access Policies
Follow the instructions below to change the default access policy for a registry.
Changing default access control policies does not change permissions on any existing artifacts. The changes affect only new artifacts that are created after the change; to tighten or loosen access to artifacts that already exist, change the Sharing configuration on each artifact. Because most registry policies grant the View permission set to the Everyone role by default, review these policies before onboarding data that should not be visible to all users.
- In the Administration application, expand the User Management menu and click Default Access Policies. The Default Access Policies screen is displayed.
- On the left side of the screen, select the access policy that you want to configure. The current configuration for that policy is shown on the right side of the screen. For example, the image below shows the Ontology Registry. The model creator has Admin permissions, the Everyone role has View permissions, and the Creator Default Group has Modify permissions.
- To change a configured user or group, select a name in the list to view the permissions on the right side of the screen. To add a user or group, type a term in the Search field. Then select a name in the result list to view the permissions details. For example, the image below shows the search results for additional groups and selects the Data Modeler Developer group:
Though Anzo is flexible and allows you to assign default access policies to roles, the recommendation is to control access to artifacts in a registry with users and groups. For more information, see User Management Concepts.
- On the right side of the screen, click the tab for the predefined permission set that you want to assign to the selected user or group. For information about the permission sets, see Default Access Policy Permissions Reference above. For example, the image below assigns the Modify permission set to the Data Modeler Developer group.
To clear permissions for a user or group, click the trashcan icon next to the user, role, or group name.
- To configure additional users or groups, select the name and then repeat the step above to apply a permission set. Changes to access control policies are automatically saved.
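The following Python model, added here as an illustration and not part of Anzo or its documentation, ties together the permissions reference (the nested View, Modify, and Admin sets), the registry defaults listed above, the fallback to the Global Linked Data Configuration when a registry policy is unset, and the caveat that policy changes do not touch existing artifacts. Registry and principal names are taken from this page; the function names, the dictionary layout, and the sample users and groups are assumptions made for the example.

```python
"""Model of how Anzo Default Access Policies resolve to an artifact's initial
permissions. Illustrative code written for this page, not Anzo's own
implementation; function names and data layout are assumptions."""

# The six individual permissions described in the permissions reference.
VIEW, META_VIEW, ADD_EDIT, DELETE = "View", "Meta View", "Add/Edit", "Delete"
META_ADD_EDIT, META_DELETE = "Meta Add/Edit", "Meta Delete"

# The three predefined sets are nested: Modify extends View, Admin extends Modify.
PERMISSION_SETS = {
    "View": frozenset({VIEW, META_VIEW}),
    "Modify": frozenset({VIEW, META_VIEW, ADD_EDIT, DELETE}),
    "Admin": frozenset({VIEW, META_VIEW, ADD_EDIT, DELETE, META_ADD_EDIT, META_DELETE}),
}

GLOBAL = "Global Linked Data Configuration"

# Placeholder principals that are bound to concrete subjects at creation time.
CREATOR, CREATOR_GROUP = "Creator", "Creator Default Group"

# Out-of-the-box policies as described on this page: principal -> permission set name.
DEFAULT_POLICIES = {
    GLOBAL: {CREATOR: "Admin", CREATOR_GROUP: "Modify"},
    "Data Sources Registry": {CREATOR: "Admin", "Everyone": "View", CREATOR_GROUP: "Modify"},
    "Elastic Search Configuration Registry": {CREATOR: "Admin", "Everyone": "View", CREATOR_GROUP: "Modify"},
    "Graphmarts Registry": {CREATOR: "Admin", "Everyone": "View", CREATOR_GROUP: "Modify"},
    "Ontology Registry": {CREATOR: "Admin", "Everyone": "View", CREATOR_GROUP: "Modify"},
    "Orchestration Configuration Registry": {"Anzo Administrator": "Admin", CREATOR: "Admin", CREATOR_GROUP: "Modify"},
    "Query Builder Registry": {CREATOR: "Admin"},
    "SDI Registry": {CREATOR: "Admin", "Everyone": "View", CREATOR_GROUP: "Modify"},
}


def resolve_default_acl(registry, creator, creator_group, policies=DEFAULT_POLICIES):
    """Return {subject: frozenset(permissions)} for a newly created artifact.

    A registry whose policy is missing or unset (empty) falls back to the Global
    Linked Data Configuration, which grants nothing to the Everyone role.
    """
    policy = policies.get(registry) or policies[GLOBAL]
    binding = {CREATOR: creator, CREATOR_GROUP: creator_group}
    return {binding.get(principal, principal): PERMISSION_SETS[set_name]
            for principal, set_name in policy.items()}


def create_artifact(registry, creator, creator_group, policies=DEFAULT_POLICIES):
    """Snapshot the resolved default ACL onto the artifact at creation time.
    Later edits to the policy dictionary do not change this snapshot, mirroring
    the page's note that policy changes affect only new artifacts."""
    return {"registry": registry, "creator": creator,
            "acl": resolve_default_acl(registry, creator, creator_group, policies)}


def audit_policies(policies):
    """Flag any grant above View to the Everyone role. Such a grant lets every
    user edit (Modify) or re-share (Admin) every new artifact of that type."""
    return sorted((registry, set_name)
                  for registry, policy in policies.items()
                  for principal, set_name in policy.items()
                  if principal == "Everyone" and set_name != "View")


if __name__ == "__main__":
    # Sample subjects are constructed for the example.
    acl = resolve_default_acl("Ontology Registry", "alice", "Data Modeler Developer")
    for subject, perms in acl.items():
        print(f"{subject:25} {sorted(perms)}")
    artifact = create_artifact("Graphmarts Registry", "alice", "Data Modeler Developer")
    loosened = {name: dict(policy) for name, policy in DEFAULT_POLICIES.items()}
    loosened["Graphmarts Registry"]["Everyone"] = "Modify"
    print("audit findings:", audit_policies(loosened))
    print("existing graphmart Everyone grant:", sorted(artifact["acl"]["Everyone"]))
```

Running the script prints the resolved grants for a new model, then shows that loosening the Graphmarts Registry policy is reported by the audit while the graphmart created before the change keeps its original View grant for Everyone.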