Sharing Access to Graphmarts

This topic introduces the concepts to know when working with graphmart and data layer access control and provides instructions for configuring permissions.

Sharing Concepts

This section describes the concepts that are helpful to know when working with graphmart and data layer permissions. It also gives of overview of the graphmart sharing settings and the predefined permission sets and associated privileges.

Default Access Configuration

When a new graphmart is created, the access control configuration of that Graphmart is defined by the Graphmarts Registry Default Access Policy that is configured by your administrator (see Managing Default Access Policies for information). The graphmart also inherits permissions from other artifacts in the onboarding workflow. For example, when a graphmart is created from a data source, the graphmart inherits permissions from the source schema (which inherits permissions from the data source). Users who have permission to modify graphmart access can share that graphmart with other users and groups.

Configuration vs. Data Access Control

Graphmart and data layer sharing is managed on two levels: Configuration and Data Access. When managing access at the Configuration level, you are controlling who can view or modify the configuration of the graphmart, such as who can edit the graphmart settings on the Overview tab, who can enable, disable, modify, or add layers, and who can view or modify the graphmart permissions. The Data Access configuration controls who can view the data that is contained within the graphmart.

Permission Inheritance

When assigning Configuration and Data Access permissions at the graphmart level, you can configure the graphmart to inherit the permissions from another artifact and/or pass on its permissions to additional artifacts. For example, you can configure one graphmart to pass its permissions to other graphmarts. Inheritance transmits all of the artifact's permissions for all users and groups.

Since data layers are created in graphmarts, they inherit their permissions from the graphmart by default—with one exception: Layers with Load Dataset Steps inherit their Data Access permissions from the dataset. Data on Demand endpoints also inherit their permissions from the parent graphmart by default.

The following inheritance settings are displayed at the top of the Configuration and Data Access tabs on the graphmart Sharing screen.

Configuration Inheritance

The image below shows a graphmart Configuration tab with the default inheritance settings. The Inherit permissions from field shows that the graphmart inherits permissions from the schema instance that the graphmart was created from.

Data Access Inheritance

The image below shows the Data Access tab for the same graphmart. The Graphmart Level View Permissions are set to Inherit from Graphmart by default. And Default Layer View Permissions (for new Layers) is also set to Inherit from Graphmart.

Below the inheritance settings, the Permissions Overview provides a detailed view of the permission inheritance for each layer, view, and Data on Demand endpoint in the graphmart.

Configuration Permissions

Graphmart Configuration permissions control who can view or modify the graphmart settings, who can enable, disable, modify, or add data layers, and who can view or modify the graphmart permissions. There are three predefined permission sets that can be applied to a user or group. The permission sets include a combination of six permissions. You also have the option to customize the set of permissions that are applied to a user or group.

The tables below list the predefined permission sets and describe the privileges that are granted for each permission that is part of the set:

View

The following table describes the permissions in the View set.

Permission Description
View This permission allows a user to:
  • See the graphmart in the Anzo application.
  • Copy the graphmart URI from the Overview tab.
  • Copy data layer URIs from the data layers tab.
  • See the existing Data on Demand endpoints on the Data on Demand tab.
  • View and clone the dataset editions that are included in the graphmart.
  • Reload and refresh the graphmart.
  • Create and import graphmart versions.
Meta View This permission relates only to the graphmart Sharing tab. A user with this permission can see the Sharing tab, but they cannot modify, add, or remove permissions.

Modify

In addition to the View and Meta View permissions described above, the Modify set includes the Add/Edit and Delete permissions described below.

Permission Description
Add/Edit This permission allows a user to:
  • Rename the graphmart and edit the description.
  • Create Data on Demand endpoints.
  • Add datasets and data sources to the graphmart.
  • Enable, disable, add, or edit layers and steps.
  • Activate and deactivate the graphmart.
Delete This permission allows a user to:
  • Remove datasets from the graphmart.
  • Delete data layers and steps from the graphmart.
  • Cannot delete the graphmart.

Admin

In addition to the View, Meta View, Add/Edit, and Delete permissions described above, the Admin set includes the Meta Add/Edit and Meta Delete permissions described below.

Permission Description
Meta Add/Edit This permission relates only to the graphmart Sharing tab. A user with this permission can modify the sharing settings by adding permissions to a user or group.
Meta Delete This permission allows a user to:
  • Modify the sharing settings by removing permissions from a user or group.
  • Delete the graphmart.

Changing Configuration-Level Access

Follow the steps below if you want to modify the configuration-level access for a graphmart.

  1. In the Anzo application, expand the Blend menu and click Graphmarts. Anzo displays a list of the existing graphmarts. For example:

  2. Click the name of the graphmart for which you want to configure permissions. Then click the Sharing tab. The Sharing screen is displayed and the Configuration tab is selected. For example:

  3. If you want to change how the Configuration permissions are inherited, use the Inherit permissions from field at the top of the screen. To apply all of the permissions from another artifact to this one, select the artifact to inherit from in the Inherit permissions from field.

    For more information about permission inheritance at the graphmart level, see Permission Inheritance.

  4. To modify Configuration access to this graphmart with a particular user or group, type a value in the Search users, roles or groups field to find and display the user or group. The resulting list shows the current permission level that is set for each user or group in the search results. For example, the image below shows the current permissions for the IT group (None):

  5. Select the user or group for which you want to configure permissions. The permissions settings are displayed on the right side of the screen. For example:

  6. To assign a predefined set of permissions, click the View, Modify, or Admin radio button to assign that level of access to the selected user or group. Refer to Configuration Permissions for details about the permission sets. For example, the image below gives Admin permissions to users in the IT group:

    If you want to customize the permissions, click the Custom radio button and then select or deselect the permissions checkboxes. To clear permissions for a user or group, click the trashcan icon () next to the name.

Changing Data-Level Access

Follow the steps below if you want to modify permissions at the Data Access level for a Graphmart.

  1. In the Anzo application, expand the Blend menu and click Graphmarts. Anzo displays a list of the existing graphmarts. For example:

  2. Click the name of the graphmart for which you want to configure permissions. Then click the Sharing tab. The Sharing screen is displayed and the Configuration tab is selected. Click the Data Access tab. For example:

  3. If you want to change how the Data Access permissions are inherited, use the fields at the top of the screen:
    • Graphmart-Level View Permissions controls who can view the data within the entire graphmart.
    • Default Layer View Permissions (for new Layers) controls who can view the data within the data layers.

    For more information about permission inheritance at the graphmart level, see Permission Inheritance.

  4. To change the permissions for an individual layer, Data on Demand endpoint, or another graphmart component that is listed in the Permissions Overview, click the Edit icon () in the Actions column in the in the row for that component.

Changes to graphmart and layer permissions take effect immediately. Users do not need to log out and log back in, and affected graphmarts do not need to be reloaded or refreshed.