Hello Madhan,
I was thinking through our common use cases for metadata security.  For 
most metadata entities and relationships, we would want to enforce that 
metadata is readable by logged on users but edit access is limited to the 
user identified in the createdBy property. 

Then we have special cases for entities such as connections and some 
governance actions.
For example there may be a connection to an audit log and that can only be 
seen by members of the security team since having access to the connection 
means you can connect to the data store.
Some governance actions may be updateable by anyone in the governance team 
- not just the creator.

When it comes to classifications, we have 2 scenarios 
- where a classification can only be added to an entity by a user that has 
edit access to the entity.
- where a classification can only be added to any entity by a user with 
create rights on the classification.

I was trying to think through similar examples for relationships - for 
example, where edit access to an entity is required before a relationship 
can connect it to something else - but I can't think of one - and it would 
be good from a graph decoupling point of view if adding relationships 
could be done independently of the access rights to either entity.

All the best
Mandy Chessell CBE FREng CEng FBCS
IBM Distinguished Engineer

Master Inventor
Member of the IBM Academy of Technology
Visiting Professor, Department of Computer Science, University of 

Email: mandy_chess...@uk.ibm.com
LinkedIn: http://www.linkedin.com/pub/mandy-chessell/22/897/a49

Assistant: Janet Brooks - jsbrook...@uk.ibm.com

Reply via email to