I was thinking through our common use cases for metadata security. For
most metadata entities and relationships, we would want to enforce that
metadata is readable by logged-on users but edit access is limited to the
user identified in the createdBy property.
Then we have special cases for entities such as connections and some
For example, there may be a connection to an audit log and that can only be
seen by members of the security team since having access to the connection
means you can connect to the data store.
Some governance actions may be updateable by anyone in the governance
team - not just the creator.
When it comes to classifications, we have 2 scenarios:
- where a classification can only be added to an entity by a user that has
edit access to the entity.
- where a classification can only be added to any entity by a user with
create rights on the classification.
I was trying to think through similar examples for relationships - for
example, where edit access to an entity is required before a relationship
can connect it to something else - but I can't think of one - and it would
be good from a graph decoupling point of view if adding relationships
could be done independently of the access rights to either entity.
All the best
Mandy Chessell CBE FREng CEng FBCS
IBM Distinguished Engineer
Member of the IBM Academy of Technology
Visiting Professor, Department of Computer Science, University of
Assistant: Janet Brooks - jsbrook...@uk.ibm.com
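
The access rules described in the message above, written as a small policy check. This is an added example, not part of the original message or of any project's code. The group, type and classification names are constructed, and the rule that a user who cannot read an entity cannot edit it is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# All names below (groups, entity types, classifications) are constructed
# for illustration; none come from the original message.

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()

@dataclass(frozen=True)
class Entity:
    type_name: str
    created_by: str
    read_group: Optional[str] = None  # restricts visibility, e.g. an audit-log connection
    edit_group: Optional[str] = None  # widens edit rights, e.g. a governance action

# Second classification scenario: the group holding create rights on the
# classification. Classifications absent from this map use the first scenario.
CLASSIFICATION_CREATORS = {"Confidential": "security"}

def can_read(user: Optional[User], entity: Entity) -> bool:
    if user is None:  # not logged on
        return False
    return entity.read_group is None or entity.read_group in user.groups

def can_edit(user: Optional[User], entity: Entity) -> bool:
    if not can_read(user, entity):  # assumption: no edit without read access
        return False
    if user.name == entity.created_by:  # default rule: the createdBy user
        return True
    return entity.edit_group is not None and entity.edit_group in user.groups

def can_classify(user: Optional[User], entity: Entity, classification: str) -> bool:
    if user is None:
        return False
    group = CLASSIFICATION_CREATORS.get(classification)
    if group is not None:  # rights on the classification, applies to any entity
        return group in user.groups
    return can_edit(user, entity)  # rights derived from edit access to the entity
```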