Mandy, > edit access is limited to the user identified in the createdBy property. It will be possible to support authorization as above. However, there are few issues to be aware of in such approach. For example: - 'createdBy' property may not be present in all entity-types - the username in 'createdBy' property might have to be normalized or mapped, to be able to compare with the username logged into Atlas. - for example john.sc...@example.com vs jscott I would recommend to handle such username normalization/mapping in a later phase.
> where a classification can only be added to an entity by a user that has edit > access to the entity. > where a classification can only be added to any entity by a user with create > rights on the classification. Wouldn't it be more flexible to allow different set of users to edit and classify entities? Similar to the following scenario. > where edit access to an entity is required before a relationship can connect > it to something else > and it would be good from a graph decoupling point of view if adding > relationships could be done independently of the access rights to either > entity. I agree on decoupling authorization to create relationship from access rights to the entities at both ends. Thanks, Madhan On 2/14/18, 10:06 AM, "Mandy Chessell" <mandy_chess...@uk.ibm.com> wrote: Hello Madhan, I was thinking through our common use cases for metadata security. For most metadata entities and relationships, we would want to enforce that metadata is readable by logged on users but edit access is limited to the user identified in the createdBy property. Then we have special cases for entities such as connections and some governance actions. For example there may be a connection to an audit log and that can only be seen by members of the security team since having access to the connection means you can connect to the data store. Some governance actions may be updateable by anyone in the governance team - not just the creator. When it comes to classifications, we have 2 scenarios - where a classification can only be added to an entity by a user that has edit access to the entity. - where a classification can only be added to any entity by a user with create rights on the classification. I was trying to think through similar examples for relationships - for example, where edit access to an entity is required before a relationship can connect it to something else - but I can't think of one - and it would be good from a graph decoupling point of view if adding relationships could be done independently of the access rights to either entity. All the best Mandy ___________________________________________ Mandy Chessell CBE FREng CEng FBCS IBM Distinguished Engineer Master Inventor Member of the IBM Academy of Technology Visiting Professor, Department of Computer Science, University of Sheffield Email: mandy_chess...@uk.ibm.com LinkedIn: http://www.linkedin.com/pub/mandy-chessell/22/897/a49 Assistant: Janet Brooks - jsbrook...@uk.ibm.com