Data360 Govern

Is there a way to hide assets for certain users? 

In settings > Site Navigation, we hide Technical Assets for all users except those in certain Govern Groups. For users that have Technical Assets hidden, they can still navigate to the assets via relationships: 

You are able to use the filter tools in the top right hand corner on the diagram window to filter out asset based on Type, Predicate or even responsibility.

It sounds like you require an enhancement request in order to be able to set this at an enterprise level and not at a user level, with the ability to lock the setting.

I have a similar request to default to number of hops shown on a lineage diagram to 1, rather the the current default of 3, which slows down the load time of some of our more complex lineage diagrams.

The related technical assets would still show on the relationship tab however, this may be harder to solve for, but also less of an issue 

Hi John -  I think my title of "hide" might have been misleading. I'm really looking to restrict access to these technical assets - there are some security conerns with having all users able to view all technical paths to find data. 

Hi Marissa,

We have the same requirement to comply with some internal policies. One solution is to put all the users who cannot see these assets in a group.

After that, you create a responsibility type link to this asset with no rights (even not read) and you add a rule saying that the members of this group are automatically assign to the asset with this responsibility type (not visible).

A little bit tricky but it works.

Maybe we should ask for an enhancement to get a more convenient solution.

What do you think ?

JP

Hi Jean-Paul,

I absolutely think there should be an enhancement! 

In the meantime, do you have to do this for each asset type, or do you have a way to include all restricted asset types in 1 rule? 

Note: This was originally posted by an inactive account. Content was preserved by moving under an admin account.

Hello Marisa,

As discussed, we have created Enhancement ticket for your request and our Product Management  team is going to review request. 

<x-zendesk-user data-user-name="Marisa Macho">366880069407</x-zendesk-user> - You can easily assign a responsibility to multiple assets using the responsibility option under customisation. You will however need to create a rule for each Asset to help govern understand which users to assign to which asset type. You can of course make these users hidden from the responsibility tab so that other users don't see the big long list of users that are only there to disable their access.

The rules will then happily refresh themselves and apply anyone new in a given group to the assignment and this will remove those assets from the users.

HOWEVER. . . . and this is the reason I didn't suggest this as an option is security is a real issue. 

1) The asset names will still show on the relationship tab and the diagrams tabs, although no details on those asset can be clicked through to. You need to consider if showing the relationship and the name of the related asset is a security concern for you.

2) principle of least privilege (PoLP) is something I am a massive supporter of and this approach is the complete opposite of PoLP. This approach assumes everyone has access to everything UNLESS we capture them in a rule and then REMOVE access to those users. If information security is real concern then you also need to consider the implication if one of you rules missed a certain user due to some unforeseen reason, that user would have full access to the entire environment without restriction.

3) Group maintenance, as <x-zendesk-user data-user-name="Jean-Paul Otte">365631894427</x-zendesk-user> has pointed out, for this approach to work, you need to work out which users you don't want to see those assets. How do you keep that group up to date? You are now able to link groups to Active directory, but that would only work if those users all belonged to the same AD group. When EXCLUDING users, it's unlikely that everyone sits in one group. So now we are dealing with a scenario where you need to have a rule that assigned multiple groups (linked to ADFS) and need to consider an new joiners or business transformation activity to might impact this approach or fall foul of point 2.

To summarise, its do-able and if you have a relatively small users base that is fairly static and if an employee did somehow fall down the cracks, it wouldn't be the end of the world, then it might just work really well for your use case.

P.S - You can of course use the APIs to run a report of user activity, including the assets they view. So you could use this as a quick sense check and audit that you rules are being applied to the users in the relevant groups and none of those users have accessed any of the hidden assets / asset types.

I couldn't agree more - this is definitely the opposite of the logic we want. We want to say "only allow when users ARE in these groups" not "allow when users aren't in these groups"

I thought I had an appropriate solution when the navigation rule was "Only show for these groups" but have since learned that only limits what shows on the left navigation and not what assets they have access to view. <x-zendesk-user data-user-name="Suhas Kotha">365021274968</x-zendesk-user> looping you in so the ticket can be updated with John's comments. If "Site navigation" actually meant "Site access", we'd have a solution :) 

<x-zendesk-user data-user-name="Suhas Kotha">365021274968</x-zendesk-user> please add me to this enhancement ticket, thanks

<x-zendesk-user data-user-name="Suhas Kotha">365021274968</x-zendesk-user> Can you please also keep me in the loop of this enhancement ticket?  I also have a concrete case to configure in our environment.  Thx!