Open Metadata Security Samples

The open metadata security samples provide sample implementations of the open metadata security connectors that can be added to the OMAG Server Platform and to any OMAG server running on the platform. With these samples it is possible to experiment with how security authorization works with the governance zones that control the visibility of assets through the Open Metadata Access Services (OMASs).

The open metadata platform security connector provides authorization services for the platform services and the admin service to create a new server. The open metadata server security connector is specific to an OMAG server instance and is defined in the configuration document for a server.

The samples show how a security connector extends the appropriate base class and uses its methods to provide a security service.

The samples are based on the Coco Pharmaceuticals personas.

Gary Geeke (garygeeke) is the IT Infrastructure Administrator and the IT Infrastructure Governance Officer. He is the only person able to issue platform services requests and to work with assets in the infrastructure zone.

Peter Profile (peterprofile), Information Analyst, and Erin Overview (erinoverview), their Information Architect and Deputy Chief Data Officer, are the only people permitted to onboard new assets through the quarantine zone using the Asset Owner OMAS. Specifically only Erin can remove the quarantine zone from an Asset.

The other zones defined in the sample are:

An asset may be in multiple zones, and a person is typically able to access the asset if any of its zones permits them access. However, the implementation of your connector may also look for specific combinations of zones and apply special rules. For example, the quarantine zone's rules override any other zone's rules so that the onboarding team can set up the zones as part of the onboarding process. Only when the quarantine zone is removed do the other zones take effect.

It is also possible to have special rules for particular services. Coco Pharmaceuticals have decided that the assetDelete method from Asset Owner OMAS is too powerful for staff to use, so they have disabled it for personal accounts using this connector: only non-personal accounts (NPAs) can call this method. Coco Pharmaceuticals' staff delete an asset by moving it to the "trash-can" zone, where it is cleaned up by automated archiver processes the next day.

Finally, Coco Pharmaceuticals only permit non-personal accounts (NPAs) to access Connection objects that contain security information such as userIds and passwords.
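The zone rules above (quarantine overriding other zones, Erin alone removing quarantine, assetDelete and secured Connections restricted to NPAs) as a stand-alone model, added here as an example; it is not the sample connector's Java code, and the zone-to-user mapping and the `archiverbot` NPA are constructed assumptions:

```python
# Stand-alone model of the Coco Pharmaceuticals zone rules; not Egeria code.
# ZONE_MEMBERS and NPA_USERS are constructed for this example.
from dataclasses import dataclass, field

NPA_USERS = {"archiverbot"}                      # constructed non-personal account
ZONE_MEMBERS = {                                 # constructed: who may work in a zone
    "infrastructure": {"garygeeke"},
    "quarantine": {"peterprofile", "erinoverview"},
    "trash-can": NPA_USERS,                      # only automated archivers
}


@dataclass
class Asset:
    zones: set = field(default_factory=set)


def is_npa(user: str) -> bool:
    return user in NPA_USERS


def can_access_asset(user: str, asset: Asset) -> bool:
    """Any zone grants access, except that quarantine overrides all others."""
    if "quarantine" in asset.zones:
        return user in ZONE_MEMBERS["quarantine"]
    return any(user in ZONE_MEMBERS.get(zone, set()) for zone in asset.zones)


def update_zones(user: str, asset: Asset, new_zones: set) -> bool:
    """Apply a zone change if permitted; only erinoverview may drop quarantine."""
    if not can_access_asset(user, asset):
        return False
    if "quarantine" in asset.zones and "quarantine" not in new_zones:
        if user != "erinoverview":
            return False
    asset.zones = set(new_zones)
    return True


def can_delete_asset(user: str) -> bool:
    """assetDelete is reserved for NPAs; staff move assets to trash-can instead."""
    return is_npa(user)


def can_read_connection(user: str, has_secured_properties: bool) -> bool:
    """Connections carrying userIds/passwords are visible only to NPAs."""
    return is_npa(user) or not has_secured_properties
```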

License: CC BY 4.0, Copyright Contributors to the ODPi Egeria project.