Planning collection & permissions for collections

Plan your collections

Types of collections

First, plan the collections structure for your organization. Determine what types collections you need. For example, you can follow the following paradigm.

Create the different types of collections by following this documentation.

Table 1. Types of collections

Type	Usage
Source collections	For each collector output.
Domain collections	Organizational categories that map to the domains of your business or organization. Domain collections are likely curated by data stewards and can include subdomain collections (that is, hierarchical collections).
Glossary collections	For business glossary in the organization.

Hierarchy of collections

Plan if you want to create a flat list of collections or a hierarchy of collections. Collection hierarchy is a feature allows you to create collections within collections to better organization your resources in small logical groups under a larger umbrella.

Plan permissions for collections

Assign View, Edit, or Manage permissions to members/user groups for the entire catalog or specific collections.

Setting granular permissions on collections helps you achieve the following business needs:

Targeted management: Assign limited roles without full administrative control over the catalog.
Role distribution: Separate responsibilities like managing data collection and glossary curation.
Focused notifications: Ensure users receive alerts only for their tasks, directing suggestion approvals to specific groups.
Selective visibility: Hide certain catalog sections selectively. Be cautious: this may disrupt user experience by blocking access to certain resources/related resources or lineage data.
Important
Collections, datasets, and projects have separate permission systems. Currently, datasets and projects are not part of collections.

Overview of how access control works

Levels of access

You can grant permissions for metadata resources at two levels:
- Catalog level - For the entire metadata catalog: Permissions can be granted to organization groups.
- Collection level - For a specific collection within the catalog: Permissions can be granted to groups, individual users or other organizations.

Supported access levels for the metadata resources at the collection level:

Note

If the access level is not set, members cannot search for or navigate to the resource, and the resource does not exist for the member.

If members have access to the collection through organization level or parent collection level settings, they will be able to access the collection.

Table 2. Permissions for Metadata Resources and Terms

Permissions granted by access level	Access levels
Permissions granted by access level	View	Edit	Manage
Brief summary of permissions	Can view this collection, its resources, terms, and subcollections	Can edit this collection, its resources, terms, and subcollections. Can create resources and terms in this collection. Can approve suggested changes	Can edit and delete this collection. Can create, delete, and edit collection resources, terms and subcollections. Can manage member access to the collection
Can view any resource in this collection or its subcollections	✅	✅	✅
Can suggest changes to any resource in this collection or its subcollections	✅	-	-
Can approve changes for any resource in this collection or its subcollections	-	✅	✅
Can edit any existing resource in this collection or its subcollections	-	✅	✅
Can edit a forward relationship on any resource in this collection or its subcollections	-	✅	✅
Can edit a backward relationship on any resource in this collection or its subcollections	-	✅ ️⃣ ️⃣ IF: They can also edit the target resource that owns the forward relationship	✅ ️⃣ ️⃣ IF: They can also edit the target resource that owns the forward relationship
Can create a new resource for this collection or its subcollections from the organization profile page	-	-	-
Can create a new resource for this collection or its subcollections from the collection pages	-	✅	✅
Can bulk edit any resources in this collection or its subcollections	-	✅	✅
Can delete any resource in this collection or its subcollections	-	-	✅

Table 3. Permissions for Collections

Permissions granted by access level	Access levels
Permissions granted by access level	View	Edit	Manage
Brief summary of permissions	Can view this collection, its resources, terms, and subcollections	Can edit this collection, its resources, terms, and subcollections. Can create resources and terms in this collection. Can approve suggested changes	Can edit and delete this collection. Can create, delete, and edit collection resources, terms and subcollections. Can manage member access to the collection
Can view this collection and its subcollections	✅	✅	✅
Can suggest changes to the metadata of this collection and its subcollections	✅	-	-
Can suggest changes to the hierarchy (collection parent) of this collection or its subcollections	-	-	-
Can approve suggested metadata changes for this collection or its subcollections	-	✅	✅
Can edit metadata for this collection or its subcollections	-	✅	✅
Can edit the hierarchy (parent collection) of this collection or its subcollections	-	-	✅ ️⃣ ️⃣ IF: They can also manage the new parent collection
Can delete this collection or its subcollections	-	-	✅
Can create a new collection with no parent	-	-	-
Can create a new subcollection for this collection or its subcollections	-	-	✅
Can grant access to this collection or its subcollections	-	-	✅

Supported access levels for the metadata resources at the catalog level:

Table 4. Permissions for Metadata Resources and Terms

Permissions granted by access level	Access levels
Permissions granted by access level	No Access	View	Edit	Manage
Brief summary of permissions	Cannot view any metadata resources, terms, and collections	Can view all metadata resources, terms, and collections	Can create and edit all metadata resources and terms. Can edit all collections and approve suggested changes	Can create, delete and edit all metadata resources, terms, and collections. Can manage member access and perform catalog sync tasks
Can receive notifications	-	Receives notifications about changes they have suggested and comment threads they have participated in on metadata resources	Receives notifications about suggested changes and comments on metadata resources	Receives notifications about suggested changes, comments, and access requests on metadata resources
Can view any resource in the organization	-	✅	✅	✅
Can suggest changes to any resource in the organization	-	✅	-	-
Can approve changes for any resource in the organization	-	-	✅	✅
Can edit any existing resource in the organization	-	-	✅	✅
Can edit a forward relationship on any resource in the organization	-	-	✅	✅
Can edit a backward relationship on any resource in the organization	-	-	✅	✅
Can delete any resource in the organization	-	-	-	✅
Can create a new resource on the organization main profile page	-	-	✅	✅
Can create a new resource from any collection page in the organization	-	-	✅	✅
Can bulk edit any resources in the organization	-	-	✅	✅

Table 5. Permissions for Collections

Permissions granted by access level	Access levels
Permissions granted by access level	No Access	View	Edit	Manage
Brief summary of permissions	Cannot view all metadata resources, terms, and collections	Can view all metadata resources, terms, and collections	Can create and edit all metadata resources and terms. Can edit all collections and approve suggested changes	Can create, delete and edit all metadata resources, terms, and collections. Can manage member access and perform catalog sync tasks
Can view any collection in the organization	-	✅	✅	✅
Can suggest changes to the metadata of any collection in the organization	-	✅	-	-
Can suggest changes to the hierarchy (parent collection) of any collection in the organization	-	-	-	-
Can approve suggested metadata changes for any collection in the organization	-	-	✅	✅
Can edit metadata for any collection in the organization	-	-	✅	✅
Can edit the hierarchy (parent collection) of any collection in the organization	-	-	-	✅
Can delete any collection in the organization	-	-	-	✅
Can create a new collection in the organization	-	-	-	✅
Can create a new subcollection for any collection in the organization	-	-	-	✅
Can manage access to any collection in the organization	-	-	-	✅

Table 6. Permissions for Metadata profile

Permissions granted by access level	Access levels
Permissions granted by access level	No Access	View	Edit	Manage
Brief summary of permissions	Cannot view all metadata resources, terms, and collections	Can view all metadata resources, terms, and collections	Can create and edit all metadata resources and terms. Can edit all collections and approve suggested changes	Can create, delete and edit all metadata resources, terms, and collections. Can manage member access and perform catalog sync tasks
Can view the metadata profile configuration	-	-	-	-
Can edit the metadata profile configuration	-	-	-	-
Can manage connection tasks to sync metadata for the organization catalog	-	-	-	✅ ️⃣ ️⃣ IF: They can also manage datasets and projects access
Can create tasks for the connections available from the Connection manager configuration settings in the Settings tab of the Organization profile page.	-	-	-	✅ ️⃣ ️⃣ Note: As a prerequisite, user groups need Manage access to datasets and projects to able to view the Connection manager configuration settings. As a result, user groups with this combined access will be able to manage the connections and the tasks for the connection.

When resources belong to multiple collections:

If a resource belongs to two collections and you have Edit access on one collection and View access on another, you will get the highest level of access, that is, you will be able to edit the resource.
Likewise, if at the organization level you are granted Edit access to all catalog resources and given View access to a specific collection, you will be able to edit the collection and the resources in it.
If at the organization level you are NOT granted any access to catalog resources and given View access to a specific collection, you will be able to view the collection and the resources in it.
Also note that when you have access to tables through a collection, you automatically get access to the columns for those tables, even if the columns are not part of the same collection.

When you have collection hierarchy setup:

If you have View access to the parent collection and no access to the child collection, you will be able to see both the parent collection and the child collection and resources in both the collections.
However, if you do not have access to the parent collection, but can View the child collection in it, you will be able to view only the child collection and the resources in it. You will not have access to the parent collection or any resources in that parent collection.
On the child collection page, you will see that the collection has a parent, but that parent will not be something you can view. Clicking on the parent from the child collection will display a page not found error (a 404 page) with a notice that the user may not have access to the resource they are trying to visit.
If a collection has two child collections, and you have View access to the parent collection and Edit access to only one child collection, you will be able to view the parent collection and both child collections, but you will be able to only edit the collections (and the resources in it) for which you have Edit access.

Watch this video for an overview of how access control works:

In this section: