Ontology permissions [Legacy]

Ontology resources refer to object types, link types, and action types along with their metadata (schema).

Two authorization models are currently used to handle permissions of Ontology resources:

1. Ontology roles are the default method for authorizing Ontology resources. Ontology roles enable the direct application of roles onto each Ontology resource, independent of its backing datasource.

• For example, a user only requires the Ontology Editor role on the object type and does not require any permissions on the backing datasource to edit an object type in the Ontology.
• The Ontology Editor role only allows editing Ontology resources and their metadata and does not grant any permission on the data or datasource itself. Access to object data (not metadata) is still governed by the permissions granted on backing datasources.

2. Datasource-derived permissions are the legacy solution for authorizing Ontology resources. Datasource-derived permissions rely on the permissions defined on the backing datasource for each object type, creating a direct 1:1 dependency between object types in the Ontology and the backing datasource. For this reason, object types with datasource-derived permissions require a backing dataset.

• For example, a user must have Editor access to the backing datasource and be a member of the Ontology Administrators group (at the Ontology level) to edit an object type in the Ontology.

Ontology roles

Ontology roles are defined as:

• Ontology Owner: Can edit Ontology resources and has full control over their security and sharing
• Ontology Editor: Can edit Ontology resources
• Ontology Viewer: Can view Ontology resources, but cannot edit them
• Ontology Discoverer: Can only see Ontology resource names and metadata, excluding schema

In addition to directly granting the above roles on Ontology resources, you can also grant these roles at the Ontology level by navigating to the Ontology Configuration tab of an Ontology in the Ontology Manager application. Only the Ontology owner role, granted at the Ontology level, is inherited by all of the resources in that Ontology; the Ontology editor role is only relevant for Ontology-level permissions.

As a best practice, we strongly recommended defining a trusted group of users that would be responsible for the Ontology as a whole (also referred to as the Ontology Governance Board) and grant that user group the Ontology Owner role for the entire ontology.

Create new resources with Ontology roles

Resource creation in the Ontology is restricted to users with Ontology Owner or Ontology Editor roles at the Ontology level. Newly created object types, link types, shared properties, and Action types with roles will show the creating user as an Ontology Owner on that resource and all other users as an Ontology Viewer by default. Once the resource is created, the creating user can apply further roles to the resource.

Type-specific edit permissions with Ontology roles

Permissions for editing object types and their properties

To make changes to an object type and its properties, a user must have Ontology Editor permission on the object type. If the user would like to map datasources/columns to object type properties, then Viewer permissions to the datasource that is being mapped is also required.

Permissions for shared properties

To make changes to a shared property, a user must have Ontology Editor permissions on the shared property. The user must have Ontology Editor on any object types to which the user wishes to add the shared property.

Permissions for editing link types

To make changes to a link type (create, delete, update, and so on), a user must have the following permissions:

• Ontology viewer permission on the object types referenced on both sides of the link type.
• Ontology editor permission on the link type itself.

If the link type uses a join table and the modification made involves changes to the join table, then Viewer permissions to the join table datasource backing the link type is also required.

Permissions for editing action types

To make changes to an action type (create, delete, update, and so on), a user must have the following permissions:

• At least Editor permissions of the action type, either directly or through inheritance from the ontology level
• Ontology Editor on all object types for which the action type can generate edits during execution.

The object types for which an action type can generate edits include the following:

• Object types referenced in create, modify, and delete object rules.
• Object types connected to link types referenced in create and delete link rules.
• Object types edited in functions of function-backed Actions.
• The Action Log object type (if one is configured).

Read-only views

When a user does not have access to edit an object type, link type, shared properties, or action type, the edit views will be disabled and a banner will explain to the user what permissions they do and do not have.

For the Ontology Viewer role:

For the Ontology Discoverer role:

Datasource derived permissions

• View permissions
• Type-specific edit permissions
  • Permissions for editing object types and their properties
  • Permissions for shared properties
  • Permissions for editing link types
  • Permissions for editing action types
• Read-only views

View permissions

Having Viewer permissions on the datasource backing an object type or link type allows users to see the object type or link type associated with that specific datasource.

By default, action types are visible to all the users who have access to the Ontology. All users will be able to see the title, description, and rules of all action types with the datasource-derived permissions model.

Type-specific edit permissions

To make any changes in the Ontology Manager, a user must be a member of the Ontology Administrators user group. Read more about groups and platform security.

A user may need additional type-specific permissions to successfully make changes in the Foundry Ontology when datasource-derived permissions are used.

Permissions for editing object types and their properties

In order to make any changes to an object type and its properties, a user must have Editor permissions to the datasources backing the object type.

Permissions for shared properties

To create or edit a shared property or add a shared property to an object type, a user must be a member of the Ontology Administrators group.

Permissions for editing link types

In order to make any changes to a link type, a user must have Editor permissions to the datasources backing the link type and Viewer permissions on the datasources backing both object types referenced in the link type.

Permissions for editing action types

• All users with access to an Ontology can view the complete action type definitions (editable properties, name, or user permissions, for example).
• To make changes to an action type in an Ontology (create, delete, update, and so on), a user must be a member of the Ontology Administrators group.
• To run the action, the user must be a Viewer on all the edited object types.
• If a user creates an action that modifies or adds to an object type, the Edits option must be enabled for that object type.

For more information on action types permissions, review the documentation.

Read-only views

When a user does not have access to edit an object type, link type, or action type, the edit views will be disabled and a banner will explain to the user what permissions they do and do not have.

Deleting the backing dataset

If the backing dataset of an object type with datasource-derived permissions has been permanently deleted from the trash, the object type is considered orphaned. Since permissions are derived from the backing dataset, which can no longer be accessed, users can no longer modify the object type as all editor permissions have been lost. The ontology automatically deletes orphaned object types.