Administrators configure roles and permissions across the Elementrix platform using Role-Based Access Control (RBAC).
System Roles Overview:
System Roles:
Built-in Roles (Cannot Delete):
- ROOT_ADMIN (1 user)
- SUPER_ADMIN (12 users)
- REGULAR_DEFAULT_USER (1,189 users)
- DATA_GOVERNANCE (8 users)
Custom Roles:
- Finance Data Steward (15 users)
- Marketing Data Owner (8 users)
- Analytics Team Member (42 users)
- External Auditor (3 users)
[Create New Role]
Built-in Roles:
ROOT_ADMIN:
SUPER_ADMIN:
REGULAR_DEFAULT_USER:
DATA_GOVERNANCE:
Create Custom Role:
Create New Role:
Basic Information:
Role Name: [Finance Data Steward]
Role Code: [FINANCE_DATA_STEWARD]
Description: [
Steward for finance domain data products with elevated
permissions for financial data management.
]
Role Type:
☑ Custom Role
☐ Domain-Specific Role
☐ Temporary Role
Domain Restrictions (Optional):
☑ Restrict to specific domains
Selected Domains:
☑ Finance
☑ Accounting
☐ Marketing
☐ Sales
[Next: Configure Permissions]
Configure Permissions:
Role: Finance Data Steward
Description:
Steward for finance domain data products with elevated
permissions for financial data management.
Permissions (23 of 50 selected):
User Management:
☐ VIEW_ALL_USERS
☐ CREATE_USERS
☐ EDIT_USERS
☐ DELETE_USERS
☐ ASSIGN_ROLES
Data Product Management:
☑ VIEW_ALL_DATA_PRODUCTS
☑ CREATE_DATA_PRODUCTS (Finance domain only)
☑ EDIT_OWN_DATA_PRODUCTS
☑ EDIT_STEWARDED_PRODUCTS
☐ EDIT_ALL_DATA_PRODUCTS
☐ DELETE_DATA_PRODUCTS
☑ PUBLISH_DATA_PRODUCTS (after approval)
☑ DEPRECATE_OWN_PRODUCTS
☐ DEPRECATE_ALL_PRODUCTS
Access Management:
☑ VIEW_ACCESS_REQUESTS
☑ APPROVE_ACCESS_REQUESTS (own products)
☐ APPROVE_ALL_ACCESS_REQUESTS
☐ BULK_APPROVE_REQUESTS
☑ REVOKE_ACCESS (own products)
☐ REVOKE_ALL_ACCESS
Semantics Registry:
☑ VIEW_SEMANTIC_TERMS
☑ CREATE_SEMANTIC_TERMS (Finance domain)
☑ EDIT_SEMANTIC_TERMS (Finance domain)
☐ DELETE_SEMANTIC_TERMS
☑ LINK_SEMANTICS_TO_PRODUCTS
Data Models:
☑ VIEW_DATA_MODELS
☑ CREATE_DATA_MODELS (Finance domain)
☑ EDIT_DATA_MODELS (Finance domain)
☐ DELETE_DATA_MODELS
Administration:
☐ ACCESS_ADMINISTRATION_SECTION
☐ MANAGE_APPLICATIONS
☐ MANAGE_BRANDING
☐ MANAGE_STAGING
☐ MANAGE_SSO
☐ VIEW_AUDIT_LOGS (all users)
☑ VIEW_OWN_AUDIT_LOG
[Assign Users] [Save Changes] [Delete Role]
Assign Users to Role:
Assign Users to: Finance Data Steward
Search and Select Users:
[Search by name or email...]
Selected Users (15):
☑ john.doe@company.com (Finance Analyst)
☑ jane.smith@company.com (Finance Manager)
☑ bob.johnson@company.com (Accountant)
...
Bulk Assignment:
☑ Notify users via email
☑ Send role documentation
☑ Log in audit trail
[Assign Users] [Cancel]
Complete Permission Matrix:
View Complete Permission Matrix:
Permission | ROOT | SUPER | USER | GOV | CUSTOM
----------------------------------|------|-------|------|------|--------
VIEW_ALL_USERS | ✓ | ✓ | ✗ | ✓ | Config
CREATE_INVITE_USERS | ✓ | ✓ | ✗ | ✗ | Config
EDIT_USERS | ✓ | ✓ | ✗ | ✗ | Config
DELETE_USERS | ✓ | ✓ | ✗ | ✗ | Config
ASSIGN_ROLES | ✓ | ✓ | ✗ | ✗ | Config
----------------------------------|------|-------|------|------|--------
VIEW_ALL_DATA_PRODUCTS | ✓ | ✓ | ✗ | ✓ | Config
CREATE_DATA_PRODUCTS | ✓ | ✓ | ✓ | ✗ | Config
EDIT_OWN_DATA_PRODUCTS | ✓ | ✓ | ✓ | ✗ | Config
EDIT_STEWARDED_PRODUCTS | ✓ | ✓ | ✓ | ✗ | Config
EDIT_ALL_DATA_PRODUCTS | ✓ | ✓ | ✗ | ✗ | Config
DELETE_DATA_PRODUCTS | ✓ | ✓ | ✗ | ✗ | Config
PUBLISH_DATA_PRODUCTS | ✓ | ✓ | ✗ | ✗ | Config
SUBMIT_FOR_REVIEW | ✓ | ✓ | ✓ | ✗ | Config
APPROVE_FOR_PUBLISHING | ✓ | ✓ | ✗ | ✓ | Config
DEPRECATE_DATA_PRODUCTS | ✓ | ✓ | ✗ | ✗ | Config
RETIRE_DATA_PRODUCTS | ✓ | ✓ | ✗ | ✗ | Config
----------------------------------|------|-------|------|------|--------
VIEW_ACCESS_REQUESTS | ✓ | ✓ | ✓ | ✓ | Config
APPROVE_ACCESS_REQUESTS | ✓ | ✓ | ✓ | ✗ | Config
APPROVE_ALL_ACCESS_REQUESTS | ✓ | ✓ | ✗ | ✗ | Config
REVOKE_ACCESS | ✓ | ✓ | ✓ | ✗ | Config
BULK_ACCESS_OPERATIONS | ✓ | ✓ | ✗ | ✗ | Config
----------------------------------|------|-------|------|------|--------
VIEW_SEMANTIC_TERMS | ✓ | ✓ | ✓ | ✓ | Config
CREATE_SEMANTIC_TERMS | ✓ | ✓ | ✓ | ✗ | Config
EDIT_SEMANTIC_TERMS | ✓ | ✓ | ✓ | ✗ | Config
DELETE_SEMANTIC_TERMS | ✓ | ✓ | ✗ | ✗ | Config
LINK_SEMANTICS | ✓ | ✓ | ✓ | ✗ | Config
----------------------------------|------|-------|------|------|--------
VIEW_DATA_MODELS | ✓ | ✓ | ✓ | ✓ | Config
CREATE_DATA_MODELS | ✓ | ✓ | ✓ | ✗ | Config
EDIT_DATA_MODELS | ✓ | ✓ | ✓ | ✗ | Config
DELETE_DATA_MODELS | ✓ | ✓ | ✗ | ✗ | Config
----------------------------------|------|-------|------|------|--------
ACCESS_ADMINISTRATION_SECTION | ✓ | ✓ | ✗ | ✓ | Config
MANAGE_APPLICATIONS | ✓ | ✓ | ✗ | ✗ | Config
MANAGE_USERS | ✓ | ✓ | ✗ | ✗ | Config
MANAGE_ROLES | ✓ | ✓ | ✗ | ✗ | Config
MANAGE_BRANDING | ✓ | ✓ | ✗ | ✗ | Config
MANAGE_STAGING | ✓ | ✓ | ✗ | ✗ | Config
MANAGE_SSO | ✓ | ✓ | ✗ | ✗ | Config
VIEW_AUDIT_LOGS | ✓ | ✓ | ✗ | ✓ | Config
EXPORT_DATA | ✓ | ✓ | ✗ | ✓ | Config
----------------------------------|------|-------|------|------|--------
[Export Matrix] [Configure Custom Role] [Print]
Permission Categories:
User Management (10 permissions):
Data Product Management (15 permissions):
Access Management (8 permissions):
Semantics Registry (5 permissions):
Data Models (4 permissions):
Administration (8 permissions):
Permission Inheritance Model:
ROOT_ADMIN
│
├─ ALL PERMISSIONS (unrestricted)
│
└─ SUPER_ADMIN
│
├─ Most permissions (except ROOT modification)
│
└─ DATA_GOVERNANCE
│
├─ Product review and approval
├─ Compliance monitoring
└─ Audit access
└─ REGULAR_DEFAULT_USER
│
├─ Create/own products
├─ Request access
└─ Basic operations
└─ Custom Roles (additional permissions)
│
├─ Finance Data Steward
├─ Marketing Data Owner
└─ External Auditor
Domain-Specific Role Configuration:
Role: Finance Data Steward
Domain Restrictions:
Allowed Domains: Finance, Accounting
Restricted Domains: Marketing, Sales, Operations
Permissions Applied:
Within Allowed Domains (Finance, Accounting):
✓ CREATE_DATA_PRODUCTS
✓ EDIT_DATA_PRODUCTS
✓ CREATE_SEMANTIC_TERMS
✓ EDIT_SEMANTIC_TERMS
Within Restricted Domains (All Others):
✓ VIEW_DATA_PRODUCTS (read-only)
✗ CREATE_DATA_PRODUCTS
✗ EDIT_DATA_PRODUCTS
Global Permissions (No Domain Restriction):
✓ VIEW_ALL_DATA_PRODUCTS
✓ REQUEST_ACCESS
✓ VIEW_SEMANTIC_TERMS
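The domain rules above amount to a deny-by-default check: a scoped permission is granted only when the resource's domain is in the role's allowed set. The following is an added example, not Elementrix code; the `Role` class and `is_allowed` function are hypothetical, and modeling VIEW_DATA_PRODUCTS as a global permission is an assumption based on its read-only availability in restricted domains.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    """Hypothetical model of a domain-restricted role (not the platform's schema)."""
    code: str
    global_perms: frozenset     # granted in every domain
    scoped_perms: frozenset     # granted only inside allowed_domains
    allowed_domains: frozenset

# Finance Data Steward as configured on this page. VIEW_DATA_PRODUCTS is
# modeled as global because the page grants it read-only in all other domains
# (an assumption of this example).
FINANCE_DATA_STEWARD = Role(
    code="FINANCE_DATA_STEWARD",
    global_perms=frozenset({"VIEW_ALL_DATA_PRODUCTS", "REQUEST_ACCESS",
                            "VIEW_SEMANTIC_TERMS", "VIEW_DATA_PRODUCTS"}),
    scoped_perms=frozenset({"CREATE_DATA_PRODUCTS", "EDIT_DATA_PRODUCTS",
                            "CREATE_SEMANTIC_TERMS", "EDIT_SEMANTIC_TERMS"}),
    allowed_domains=frozenset({"Finance", "Accounting"}),
)

def is_allowed(roles, permission, domain=None):
    """Return (decision, reason). Deny unless some role explicitly grants."""
    for role in roles:
        if permission in role.global_perms:
            return True, f"{role.code}: global grant"
        if permission in role.scoped_perms:
            # A scoped permission needs a resource domain; a missing or
            # unlisted domain is treated as outside the allowed set.
            if domain is not None and domain in role.allowed_domains:
                return True, f"{role.code}: granted in {domain}"
    return False, "no role grants this permission in this domain"

if __name__ == "__main__":
    checks = [("CREATE_DATA_PRODUCTS", "Finance"),
              ("CREATE_DATA_PRODUCTS", "Marketing"),
              ("VIEW_DATA_PRODUCTS", "Sales"),
              ("EDIT_SEMANTIC_TERMS", None),
              ("DELETE_DATA_PRODUCTS", "Finance")]
    for perm, dom in checks:
        print(perm, dom, is_allowed([FINANCE_DATA_STEWARD], perm, dom))
```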
Guidelines:
Example Scenario:
Scenario: New Finance Analyst
❌ Bad Approach:
- Assign SUPER_ADMIN role
- Full access to everything
- Security risk
✓ Good Approach:
- Assign REGULAR_DEFAULT_USER (default)
- Assign Finance Data Steward (domain-specific)
- Grant access to specific finance products
- Review permissions after 90 days
Best Practices:
Examples:
✓ Good Names:
- Finance_Data_Steward
- Marketing_Data_Owner
- Compliance_Auditor
- Analytics_Team_Member
❌ Bad Names:
- User1
- Team_Role
- Special_Access
- Admin2
Quarterly Role Audit:
Role Audit Checklist:
For Each Role:
1. Review assigned users
- Are all assignments still valid?
- Remove inactive users
- Verify continued business need
2. Review permissions
- Are permissions still appropriate?
- Remove unnecessary permissions
- Add new permissions if needed
3. Check usage
- Are permissions being used?
- Remove unused permissions
- Identify permission gaps
4. Update documentation
- Document changes
- Update role descriptions
- Notify affected users
[Generate Audit Report] [Schedule Next Review]
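Steps 1 and 3 of the checklist (assigned users, permission usage) can be checked against an audit-trail export. The following is an added example, not part of the platform: the data layout, the `audit_role` function and the sample events are constructed for illustration, and the 90-day window is an assumption matching a quarterly cycle.

```python
from datetime import date, timedelta

# Constructed sample data; structure and field order are hypothetical.
ROLE_PERMS = {
    "FINANCE_DATA_STEWARD": {"VIEW_ALL_DATA_PRODUCTS", "CREATE_DATA_PRODUCTS",
                             "EDIT_STEWARDED_PRODUCTS", "REVOKE_ACCESS"},
}
ASSIGNMENTS = {  # role -> assigned users
    "FINANCE_DATA_STEWARD": {"john.doe@company.com", "jane.smith@company.com",
                             "bob.johnson@company.com"},
}
AUDIT_EVENTS = [  # (user, permission exercised, date)
    ("john.doe@company.com", "VIEW_ALL_DATA_PRODUCTS", date(2025, 2, 10)),
    ("john.doe@company.com", "EDIT_STEWARDED_PRODUCTS", date(2025, 3, 1)),
    ("jane.smith@company.com", "CREATE_DATA_PRODUCTS", date(2025, 1, 20)),
    ("bob.johnson@company.com", "VIEW_ALL_DATA_PRODUCTS", date(2024, 9, 5)),
]

def audit_role(role, as_of, window_days=90):
    """Flag permissions no assignee used, and assignees with no activity,
    within the review window ending at as_of."""
    cutoff = as_of - timedelta(days=window_days)
    users = ASSIGNMENTS.get(role, set())
    granted = ROLE_PERMS.get(role, set())
    used, active = set(), set()
    for user, perm, when in AUDIT_EVENTS:
        if user in users and cutoff <= when <= as_of:
            active.add(user)
            if perm in granted:
                used.add(perm)
    return {
        "role": role,
        "unused_permissions": sorted(granted - used),  # removal candidates
        "inactive_users": sorted(users - active),      # unassignment candidates
    }

if __name__ == "__main__":
    print(audit_role("FINANCE_DATA_STEWARD", as_of=date(2025, 3, 31)))
```

A permission unused in one quarter may still be needed for periodic work such as year-end close, so the output lists candidates for the reviewer rather than changes to apply automatically.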
Create Role: External Auditor
Requirements:
- Read-only access to all data products
- Access to audit logs
- Cannot create or modify anything
- Limited to audit-related domains
Permissions:
☑ VIEW_ALL_DATA_PRODUCTS
☑ VIEW_SEMANTIC_TERMS
☑ VIEW_DATA_MODELS
☑ VIEW_AUDIT_LOGS
☑ EXPORT_DATA (for audit reports)
☐ CREATE_DATA_PRODUCTS
☐ EDIT_DATA_PRODUCTS
☐ DELETE_DATA_PRODUCTS
☐ APPROVE_ACCESS_REQUESTS
Domain Restrictions:
- Finance
- Accounting
- Compliance
Duration: Temporary (audit period only)
Auto-Expire: 2025-03-31
[Create Role] [Assign Users]
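The External Auditor requirements can be checked mechanically so that later edits to the role do not erode them. The following is an added example, not platform code: the dict layout, the `read_only` and `temporary` flags, and the `lint_role` function are hypothetical, and classifying permissions by name prefix is an assumption of this example.

```python
from datetime import date

# Assumption of this example: permission names starting with these prefixes
# do not modify platform state.
READ_ONLY_PREFIXES = ("VIEW_", "EXPORT_")

# External Auditor as specified on this page; the dict layout is hypothetical.
EXTERNAL_AUDITOR = {
    "name": "External Auditor",
    "read_only": True,
    "temporary": True,
    "auto_expire": date(2025, 3, 31),
    "permissions": {"VIEW_ALL_DATA_PRODUCTS", "VIEW_SEMANTIC_TERMS",
                    "VIEW_DATA_MODELS", "VIEW_AUDIT_LOGS", "EXPORT_DATA"},
    "domains": {"Finance", "Accounting", "Compliance"},
}

def lint_role(role, today):
    """Return a list of findings; an empty list means the definition passes."""
    findings = []
    if role.get("read_only"):
        mutating = sorted(p for p in role["permissions"]
                          if not p.startswith(READ_ONLY_PREFIXES))
        if mutating:
            findings.append("read-only role grants: " + ", ".join(mutating))
    if role.get("temporary"):
        expiry = role.get("auto_expire")
        if expiry is None:
            findings.append("temporary role has no auto-expire date")
        elif today > expiry:  # valid through the expiry date itself (assumption)
            findings.append(f"role expired on {expiry.isoformat()}; revoke assignments")
    if not role.get("domains"):
        findings.append("role has no domain restriction")
    return findings

if __name__ == "__main__":
    print(lint_role(EXTERNAL_AUDITOR, date(2025, 3, 15)))
    drifted = dict(EXTERNAL_AUDITOR, auto_expire=None,
                   permissions=EXTERNAL_AUDITOR["permissions"] | {"EDIT_DATA_PRODUCTS"})
    print(lint_role(drifted, date(2025, 3, 15)))
```

The prefix check treats EXPORT_DATA as non-mutating, but it still lets data leave the platform, so reviewers may want export grants listed separately in the audit report.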
Role: Data Governance Team
Purpose:
Review and approve data products for publication while ensuring
compliance with organizational policies.
Permissions:
☑ VIEW_ALL_DATA_PRODUCTS (all states)
☑ APPROVE_FOR_PUBLISHING
☑ REQUEST_CHANGES
☑ REJECT_SUBMISSIONS
☑ VIEW_AUDIT_LOGS
☑ MONITOR_COMPLIANCE
☑ GENERATE_GOVERNANCE_REPORTS
☐ CREATE_DATA_PRODUCTS
☐ EDIT_DATA_PRODUCTS (cannot modify directly)
☐ DELETE_DATA_PRODUCTS
Workflow Permissions:
- Receive submissions for review
- Provide feedback to owners
- Approve or reject products
- Monitor published products
- Request deprecation if needed
[Configure Role] [View Workflow]
Role: Marketing Data Owner
Purpose:
Full control over marketing domain data products with ability
to create, manage, and publish marketing-related data.
Permissions:
☑ VIEW_ALL_DATA_PRODUCTS
☑ CREATE_DATA_PRODUCTS (Marketing only)
☑ EDIT_OWN_DATA_PRODUCTS
☑ DELETE_OWN_DATA_PRODUCTS
☑ PUBLISH_DATA_PRODUCTS (after approval)
☑ APPROVE_ACCESS_REQUESTS (own products)
☑ CREATE_SEMANTIC_TERMS (Marketing domain)
☑ ASSIGN_STEWARDS (to own products)
Domain Restrictions:
- Allowed: Marketing
- View-Only: Sales, Customer Service
- Restricted: Finance, HR
[Save Role Configuration]
Available Role Templates:
1. Data Steward Template
- Edit and maintain data products
- Support product owners
- Respond to user questions
2. Data Owner Template
- Full product lifecycle management
- Access request approval
- Team management
3. Domain Administrator Template
- Manage domain-specific resources
- User administration within domain
- Domain configuration
4. Read-Only Analyst Template
- View all products
- Request access
- Export capabilities
5. Compliance Officer Template
- Audit and review access
- Monitor compliance
- Generate reports
[Use Template] [Customize Template] [Create from Scratch]