
PrivaceraCloud Documentation

Concepts in Governed Data Sharing

This section describes the high-level relationships among applications with data and the people involved in PrivaceraCloud Governed Data Sharing.

Data relationships

These diagrams present two different views of the relationships of data in Privacera Governed Data Sharing. The functions of some of the roles that work with the data are further described in Hierarchy of Roles.

Dotted lines in these diagrams indicate features that are optional.

The following diagram represents how the data in Governed Data Sharing is mechanically created by the various roles.

[Diagram: how the data in Governed Data Sharing is created by the various roles]

The following diagram represents how the data in Governed Data Sharing might be used by your organization day-to-day.

[Diagram: gds_data_venn.png]

Application with data resources

An application defines a third-party system that contains the data analyzed by PrivaceraCloud. The account administrator connects applications to PrivaceraCloud to make their data accessible. Depending on the type of application, it can contain resources, databases, or tables.

Resources is a generic term for the data made available to PrivaceraCloud by connecting an application. For example, files in an application, such as .csv or .json files in an S3 bucket, are resources.

A database is a single collection of data in an application, and a table is a subset of a database with a distinct schema.

Data domain and shared dataset

A data domain is a defined combination of applications with data that can be operated on as a whole for the purpose of access control or Privacera Discovery scans.

  • A data domain is a logical abstraction, whereas an application with data represents a physical third-party system that has been connected to PrivaceraCloud by the account administrator.

  • A data domain can include multiple applications with data of different types.

  • The account administrator constructs a data domain and assigns the data owner of the domain.

  • A shared dataset is composed of one or more data domains that the data owner or data steward shares with data users.

Project

A project has a specific goal defined by the data owner or data steward. It can be created directly from a data domain or be composed of one or more shared datasets.

Hierarchy of roles

This diagram shows the logical hierarchy of relationships among the roles involved in Governed Data Sharing.

Dotted lines in this diagram indicate features that are optional.

[Diagram: gds_hierarchy_of_roles.png]

Account administrator

The account administrator is the person who first created an account for your organization on PrivaceraCloud.

The account administrator:

  • Creates users and groups.

  • Connects applications with data.

  • Defines data domains based on applications.

  • Assigns data domains to data owners.

  • Can run Privacera Discovery scans on data domains.

Data owner and data steward

A data owner is a PrivaceraCloud user who has been assigned the data owner role by the account administrator for a particular data domain.

An optional data steward is a PrivaceraCloud user who has been assigned as a delegate by the data owner of a particular data domain.

There is no limit to the number of data owners or data stewards of a data domain.

A data owner or data steward:

  • Creates and shares datasets composed of data domains.

  • Can optionally delegate most of these functions to data stewards.

  • Gives access to datasets to users, groups, or roles.

  • Can make shared datasets or projects discoverable by data users.

  • Accepts or rejects requests from data users to access shared datasets.

  • Can optionally define projects.

  • Can optionally assign project leaders to projects.

  • Assigns users, groups, and roles to projects.

  • Grants read/write access permissions to users, groups, or roles in datasets, resources in those datasets, or projects.

  • A data owner can run Privacera Discovery scans on data domains, shared datasets, and projects.

    Note

    Except for running Privacera Discovery scans, a data steward has all the same functions as a data owner.

Project leader

An optional project leader is a PrivaceraCloud user assigned to projects defined by the data owner or data steward.

There is no limit to the number of project leaders of a project.

A project leader:

  • Can add resources that they own to defined datasets.

  • Can add users, groups, and roles to projects.

  • Can accept or reject requests from data users to access shared datasets.

Data governor

A data governor is a PrivaceraCloud user who has been assigned this role by the data owner. Data governors have the function of an auditor.

A data governor:

  • Can see all data in data domains, shared datasets, resources, projects, and discovery scan results to which they have been given access.

  • Cannot change the data in any of those data domains, shared datasets, resources, or projects.

  • Can initiate discovery scans.

  • Can cancel discovery scans started by other users for data to which the data governor has access.

Data user

A data user is a PrivaceraCloud user who has been assigned certain Privacera system roles by the account administrator. A data owner, data steward, or project leader gives a data user access to data domains, shared datasets, or projects with certain permissions.

Data user is a general term for many different work functions that your organization might have. For example, you might have data analysts, ETL programmers, data scientists, and auditors.

For simplicity, Governed Data Sharing abstracts these various functions into a single role: data user. Your organization's definition of these various possible functional roles is for you to decide.

A data user:

  • Can request access to shared datasets that have been made discoverable by data owners or stewards.

  • Can access shared datasets that they have been given permission to see.