RFC - Workgroup-Assigned User Access Controls

1

We are putting out a request for comments from users around introducing more granular access to items in workgroups.

We have had feedback from some users about the lack of granular controls within workgroups. At the moment, a member of a workgroup depending on their role can either edit or view everything - there is no in-between. For example:

  • A workgroup steward can edit all registered content
  • A workgroup editor can edit all unregistered content

Administrators are also unable to specify important stakeholders of data, such as owners or approvers of data.

This prevents the following scenarios:

  • a user who needs to see things in a workgroup, but is only responsible for maintaining one item.
  • A person who has steward access to update one record after its registered, but not all of them.
  • A user who needs to see things in a workgroup, but is only responsible for maintaining one item - such as a data asset or classification.
  • A user who has delegate authority to give access to a data asset cannot be flagged against an metadata record in the metadata registry
  • A user who should be given

All of this could be achieved by having more workgroups, with one item per group. But if there are many items that require restricted access, this would mean there could be many workgroups with only one item. Or broader permissions would need to be provided.

To resolve this, we are seeking feedback on new “access controls” or “assignment types” where workgroup managers could add people on an item by item basis with restricted controls.

Workgroup-Assigned User Access Controls

  • Stewardship Organisation Admins would be able to define “assignment types” for Workgroup managers to use within the Stewardship Organisation.

    • These would have:
      • title - the name of the assignment type (see examples below)
      • description - a brief description of the assignment type
      • item permission, ie. what can the user do to the item (submitter/steward/viewer - default:viewer)
      • transferable, ie. they can a user give this assignment to another user, default to ‘no’
      • who the assignment is visible to (public, authenticated, SO, WG, default: WG) - we don’t need to include this, maybe this is a stretch goal
    • Stewardship Organisations would also be able to delete “assignment types”

  • Item Assignment

    • A manager in a workgroup could assign (or bulk assign) items to any user in the stewardship organisation
    • An assigned user may not need to be a member of the workgroup - so the permission to maintain an item can be kept separate from the “owning” workgroup.
    • However, an assigned user must be a member of the Stewardship Organisation. This restriction will ensure that a Workgroup Manager does not override Stewardship Organisation Administrator controls around inviting non-members.

  • Assigned Items

    • Users who have been assigned to an item are given a new page in their dashboard metadata listing page of all the items they have been explicitly assigned to.
    • Users would gain the appropriate permissions to that item.
    • They will see a list of these items, with the workgroup its in. Because they can see the item, they can also open issues or reviews against the item.

  • A user can remove their own assignment - with a notification sent to workgroup managers

Examples of roles could be:

  • Data Asset Owner: Someone who has view only access, and is responsible for and holds the actual data asset (the person who controls the database)
  • Reviewer: Someone who has view only access to a metadata item
  • Access Approver: Someone who has view access to a metadata item, but is the person who can approve access to the data asset
  • Data Steward: The person who has write access to a metadata record

Out of scope:

This proposal only covers individual users and items only. We aren’t including the idea of “teams” within a Workgroup, where a team of users could be assigned access to a subset of items in a workgroup, but may consider adding this at a later stage.

We ae not calling these “roles” as we see an additional separate feature for bulk assigning permissions - eg. membership to multiple workgroups as a “role” we are scoping for late in the 2025 roadmap.

1 Like
2

@skew @SarahS @RobynKE - Your thoughts on this would be welcome?

3

Hey Sam, this isn’t something that has come up as an issue for us. We are currently running at about 165 workgroups, set up at team level, each containing metadata that a particular data steward is responsible for maintaining. We haven’t had a need yet to establish access controls at a more granular level than at workgroup level.

My initial thoughts are that introducing another layer of access controls at item level may be administratively more difficult to manage than having a higher number of workgroups? I’m cautious about how item assignment controls would work with (or override?) metadata registration processes etc., and any additional complexity with troubleshooting access issues?

In terms of data owner and approver roles, we currently use the Contact Point field and custom fields for Data Steward and Access Instructions to record this information. We prefer to use team-level contact information against individual data asset records, to minimise the number of bulk updates we need to make (to keep up with constant staffing moves).

What I’d be keen to see as an enhancement is the ability to make limited information about Workgroups visible to all stewardship organisation viewers, without needing to be a member of the Workgroups themselves. This would primarily include access to information on the Home tab and the Members tab. This way, someone looking at a metadata record can see what workgroup it is assigned to and navigate to that workgroup to see more information about the workgroup, how it is set up, who are the individuals who can be contacted and what their role is etc…

I like the idea of users having a new page in their dashboard that summarises the items they are specifically related to. This could work at Workgroup level as well – showing any items for which they are a workgroup manager, workgroup steward, workgroup submitter, or workgroup viewer?

Cheers,

1 Like
5

Hi Sam! Happy 2025!

We’d be excited to see this type of granularity, provided there is a way to easily manage and have visibility of non-member users who have been given additional access to items.

We have a lot of work that is cross-team or requires cross-team collaboration. Currently we’ve been creating multiple new workgroups for each group of collaborators, but this has made it difficult for us to manage the users across multiple items, adds administration for creating new workgroups, and adds to workgroup bloat.

What we want to avoid is creating one-off/single-purpose workgroups that don’t really get used again after the work is completed as this means we may end up with a lot of ‘dead-in-the-water’ workgroups and increases administrative workload to manage access (particularly if people in these groups leave the org or change roles).

With this granularity you’re proposing I think we might also be able to elevate workgroups as the governance mechanism rather than containing that information in a custom slot (E.g. 1 workgroup per data owner), and it will allow us to better filter and search for items.

A dashboard view listing all items that a user has been explicitly assigned to would be great! We want to create a ‘My assets’ type quick link to allow users to see the items that they have a specific role for.

In general, if we have this kind of granularity, we would need an easy way of managing it and having visibility of who has been granted these roles.
I’ve done some very rough mockups below of what I’m thinking could make this management simpler.

WORKGROUP DASHBOARD - METADATA TAB

Expand existing workgroup dashboard metadata tab. The purpose is to view a list of items which have users who have been given additional access

image
image1462×803 168 KB

  • A column is added to the workgroup ‘Metadata’ tab. This column displays the number of users who have been granted additional access to that particular item. When clicked, this displays a list of these users.
  • A new ‘Bulk Action’ is added called ‘Remove additional access’ which removes all users who have been granted additional access to the selected items
  • A new ‘Item Actions’ is added called ‘Remove additional access’ which removes all users who have been granted additional access to the specific item
WORKGROUP DASHBOARD - NEW 'ADDITIONAL ACCESS' TAB

Add an additional tab to the workgroup dashboard. The purpose is to view a list of users who have been given additional access to items in the workgroup

image
image1468×748 109 KB

  • This tab displays all users who have been granted additional access to items (both members and non-members)
  • The ‘Workgroup items with additional access’ column displays all items that the users has been granted additional access. When clicked, it goes to the person’s profile and shows all items that they have been given access to, and their roles for those items.
  • The ‘Last Login’ datetime is pulled from the users profile. This gives admins a good indication of how active the user is and whether they need to be removed from items due to inactivity.
  • Under ‘Manage’, an admin can select ‘Revoke access’ which revokes all additional granted permissions from the specific user
  • A ‘Bulk Action’ function is added for ‘Revoke access’ which revokes all additionally granted permissions from the selected users
USER PROFILE DASHBOARD - NEW 'ITEM ACCESS' SECTION

Expand existing user profile with a new section. The purpose is for users and administrators to view items where a specific user has been given additional access (includes items across all workgroups)

image
image1147×678 140 KB

  • This page displays all items that a user has been granted access to and their role for each item. These are items from all Workgroups. Users can apply filters to filter by specific workgroups and roles.
  • If viewing the profile as an administrator, the administrator can use a ‘Bulk Actions’ function to revoke user access to all selected items.
  • If viewing the profile as the user, the user can use a ‘Bulk Actions’ function to remove their roles access to selected items.
  • This would replace the current ‘User Roles’ section in a user profile. A ‘User Workgroups’ section can be added as well to display all workgroups that a user is assigned to (and allow admin to bulk remove that user from all selected workgroups).

By having these dashboards or something similar, it should theoretically be fairly easy for admins to manage the additional user permissions you’ve suggested. There might be some fiddly bits when adding people to a workgroup, but I don’t think it would be any more than what we currently do with creating new workgroups for groups.

Another possible idea to help reduce administration is to enable time-based access. E.g. when assigning additional access to user for an item, the admin can include an expiry date for the access. After the expiry date chosen, the system will automatically revoke the users additional access. Admins can choose to keep this field blank if they don’t want an expiry.