My organization maintains a dataset outside of Foundry of all users and their accessible data sources. This dataset has already been brought into Foundry via a data connection. What are the best practices for using this external resource to automatically manage data source access controls?
1 thing that comes to mind is to manage access through Multipass Groups, not directly on datasets → keeps it clean and auditable
Hi Joel,
Agree with the response above, and wanted to add a bit of implementation experience from workflows I’ve built:
- AD group management on projects
This works well when you have a relatively clean data access profile, and you store the data connector and everything else in there. The most straightforward solution.
- A central data ingestion project, managed by admins, which feeds into other projects
This works well when your data access profile is messy, e.g. when certain rows need to be visible to certain people only.
To solve for some of the complexity of this approach (or at least not complect it further), I built a management application in Workshop, which outputs a rules object type that is ingested by the transforms. This allows the data owners to map access rights on a group/user level.
While Foundry UUIDs don’t translate back to your AD, you should be able to map these in Foundry. This allows you to easily map row-level access controls automatically or manually, depending on your use case.
We also built a user-facing side of this, allowing users to request access, which streamlines the process and opens up the data landscape to the users on the platform, without revealing sensitive information.
Hope this helps!
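
The group-based approach suggested in the replies can be driven from the external dataset by computing a membership plan per group, shown here as an added example that is not part of the thread and does not use any Foundry API. All names (group names, the ID map, the sample rows) are hypothetical and constructed; applying the plan to the platform is left out.

```python
from collections import defaultdict

# Constructed sample data; every name below is hypothetical.
ENTITLEMENTS = [  # rows of the external dataset: (external user id, data source)
    ("alice@corp", "finance_db"),
    ("bob@corp", "finance_db"),
    ("bob@corp", "hr_db"),
    ("carol@corp", "hr_db"),  # carol has no platform ID mapping yet
]
ID_MAP = {"alice@corp": "uuid-a", "bob@corp": "uuid-b", "dave@corp": "uuid-d"}
SOURCE_TO_GROUP = {"finance_db": "grp-finance-read", "hr_db": "grp-hr-read"}
CURRENT = {"grp-finance-read": {"uuid-a", "uuid-d"}, "grp-hr-read": set()}


def plan_group_changes(entitlements, id_map, source_to_group, current):
    """Return (plan, skipped): per-group add/remove lists plus rows not applied."""
    desired = defaultdict(set)
    skipped = []
    for ext_user, source in entitlements:
        group = source_to_group.get(source)
        platform_id = id_map.get(ext_user)
        if group is None or platform_id is None:
            # Fail closed: an unmapped user or source grants nothing, but is reported.
            skipped.append((ext_user, source))
            continue
        desired[group].add(platform_id)
    plan = {}
    # Only groups owned by this process (those in source_to_group) are touched.
    for group in sorted(set(source_to_group.values())):
        have = current.get(group, set())
        want = desired.get(group, set())
        plan[group] = {"add": sorted(want - have), "remove": sorted(have - want)}
    return plan, skipped


if __name__ == "__main__":
    plan, skipped = plan_group_changes(ENTITLEMENTS, ID_MAP, SOURCE_TO_GROUP, CURRENT)
    for group, change in plan.items():
        print(group, change)
    print("not applied:", skipped)
```

Logging the plan and the skipped rows on every run gives an audit trail of why each membership changed, and removals revoke access that the external dataset no longer lists.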