Automate data governance

Who can do this?

You must be an admin user in Atlan to enable, create, and manage governance workflows. Anyone with access to Atlan - admin, member, or guest user - can use the inbox.

You can streamline your data governance requirements in Atlan with governance workflows and manage alerts, approvals, and tasks using the inbox. Governance workflows enable you to set up robust controls on data access management, metadata enrichment, new entity creation, and more, with out-of-the-box workflow templates and automated execution.

For example, instead of letting your users directly query data or update the certification status of an asset, you can specify assets that require advanced controls and create governance workflows to govern them. These workflows run in the background, make sure that all required approvals are in place, and only then approve users with appropriate permissions to perform any action.

You can use governance workflows to:

  • Risk mitigation - determine how data is used and shared in your organization with automated access policies.
  • Data security - manage requests for data access and processing to grant access only to authorized individuals or teams.
  • Metadata change management - monitor and audit metadata changes to align with established organizational standards.
  • New entity creation - manage and audit documentation of business context such as glossaries and tags to align with established organizational standards.
  • Policy compliance - set up repeatable processes and approval flows for your data assets in Atlan to adhere to regulatory requirements - currently only applicable if you have also enabled the policy center module.

Workflow properties

A common set of properties applies to all governance workflows in Atlan:

  • Only an admin user can create, update, or delete governance workflows.
  • Out-of-the-box workflow templates.
  • Predefined steps based on workflow selection.
  • Must be associated with an asset type or action.
  • Set up autoapproval rules for users, groups, or owners based on metadata attributes and policies.
  • Activity logs for all workflows available by default.
  • Visibility into the transition states of a workflow.
  • Overlapping workflows - governance workflows provide you with the flexibility of creating workflows per team or business domain on the same set of assets instead of creating one complex workflow to cover all your use cases. Atlan handles all the complexities, only letting approvals go through once all approval conditions have been met.

Workflow templates

You can choose from the following workflow templates to govern your assets and manage access:

Change management

This template lets you control changes to metadata within your organization's data management and governance framework. Use cases include requests to:

Change management workflows override any permissions assigned through user roles or access policies. For example, even for users with edit access, metadata update requests go through change management workflows.

If there are no change management workflows in place, then users with edit access can update metadata while users without edit access can only suggest changes to metadata.

New entity creation

This template lets you control the creation and publication of new entities in Atlan. The new entity creation workflow overrides existing glossary policies and user role permissions to create new entities.

Creation of the following entities is currently supported for the new entity creation workflow:

Whether you are an admin or a member user in Atlan, the existence of a new entity creation workflow means you need to submit a request for creating new entities. Guest users can neither directly create nor suggest the creation of glossaries, categories, terms, tags, AI models, and AI applications.

Access management

This template lets you automate the process of requesting, approving, and revoking access to data assets in Atlan. It combines a self-service approach with mandatory human intervention for approval.

You can also revoke data access in Atlan or other data sources. For data sources other than Atlan, you can configure additional actions to revoke data access in the data source.

Use cases include requests to query data or view sample data for the following supported asset types - tables, views, and materialized views.

  • Grant access in Atlan - let requesters request data access for querying data in Insights and previewing sample data within Atlan only.
  • Raise Jira ticket to grant or revoke data access on source - let requesters request or revoke data access for any tool. Atlan creates a support ticket in Jira Cloud for your team to grant or revoke data access and displays the status of your request in Atlan. You need to:
    1. Integrate Jira Cloud and Atlan.
    2. Link your individual Jira Cloud account to Atlan.
    3. Install or register a webhook.
    4. Create an access management workflow to enable or revoke access everywhere using Jira.
      1. Add a Jira project and issue type and specify an issue status while creating the data access workflow.
      2. Your users are granted access or their access is revoked once the request is approved in Jira.
  • Raise ServiceNow request to grant or revoke data access on source - let requesters request or revoke data access for any tool. Atlan creates a request in the Atlan Data Access catalog for your team in ServiceNow to grant or revoke data access and displays the status of your request in Atlan. You need to:
    1. Integrate ServiceNow and Atlan.
    2. Link your individual ServiceNow account to Atlan.
    3. Create a data access approval workflow to enable or revoke access everywhere using ServiceNow.
      1. Specify the request states for approval while creating the data access workflow.
      2. Your users are granted access or their access is revoked once the request is approved in ServiceNow.
  • Trigger a webhook - let requesters request or revoke data access for any tool. Atlan triggers a webhook to a URL of your choice for your team to grant or revoke data access.
    1. For URL, enter the URL where you want to receive events, including details on requester, approver, and asset, and then validate the URL.

      Warning: Atlan sends a sample payload to test if the webhook URL is correct. You must respond with a 2xx status for the validation to succeed. Atlan also runs this validation before you save your webhook as a precautionary measure.

    2. Copy the Secret Key and store it in a secure location to verify data access approval or revocation requests from Atlan.
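
A receiver for the webhook option above that answers 2xx only to requests carrying the Secret Key, and rejects everything else before parsing it. This is an added example, not Atlan's code. It assumes the key arrives in a request header named x-atlan-signing-secret; that header name, the ATLAN_WEBHOOK_SECRET environment variable, and the listen address are assumptions to check against your own workspace.

```python
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the header that carries the Secret Key; confirm the real name
# against a delivery captured from your own Atlan workspace.
SECRET_HEADER = "x-atlan-signing-secret"
MAX_BODY = 1 << 20  # refuse bodies over 1 MiB


def handle_delivery(headers, body, secret):
    """Return (status, reason) for one delivery; headers has lowercase keys."""
    presented = headers.get(SECRET_HEADER, "")
    # Constant-time comparison; an unset secret never matches an empty header.
    if not secret or not hmac.compare_digest(presented.encode(), secret.encode()):
        return 401, "bad or missing secret"
    if len(body) > MAX_BODY:
        return 413, "body too large"
    try:
        event = json.loads(body)
    except ValueError:
        return 400, "body is not JSON"
    if not isinstance(event, dict):
        return 400, "unexpected payload shape"
    # Authenticated: hand the event to your grant/revoke process here.
    # A 2xx answer is also what lets Atlan's URL validation succeed.
    return 200, "accepted"


class Receiver(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            length = -1
        if length < 0 or length > MAX_BODY:
            status, reason = 413, "body too large"
        else:
            secret = os.environ.get("ATLAN_WEBHOOK_SECRET", "")
            headers = {k.lower(): v for k, v in self.headers.items()}
            status, reason = handle_delivery(headers, self.rfile.read(length), secret)
        self.send_response(status)
        self.end_headers()
        self.wfile.write(reason.encode())


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Receiver).serve_forever()
```

Because the handler fails closed, the key must be set in ATLAN_WEBHOOK_SECRET before a validation request arrives, or that request gets a 401 instead of a 2xx.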

Policy approval

You must enable the policy center module to use the policy approval workflow template.

This template lets you automate approvals for your data governance policies in Atlan. Automated policy approval workflows can help you streamline the approval process, facilitate compliance with regulatory standards, and simplify data governance for your organization.

Use cases include requests to:

  • Create new policies
  • Revise existing policies

Enable governance workflows and inbox

Who can do this?

You must be an admin user in Atlan to enable the governance workflows and inbox module for your organization.

To enable governance workflows and inbox for your Atlan users:

  1. From the left menu of any screen in Atlan, click Admin.
  2. Under the Workspace heading, click Labs.
  3. On the Labs page, under Governance center, turn on Governance Workflows and Inbox to govern your assets and manage alerts, approvals, and tasks in Atlan more effectively.

If you'd like to disable the Governance Workflows and Inbox module from your organization's Atlan workspace, follow the earlier steps to turn it off.

Once enabled, you can also temporarily disable the module and turn it on again as needed. Disabling it won't result in any data loss for governance workflows you have created or for existing requests.

Interactions with existing access control mechanisms

Once you have turned on governance workflows and inbox, the module interacts with existing access control mechanisms in Atlan as follows:

  • Requests: Atlan channels requests and approvals through governance workflows and lands them in the inbox.
  • Personas and purposes:
    • Metadata policies - your users must have read access to an asset to trigger governance workflows. If an asset is governed by a governance workflow, your users can raise a request on that asset regardless of all grant/deny permissions in metadata policies.
    • Data policies:
      • No data policy exists - if the workflow connection lets you query and preview sample data but a data policy hasn't been configured, your users can raise a data access request on governed assets in the connection.
      • Data policy with explicit restrictions - if an existing data policy denies querying and previewing sample data and assets are governed by a governance workflow, your users won't be able to raise a data access request on governed assets in the connection.
      • Data policy with explicit grants - if an existing data policy lets you query and preview sample data and assets are governed by a governance workflow, your users can raise a data access request on governed assets in the connection.
    • Glossary policies - if an asset (glossaries, categories, and terms) is governed by a governance workflow, your users can raise a request on that asset regardless of all grant/deny permissions in glossary policies.
    • Domain policies - governance workflows are currently not applicable to domain policies.
  • User roles - if an asset is governed by a governance workflow, your users can raise a request on that asset regardless of their role or permissions. For any asset not governed by a governance workflow, default role permissions apply.
  • Connection admins - if an asset is governed by a governance workflow, connection admins have to go through the approval process for governed assets in the connection.
  • Governance workflows are currently not triggered for the following actions: