Delegate administration

Atlan allows you to define granular access controls and delegate administrative functions with admin subroles. Atlan currently supports the following built-in admin subroles:

• Workflow admin  - the workflow admin subrole allows Atlan admins to:
  • Grant administrative access to users to manage connectors and connection workflows only.
  • Restrict access to admin capabilities in the admin center and governance capabilities in the governance center.
• Governance admin - the governance admin subrole allows Atlan admins to:
  • Grant administrative access to users to manage governance capabilities only.
  • Restrict access to admin capabilities in the admin center and connectors and connection workflows in the workflow center.

Assign a subrole

Who can do this?

You will need to be an admin user in Atlan to assign an admin subrole.

To assign an admin subrole:

1. In your Atlan workspace, click Settings from the left menu.

   If you are using the Old UI (Classic), from the left menu of any screen, click Admin.

2. Click Users.

3. To assign an admin subrole, you can either:

   • To assign the subrole to an existing user, navigate to any user and click the Role dropdown. In the Select Role dialog, click Workflow Admin or Governance Admin and then click Update.
   • To assign the subrole to a new user, follow the steps in How to invite new users without SSO. Change the role of the user to Workflow Admin or Governance Admin and then click the Send Invite button.

Workflow admin

The workflow admin role is a subcategory of the admin role in Atlan. This admin subrole grants specific permissions for creating and managing connection workflows.

Permissions

A workflow admin has the following permissions and capabilities:

• Connections:
  • Create a new connection for supported sources
  • View all connections
  • Manage all connections from the Connections tab in the Governance center
  • Edit an existing connection - the user must also be a connection admin for that specific connection or have a policy granting them access to the connection.
• Workflows:
  • Create and manage workflows from the Workflow center
  • View all workflows and workflow runs
  • Edit or delete any workflow credentials - connection admin access not required
  • Run any workflow
  • Add, remove, or edit schedules for any workflow
• The following capabilities work exactly as that of a member user:
  • Asset search and discovery - can update metadata for assets in a connection that the workflow admin either created or was added to as a connection admin.
  • Business Graph - can view all glossaries but requires edit access through glossary policies. If glossary restrictions are in place, then the workflow admin can only view the glossaries as per their glossary policies.
  • Data Exploration - requires data policies to query data and preview sample data.
  • Reporting center - if enabled by admins, can view the assets, glossary, Data Exploration, and usage and cost dashboards.
  • Data products - requires domain policies to access domains and products.

Restrictions

A workflow admin has the following explicit restrictions:

• Can only access the Connections tab in the Governance center.
• Cannot delete any existing connections using the Connection Delete workflow.
• Cannot access or perform any actions in the Admin center.
• Is excluded from the default All Admins group in any workflow configuration.
• Cannot access the Reporting Center by default. The Reporting Center is only accessible to users with the full Admin role. To grant access, an admin can enable Allow member users to access Reporting Center in Labs. Note that this setting applies organization-wide to all member users and cannot be scoped to Workflow Admins only.

(Optional) Restrict workflow visibility

By default, all workflow admins can see the existence of all workflows. However, you may want to limit specific teams from being able to see all workflows in Atlan. You can optionally turn off the default behavior to restrict workflow visibility.

Once you have turned off the default behavior, in the Workflow center:

• The Monitor tab will no longer be visible to workflow admins.
• The Manage tab will display only the workflows created by workflow admins themselves.
• If there are no existing workflows, a workflow admin will only have access to the Marketplace tab to create a new one.

To restrict workflow visibility:

1. In your Atlan workspace, click Settings from the left menu.

   If you are using the Old UI (Classic), from the left menu in Atlan, click Admin.

2. Click Labs.

3. Under the Access Control heading of the Labs page, turn off Allow workflow admins to access all workflows.

Your workflow admins will now only have access to the workflows they created by default.

If you'd like to restore the default behavior, follow the steps above and then turn it on.

Governance admin

The governance admin role is a subcategory of the admin role in Atlan. This admin subrole grants specific permissions for managing the governance center.

Permissions

A governance admin has the following permissions and capabilities:

• Personas:
  • Create and manage personas from the Governance center
  • View all personas
  • Edit users and policies for existing personas - the user must either also be a connection admin or have a policy granting them access to the persona.
• Purposes:
  • Create and manage purposes from the Governance center
  • View all purposes
  • Edit users and policies for existing purposes - the user must either also be a connection admin or have a policy granting them access to the purpose.
• Governance workflows - create and manage governance workflows
• Playbooks - create and run playbooks
• Policy center - create and manage data governance policies
• README templates - create and manage README templates
• Tags - create and manage tags
• Domains - only manage domains, cannot create them
• Custom metadata, badges, and options - create and manage custom metadata and associated properties
• The following capabilities work exactly as that of a member user:
  • Asset search and discovery - can update metadata for assets in a connection that the governance admin was added to as a connection admin.
  • Business Graph - can view all glossaries but requires edit access through glossary policies. If glossary restrictions are in place, then the governance admin can only view the glossaries as per their glossary policies.
  • Data Exploration - requires data policies to query data and preview sample data.
  • Reporting center - if enabled by admins, can view the assets, glossary, Data Exploration, and usage and cost dashboards.
  • Data products - requires domain policies to access domains and products.

Restrictions

A governance admin has the following explicit restrictions:

• Cannot access or perform any actions in the Admin center or Workflow center.
• Cannot access metadata and data policies if the user is neither a connection admin nor has a policy granting them access to a persona or purpose.
• Cannot access the Connections tab in the Governance center.
• Is excluded from the default All Admins group in any workflow configuration.
• Cannot access the Reporting Center by default. The Reporting Center is only accessible to users with the full Admin role. To grant access, an admin can enable Allow member users to access Reporting Center in Labs. Note that this setting applies organization-wide to all member users and cannot be scoped to Governance Admins only.