Metadata Form Enforcement #1668
Comments
I think we don't really need Item level, so I'll remove it.
@SofiaSazonova, how will this look if, as a data.all admin, I want to enforce a Metadata Form for all datasets in data.all? Using Table E.1 as an example:

Metadata Form: the identifier of the metadata form to enforce

Is this correct? In this case, the Form will be required for all Datasets in data.all? Is it then also required for all Buckets/Folders/Tables/Shares for all Datasets? Or would that only happen if "Entity Types" was "Dataset, Bucket, Folders, Tables, Shares"?
### Feature or Bugfix

- Feature

### Detail

**MF view**

1. Enforcement rule tab is added
2. MF owner can add Enforcement rules, others can view
3. For each Enforcement rule the user can see the entities affected by it and whether the form is attached or not
4. Rule is automatically updated for the latest MF version when a version is created/deleted

**Entity view**

1. If any enforced forms are missing from an entity, the 'Metadata' tab on its page has an "alarm" icon
2. Missing MFs are highlighted in the list of attached entities

**Backend**

1. New core component MetadataFormEntityManager.
2. All eligible entities register in this manager when their module is enabled
3. This manager is unused if the metadata form module is not created
4. Metadata form module depends on the DatasetBase module, because we have a 'Dataset' enforcement level and logic bound to it.

**IMPORTANT** Before this PR is merged, I will deregister modules which don't have a frontend for MF yet.

### Relates

- #1668

### Security

Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/).

- Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)?
  - Is the input sanitized?
  - What precautions are you taking before deserializing the data you consume?
  - Is injection prevented by parametrizing queries?
  - Have you ensured no `eval` or similar functions are used?
- Does this PR introduce any functionality or component that requires authorization?
  - How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  - Are you logging failed auth attempts?
- Are you using or adding any cryptographic features?
  - Do you use standard proven implementations?
  - Are the used keys controlled by the customer? Where are they stored?
- Are you introducing any new policies/roles/users?
  - Have you used the least-privilege principle? How?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

---------

Co-authored-by: Sofia Sazonova <sazonova@amazon.co.uk>
Enforcement
Metadata forms can be made obligatory to fill in at different levels. The user selects the metadata form and the entity types that should have this form attached. Enforcement affects the selected entity types on all lower levels of the hierarchy.
Table E.1. Metadata form enforcement rule
Table E.2. Metadata form levels’ hierarchy
Who can enforce:
So in summary, enforcement capabilities cascade along with administrative privileges in the hierarchy. Global admins have full control, org/env admins can enforce for their sphere and below, dataset admins for the datasets and items in it, and share requesters and approvers for a specific share.
How do we enforce?
2.1. Orgs:
2.2. Envs
2.3. Datasets
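The cascade described in the "Enforcement" and "Who can enforce" text above, as an added model that is not code from the data.all project: each entity knows its parent, a rule hangs off a scope entity (or off data.all itself) and names the entity types that must carry the form, affected entities are those of a listed type anywhere below the scope, and an admin may only create rules at their own scope or below. Entity names, form ids and the helper names are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

@dataclass(eq=False)
class Entity:
    uri: str
    entity_type: str                        # "Organization", "Environment", "Dataset", "Table", ...
    parent: Optional[Entity] = None         # None only for top-level entities
    attached_forms: set = field(default_factory=set)   # form ids already attached to this entity

@dataclass
class EnforcementRule:
    form_uri: str                           # the metadata form being enforced
    scope: Optional[Entity]                 # entity the rule hangs off; None = all of data.all
    entity_types: frozenset                 # entity types that must carry the form

def is_within(entity: Optional[Entity], scope: Optional[Entity]) -> bool:
    """True if `entity` is `scope` itself or sits anywhere below it (a None scope covers everything)."""
    if scope is None:
        return True
    while entity is not None:
        if entity is scope:
            return True
        entity = entity.parent
    return False

def affected(rule: EnforcementRule, entities: list) -> list:
    """Entities the rule applies to: matching type and inside the rule's scope."""
    return [e for e in entities if e.entity_type in rule.entity_types and is_within(e, rule.scope)]

def missing_forms(entity: Entity, rules: list) -> list:
    """Form ids required on this entity but not attached (what would drive the 'alarm' icon)."""
    return sorted(r.form_uri for r in rules
                  if entity.entity_type in r.entity_types and is_within(entity, r.scope)
                  and r.form_uri not in entity.attached_forms)

def can_enforce(admin_scope: Optional[Entity], rule: EnforcementRule) -> bool:
    """Admins may only create rules at their own scope or below; a global rule needs a global admin."""
    if rule.scope is None:
        return admin_scope is None
    return is_within(rule.scope, admin_scope)

# Constructed sample hierarchy (hypothetical, not real data.all objects).
ORG1 = Entity("org1", "Organization")
ENV1 = Entity("env1", "Environment", ORG1)
ENV2 = Entity("env2", "Environment", ORG1)
DS1 = Entity("ds1", "Dataset", ENV1)
DS2 = Entity("ds2", "Dataset", ENV1, {"mf-quality"})   # already has the form attached
DS3 = Entity("ds3", "Dataset", ENV2)                   # outside the rule's scope
TBL1 = Entity("tbl1", "Table", DS1)
BKT1 = Entity("bkt1", "Bucket", DS1)                   # type not covered by the rule
ENTITIES = [ORG1, ENV1, ENV2, DS1, DS2, DS3, TBL1, BKT1]
# An env1 admin enforces form "mf-quality" on every Dataset and Table under env1.
RULE = EnforcementRule("mf-quality", ENV1, frozenset({"Dataset", "Table"}))
```

Running `affected(RULE, ENTITIES)` yields ds1, ds2 and tbl1; of those only ds2 has nothing missing, and `can_enforce` accepts the env1, org1 and global admins but rejects the ds1 and env2 admins.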