Guardian is universal data access management tool with automated access workflows and security controls across data stores, analytical systems, and cloud products.
Grant can represent access for non-individual users like service accounts and groups for GCP providers. Ideally, those grants should be owned by a group of people for visibility and access maintainability so that when the main owner is no longer available, anyone else still can maintain the access.
This multiple ownership mostly will be used for channel of notifications purpose when the access is going to expire
Can have a concept of main owner and additional ones
This approach is simpler in implementation since it is a new column/field addition to the Grant entity
Cons:
When it comes to expiring access notifications, need to make sure that the notification is sent for both owner and co-owners. Same for other similar use cases (if any)
2. (Option 2) Replace owner: string (singular) field with owners: []string (multiple)
Pros:
Simpler domain knowledge as there is no confusion between the "main" owner and other owners.
Cons:
Need to migrate existing owner to the new owners field (breaking changes)
Additional
Assigning grant ownership to a "team" like a_google_group@example.com or any other kind of team/group can't be that straightforward since there is no team/group management in Guardian (and let's keep it so). To enable this, guardian needs to connect with third-party team management service like shield or google workspace for getting the information of team/group membership
Summary
Grant can represent access for non-individual users like service accounts and groups for GCP providers. Ideally, those grants should be owned by a group of people for visibility and access maintainability so that when the main owner is no longer available, anyone else still can maintain the access. This multiple ownership mostly will be used for channel of notifications purpose when the access is going to expire
Proposed solution
1. (Option 1) Add
co_ownersfield in Grantco_ownersis a list of individual emailsPros:
Cons:
2. (Option 2) Replace
owner: string(singular) field withowners: []string(multiple)Pros:
Cons:
ownersfield (breaking changes)Additional
Assigning grant ownership to a "team" like
a_google_group@example.comor any other kind of team/group can't be that straightforward since there is no team/group management in Guardian (and let's keep it so). To enable this, guardian needs to connect with third-party team management service like shield or google workspace for getting the information of team/group membership