Define a scenario with personas across products

[fhennig]

We need a realistic foundation to write rules for. This means multiple users, data and groups.

What the scenario should cover

• [x] 2 departments
  • some resources shared, some not (i.e. shared Spark cluster but different data sources for each department)
• [x] products: dev and prod instances with some permission shared and some not
• [x] "management group" with different permissions
• [x] "robot user/automation user"
• [x] impersonation (Superset -> Trino / Hive -> HDFS)
• [x] some "one-off" permissions for individual users
• [ ] Describe some tasks (in text) that the people/robots will perform.

Acceptance criteria

• [x] A free text with specific department names, cluster setups and user names etc.
• [x] A diagram that shows the organizational structure and cluster setup

[NickLarsenNZ]

[!IMPORTANT] Scenario has moved from this issue into the opa-operator repo: stackabletech/opa-operator#522

Here's a starter for ten, feel free to amend if it doesn't sit right with you...

Knab

Knab is a bank with a number of data science teams covering various aspects of the banks operation and compliance obligations.

Usernames are $firstname.$lastname.

Teams

Two of the data science teams are outlined below:

Compliance and Regulation Analytics

This team sits under the wider Compliance and Regulation team,and is tasked with making use of the banks customer, credit, securities data and produce internal and regulatory reports to aid in regulatory compliance.

Members of the team:

• William A. Lewis (Team Lead)
• Sophia B. Clarke
• Daniel C. King

Customer Analytics

This team falls under the Customer Service division and is tasked with making use of the banks data for things like:

• Understanding customer call frequency and wait times
• Trends with the usage of physical branches, internet banking and the banking app

They produce monthly and quarterly reports, but also build dashboards to show live data (eg: call queue, and wait time statistics).

Members of the team:

• Pamela D. Scott (Team Lead)
• Justin E. Martin
• Isla F. Williams (contractor with specific user based permissions)

[fhennig]

I'd also add a manager that wants access to superset dashboards and migh be part of a manager group. And another idea is an external contractor that only has access to trino as a one-off or something.

For multi-tenancy maybe for trino/HDFS there could be dev and prod deployments?

[NickLarsenNZ]

I'd also add a manager that wants access to superset dashboards and migh be part of a manager group.

IMO "managers having extra access" is an old tale used in examples. Managers typically wouldn't have extra access, and in fact would probably have no access.

Team Lead(s) could be in the managers/admins group, if that is satisfactory?

And another idea is an external contractor that only has access to trino as a one-off or something.

Cool, will add an extra persona for that.

For multi-tenancy maybe for trino/HDFS there could be dev and prod deployments?

Do you mean Trino with HDFS, or one-or-the-other? I'm not so familiar, so maybe my question is stupid. I do see Trino + Hive as a thing though.

[fhennig]

IMO "managers having extra access" is an old tale used in examples. Managers typically wouldn't have extra access, and in fact would probably have no access.

That's fine for me!

Do you mean Trino with HDFS, or one-or-the-other? I'm not so familiar, so maybe my question is stupid. I do see Trino + Hive as a thing though.

I mean that there are two instances of something (maybe Trino, maybe HDFS or maybe something else). Maybe this makes more sense for something like Spark? A dev cluster and a prod cluster. I'm also not super familiar with where something like this is done realisitcally. But maybe Knab has a transaction processing pipeline in Spark and when they make a change to it they first deploy it in a dev cluster before rolling it out to prod. So there would be some shared permissions for dev and prod, but also prod would be more locked down probably.

[NickLarsenNZ]

Scenario has moved from this issue into the opa-operator repo: stackabletech/opa-operator#522

[NickLarsenNZ]

[!NOTE] I moved this comment out of stackabletech/opa-operator#522 so it could be closed without waiting on the following:

I spoke with @fhennig yesterday and he suggested not delving into groups yet (at least not for this ticket), but I still need to come up with various tasks that the personas would perform.

So freestyling here:

Compliance and Regulation Analytics

todo

Customer Analytics

• Isla: Some of the telephony data is not available through APIs until an upgrade is complete. In the meantime, Isla has been brought in as a contractor to help bridge the gap between the data in the aging telephone system and the analytics processes.
  1. Isla manually exports production telephony data from the telephone system web UI.
  2. Isla runs the data through scripts (dropping PII data) which produce Parquet formatted file (call duration, time between call center staff calls, direct calls vs hunt-group calls).
  3. Isla then loads the files into the Nonprod HDFS under a specific path (hdfs://customer-analytics/telephony/contact-center/*) that she has access to. This process will later be automated in production once the telephone system is upgraded.

Marketing

todo

[NickLarsenNZ]

@fhennig what shall we do here (considering the discussion about changing the scenario to align to Trino TPCDS data)?

[fhennig]

Alright, we have the files here: https://github.com/stackabletech/opa-operator/tree/main/hack

and the additional text in this ticket. I think for me that's enough for this ticket, I'm closing it.