Skip to main content

Access Governance Overview

Access governance ensures the right people have access to the right data, balancing security requirements with business productivity.

Why Access Governance?

Organizations need to protect sensitive data from unauthorized access while simultaneously enabling productivity by streamlining access for authorized users. A robust governance model helps maintain compliance with regulatory requirements and provides audit trails for all access decisions.

Access Model

Role-Based Access

Qarion uses a tiered role system to manage permissions. Space Roles control permissions within a specific space, Product Roles determine permissions for specific data products, and Source System Roles manage permissions for external platform access.

Space Roles

Space roles define what a user can do within a workspace. Space Admins have full control over settings and members. Editors can create and modify content. Viewers can browse and view content, while Members have basic access to space resources.

Product Governance Roles

Product governance roles assign specific responsibilities. The Owner provides strategic oversight and approves major changes. The Steward handles day-to-day curation and approves access requests. The Custodian is responsible for technical maintenance and quality.

Source System Roles

For external platforms like Snowflake or BigQuery, roles are synced directly from the source system. Users can request access to these specific roles, and approvals flow through the workflow system to provision actual access.

Request Workflow

Lifecycle

The request lifecycle moves from Requested (waiting for approval) to either Approved (request granted) or Rejected (request denied). Once approved, access is Granted (active). Access can also be Revoked at a later time.

States

A request starts as Requested. Upon approval, it transitions to Approved, which may involve a pending provisioning step. If denied, it becomes Rejected. Active access is marked as Granted, and removed access is labeled Revoked.

Access Types

Direct Product Access

You can request access to a specific data product. This grants a direct right to your user account, tied specifically to that product. Depending on the configuration, this may or may not include provisioning access in the underlying source system.

Role-Based Access

Alternatively, you can request access via role assignment. This grants you a specific role in a source system, which in turn provides access to all data products associated with that role.

Key Features

Self-Service Requests

Users can request access themselves without needing IT tickets. The system provides a clear approval workflow and full visibility into the status of each request.

Approval Workflows

Requests are automatically routed to the appropriate approvers. Product Stewards handle product access, Source System Admins manage role access, and Space Admins act as an escalation point.

Justification Tracking

All requests require a business justification, explaining why access is needed, the expected duration, and the project or use case context.

Audit Trail

Every access decision is logged in the audit trail, recording who requested access, who approved or rejected it, when it was granted, and results of historical access reviews.

Viewing Your Access

My Access Dashboard

The My Access Dashboard allows you to see everything you have access to. It lists accessible products, shows whether access was granted directly or via a role, and displays the specific roles you hold.

Product Access Tab

On any product detail page, the Access Tab shows your current access level, the status of any pending requests, and allows you to request additional access if needed.

Integration Points

With Source Systems

Qarion connects to source platforms for technical access provisioning. Approved requests can trigger automatic provisioning, ensuring that access changes in Qarion are reflected in the actual systems.

With Products

Products define which roles provide access, who has the authority to approve requests, and what justification is required.

With Governance

Access requests often intersect with broader governance processes, involving discussions in governance meetings, approvals from stewards, and checks for policy compliance. For AI Systems, access governance takes on additional importance — training data access must be justified and documented, model endpoints require controlled permissions, and any access to high-risk AI systems may trigger additional review steps aligned with EU AI Act human oversight requirements.

Learn More