A team concept is missing in CDF
We are working with data in our organization aligned with the data mesh principles:
- Data as a product
- Domain-oriented ownership of data
- Self-service data platform
- Decentralized data governance
Currently the setup for access management in CDF does not support this functionality. A team should be able to create, edit and delete datasets, and data associated with their datasets (e.g., assets, events, sequences).
With the current solution an admin with group:write and dataset:write access needs to create a dataset and create new groups for service accounts/user accounts and add capabilities to read/write resource types within the dataset.
We are thus not able to provide a solution which is self-serviced to teams within our organization where they freely control their data and access to it.
I agree with this need, and the clumsiness of the current dataset:read&write access scope. As you say, a team should be able to create their own data set without having privileges that would give them write access to all other datasets. A fix for this is to introduce a dataset:create scope, which would allow users to create new datasets where they become the owner and gain read&write access to that particular dataset automatically. However, it does not solve the team challenge, where you would need to be able to add team members to a group with the same rights. Having group:write essentially gives full access to everything, so we cannot rely on that. I will loop in the appropriate product managers so they are aware of the problem.