Is Access Management part of Data Governance?

Is Access Management part of Data Governance?

I was emailed the question recently and, in my haste, to provide an answer, I simply replied ‘no, it is not – Access Management is part of Data Security, so it’s not a Data Governance activity, and the asker very rightly came back to me and challenged me on this.

They said, “Oh, well, that’s really odd because I thought that Data Owners were responsible for Access Management” and I realised that I should have perhaps given a more full answer to the person who’d asked the question – so let’s do this now, first by looking at what Access Management really is.

What is Access Management?

Access management is primarily an information security, IT and data governance process used to grant access to valid users and prohibit invalid users.

Typically, AM is used in conjunction with identity access management (IAM). Identity management creates, provisions and controls different users, roles, groups and policies, whereas AM ensures that these roles and policies are followed.

An AM-based application/system stores the different user roles and their profiles, and processes user access requests based on the data/profile/roles.

A common misunderstanding

Access Management, deciding who should or shouldn’t have access to our data, is definitely part of a Data Security activity, along with agreeing perhaps the levels of encryption and security classifications. But the worlds of Data Governance and Data Security do overlap.

Now, if you read the blog I posted a few months ago about the difference between Data Governance and Data Management you will remember that I talked about the DAMA DMBOK wheel.

Data Governance is in the middle of that wheel which lists all the other data management disciplines in it because Data Governance provides a foundation for many other data management disciplines and, in the case of Data Security, it is around the roles and responsibilities because we will have worked hard to find the right people to be Data Owners for the data.

Now, we might want to only talk to these people in terms of whether the data is of good enough quality, whether we have definitions for it, and how we resolve issues with that data but if we’ve found the right people, then they’re also the right people to make other decisions about that data.

It is quite often the case that I will work with the Data Security team at my clients to make sure that their approach is aligned with the Data Governance framework and that it is the Data Owner that is asked to approve access requests to their data so, you can see how this confusion arises because it would become the responsibility of the Data Owner to approve access requests. However, if we’re being purist about it, it’s not a Data Governance activity.

Don’t forget if you have any questions you’d like covered in future videos or blogs please email me –

Published on

Have Your Say: