Skip to content
Platform & Configuration
Authentication & Access
Monitor Stewardship

Monitor stewardship

Monitor stewardship extends Fides' role-based access control to per-monitor ownership: an eligible user can be assigned to one or more discovery monitors as a steward, which grants them write access to that monitor's results — staged resources, classifications, and review actions — without changing their overall role and without giving them control over the monitor's configuration.

Monitor stewardship is the discovery-side counterpart to system stewardship.

What monitor stewardship grants

A user assigned as a steward of a monitor can act on that monitor's results:

  • Promote staged resources to datasets
  • Approve, edit, or mute classifications
  • Review and resolve discovered changes in the Action Center

A monitor steward cannot modify the monitor's configuration. Creating, editing, or deleting the monitor itself, its schedule, its classification parameters, or its connection still requires a user with broader permissions (Owner or Contributor).

The grant is scoped to the assigned monitors only.

Sources of stewardship: explicit and inherited

A user can become a steward of a monitor in one of two ways:

  • Explicit — A user with broader permissions assigns the user directly to the monitor from the monitor configuration form. Explicit stewards are managed by hand and are never modified by inheritance.
  • Inherited — The monitor's Inherit system stewards toggle is enabled, and the user is currently a data steward of the System linked to the monitor's integration. Inherited stewards are derived state: Fides keeps them in sync automatically.

The same user can hold both an explicit and an inherited assignment on the same monitor at the same time. Removing the inherited source (by changing the System's stewards or disabling inheritance) does not affect their explicit assignment, and vice versa.

How inheritance works

Inheritance is enabled per-monitor with the Inherit system stewards toggle on the monitor configuration form. The toggle is on by default for new monitors.

When inheritance is enabled, the inherited steward set is computed from the data stewards of the System that the monitor's integration is linked to (via the System-integration link). Fides automatically reconciles the inherited set when any of the following change:

  • The linked System's data stewards (a steward is added, removed, or replaced on the System)
  • The Inherit system stewards toggle on the monitor
  • The integration the monitor is configured against
  • The System-integration link itself (the integration is linked to a different System, or the link is removed)

When inheritance is disabled on a monitor, all of its inherited stewards are removed. Its explicit stewards remain untouched.

Who can be assigned

The same roles that are eligible to be assigned as system stewards are eligible to be assigned as monitor stewards: Owner, Contributor, Data Steward, Viewer, and Viewer + Approver.

Because inherited stewards come from the linked System's data stewards, anyone who is eligible to be a System data steward is also eligible to be inherited as a monitor steward — no extra configuration is required.

How to assign monitor stewards

Stewards are managed on the monitor configuration form, alongside the Inherit system stewards toggle and the explicit Monitor Stewards picker. For the step-by-step walkthrough, see Assigning monitor stewards.

Related

System StewardshipSSO Authentication