# Managing Data Metadata You may have read the [Automate data access control decisions](/2024.2/secure-your-data/getting-started-with-secure/automate-data-access-control-decisions/managing-user-metadata.md) use case already. If so you are aware of the [two paths](/2024.2/secure-your-data/getting-started-with-secure/automate-data-access-control-decisions/the-two-paths.md) you must choose between: orchestrated-RBAC vs ABAC. To manage data metadata with this particular use case, you should use ABAC. This is because you want your data product owners to tag data with facts - what they have intimate knowledge of because they built the data product - and not have to be knowledgeable about all policies across your organization. With orchestrated RBAC, you tag your columns with access logic baked in. ABAC means you tag your columns with facts, what is in the column, which is why ABAC makes much more sense. Understanding that, read the automate data access control decisions use case's [Managing data metadata](/2024.2/secure-your-data/getting-started-with-secure/automate-data-access-control-decisions/managing-data-metadata.md) guide. ## Tags in a federated governance world It is important to distinguish between tag definition and tag application. While tag definition (e.g., a tag called “Business Unit” with the values “Finance”, “Marketing”, “Sales”) should be strongly governed to guarantee consistency and coherence, tag application can be fully decentralized, meaning every domain or data owner can apply tag values (from the centrally governed list) to their data. There needs to be a process in place for data owners to request the definition of a new tag in case they identify any gaps. ## Monitoring data products It is important to leverage Immuta Discover's sensitive data discovery (SDD) to monitor your data products. This allows you to uncover if and when sensitive data may be leaked unknowingly by a data product and mitigate that leak quickly. The [Monitor and secure sensitive data platform query activity](/2024.2/detect-your-activity/getting-started/overview/registering-metadata-for-detect.md) use case covers this in great detail and is highly recommended for a data mesh environment. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://documentation.immuta.com/2024.2/secure-your-data/getting-started-with-secure/overview-2/managing-data-metadata.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.