US11636220B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11636220-B2 |
| Application number | US-202016778934-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jan 31, 2020 |
| Priority date | Feb 1, 2019 |
| Publication date | Apr 25, 2023 |
| Grant date | Apr 25, 2023 |
Official abstract text for this publication.
This disclosure relates to systems and methods for managing access to data through enforcement of one or more associated rules. In various embodiments, a directory may be used to manage and/or otherwise record various relationships between objects, that may include governed objects such as data sets, and associated rules and rule sets. Access requests involving governed objects may be compared with relevant rules to determine whether the requested access should be allowed and what, if any, restrictions should be applied in connection with such access. Various embodiments of the disclosed systems and methods may allow for a data governance model that is flexible, allows for use across multiple complex organizations, and is highly extensible.
Opening claim text (preview).
What is claimed is:

1. A method for managing access to a governed object performed by a data management system comprising at least one processor and at least one non-transitory computer-readable medium storing instructions that, when executed by the at least one processor, cause the data management system to perform the method, the method comprising:
receiving, by a data service of the data management system, an access token and a data access request from a client system, the data access request comprising an indication of a specified data set and an indication of an operation associated with at least one requested access privilege;
validating the data access request by authenticating the access token;
issuing, by the data service, an access control request to a security service of the data management system, the access control request comprising an indication of a subject associated with the access token, an indication of an object associated with the specified data set, and an indication of the at least one requested access privilege;
identifying, by the security service, at least a first governed object in a directory database, the at least a first governed object corresponding with the indication of the object associated with the specified data set of the access control request;
identifying, by the security service, at least a first rule set in the directory database, the at least a first rule set being associated with the at least a first governed object in the directory database, the at least a first rule set comprising at least a first rule specifying a depth associated with the at least a first rule, the at least a first rule set being attached to at least a second governed object located above the at least a first governed object in a root path of a directory tree in the directory database, the at least a second governed object being located above the at least a first governed object within the depth specified in the at least a first rule;
identifying, by the security service, at least a first role in the directory database, the at least a first role being associated with the indication of the subject associated with the access token;
determining, by the security service, based on the at least a first rule, the at least a first role, and the access control request, that the access control request should be granted, wherein determining that the access control request should be granted comprises: comparing the indication of the subject associated with the access token, the at least a first role, the indication of the object associated with the specified data set, and the indication of the at least one requested access privilege with the at least a first rule, and determining, based on the comparison, that the subject associated with the access token is permitted the at least one requested access privilege to the object associated with the specified data set;
issuing, by the security service to the data service, an access control response granting access to the specified data set based on the determination; and
permitting, by the data service, access to the specified data set by the client system in accordance with the access control response.

2. The method of claim 1, wherein authenticating the access token comprises invoking an authentication service of the data management system to validate the access token.

3. The method of claim 1, wherein authenticating the access token comprises invoking a remote authentication service to validate the access token.

4. The method of claim 1, wherein authenticating the access token comprises determining that the access token is not expired.

5. The method of claim 1, wherein the method further comprises: receiving, by an authentication service of the data management system from the client system, authentication credentials; determining, by the authentication service, that the authentication credentials are associated with a valid account; and in response to determining that the authentication credentials are associated with a valid account, generating and transmitting the access token to the client system.

6. The method of claim 1, wherein the directory database is managed by a directory service of the data management system.

7. The method of claim 1, wherein the permitting access to the specified data set by the client system in accordance with the access control response comprises: retrieving, by the data service, the specified data set from a data store; and transmitting, by the data service, a data access response to the client system based on the retrieved specified data set.

8. The method of claim 7, wherein the data store comprises a local data store of the data management system.

9. The method of claim 7, wherein the data store comprises a remote data store.

10. The method of claim 7, wherein the access control response comprises at least one restriction, and wherein retrieving the specified data set from the data store comprises retrieving the specified data set in accordance with the at least one restriction.

11. The method of claim 10, wherein retrieving the specified data set in accordance with the at least one restriction comprises transmitting at least one data retrieval request issued to the data store in accordance with the at least one restriction.

12. The method of claim 1, wherein identifying the at least a first rule set comprises determining that the at least a first rule set is attached to the at least a second governed object within the depth specified in at least the first rule in the root path of the directory tree in the directory database.

13. The method of claim 12, wherein the at least a second governed object comprises an object associated with an organization.

14. The method of claim 1, wherein the method further comprises: identifying, by the security service, at least a second rule set in the directory database, the at least a second rule set being associated with the at least a first governed object in the directory database, the at least a second rule set comprising at least a second rule; and determining, by the security service, that the first rule set has a higher indicated priority than the second rule set.

15. The method of claim 1, wherein the subject associated with the access token comprises an account associated with the access token.

16. The method of claim 1, wherein permitting access to the specified data set by the client system further comprises: locating the specified data set using a catalog service of the data management system.

17. The method of claim 1, wherein the method further comprises: mapping the indication of the operation to the associated at least one requested access privilege.
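
As an added illustration (not code from the patent or its assignee), the sketch below models the security service's decision described in claims 1, 10, 12 and 14: rule sets attached to governed objects on the root path apply only within each rule's depth, the subject's roles and the requested privilege are compared with the rule, and the higher-priority rule set wins. All class and function names are hypothetical, and the reading of depth as the number of levels below the attachment point that a rule reaches, larger numbers meaning higher priority, deny winning ties, and deny by default are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    role: str                 # role the rule applies to
    privileges: frozenset     # privileges the rule covers
    allow: bool
    depth: int                # assumed: levels below the attachment point the rule reaches
    restrictions: tuple = ()  # passed back in the access control response

@dataclass
class RuleSet:
    priority: int             # assumed: larger number means higher priority
    rules: list

@dataclass
class GovernedObject:         # node of the directory tree
    name: str
    parent: "GovernedObject | None" = None
    rule_sets: list = field(default_factory=list)

def root_path(obj):
    """Yield (distance, node) from the object itself up to the root."""
    dist = 0
    while obj is not None:
        yield dist, obj
        obj, dist = obj.parent, dist + 1

def decide(obj, roles, privilege):
    """Return (granted, restrictions); deny by default when no rule applies."""
    hits = [(rs.priority, -dist, not r.allow, r)
            for dist, node in root_path(obj)
            for rs in node.rule_sets for r in rs.rules
            if dist <= r.depth and r.role in roles and privilege in r.privileges]
    if not hits:
        return False, ()
    # Highest priority wins, then the nearest attachment, then deny over allow.
    best = max(hits, key=lambda h: h[:3])[3]
    return (True, best.restrictions) if best.allow else (False, ())

def sample_tree():
    """Constructed sample: org > dept > project > dataset."""
    org = GovernedObject("org")
    dept = GovernedObject("dept", org)
    proj = GovernedObject("project", dept)
    ds = GovernedObject("dataset", proj)
    read = frozenset({"read"})
    org.rule_sets.append(RuleSet(1, [Rule("analyst", read, True, depth=2)]))
    proj.rule_sets.append(RuleSet(5, [Rule("analyst", read, True, 1, ("mask:ssn",))]))
    ds.rule_sets.append(RuleSet(9, [Rule("contractor", read, False, 0)]))
    return dept, proj, ds
```

In the constructed tree the organization-level rule reaches the department and project but stops short of the dataset, so the dataset is readable by an analyst only through the project-level rule set and its restriction.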
Query execution · CPC title
Access rights, e.g. capability lists, access control lists, access tables, access matrices · CPC title
to a system of files or objects, e.g. local or distributed file system or database · CPC title
using an additional device, e.g. smartcard, SIM or a different communication terminal (cryptographic mechanisms or cryptographic arrangements for entity authentication involving additional secure or trusted devices H04L9/3234) · CPC title
Entity profiles · CPC title