Informatica Intelligent Cloud Services provides system-defined roles that you can assign to users or user groups. You cannot change or delete the system-defined roles.
The system-defined roles that you can assign to users and groups vary based on your organization's licenses. For example, if your organization has no access to Application Integration or API Manager, you cannot assign the Deployer, Application Integration Business Manager, Application Integration Data Viewer, or Operator role to any user or group in your organization.
Assign system-defined roles to users and groups based on the tasks that they need to perform.
There are two types of system-defined roles:
• Cross-service roles define access privileges across multiple services.
• Service-specific roles define access privileges for one service or for a group of closely related services.
Cross-service roles
Cross-service roles are system-defined roles that define access privileges across multiple services.
For example, users with the Designer role can create assets and tasks in Data Integration, create assets in Cloud Integration Hub, create processes in Application Integration, and can also access the Application Integration Console. Users with the Monitor role can monitor Data Integration jobs, Cloud Integration Hub assets, and Application Integration process instances.
The following roles are cross-service roles:
• Admin
• Data Integration Data Previewer
• Deployer
• Designer
• Monitor
• Operator
• Service Consumer
The following table shows the services that each cross-service role can access:
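| Service | Admin role | Data Integration Data Previewer role* | Deployer role | Designer role | Monitor role | Operator role | Service Consumer role |
|---|---|---|---|---|---|---|---|
| Administrator | X | - | - | X | X | - | X |
| API Manager | X | - | X | - | - | - | X |
| API Portal | X | - | - | - | - | - | X |
| Application Integration | X | - | X | X | X | X | X |
| Application Integration Console | X | - | X | X | X | X | X |
| B2B Gateway | X | - | - | X | X | - | - |
| B2B Partners Portal | X | - | - | - | - | - | - |
| Data Integration | X | - | - | X | X | - | X |
| Data Quality | X | - | X | X | X | X | X |
| Data Profiling | X | - | - | X | X | X | - |
| Integration Hub | X | - | - | X | X | - | - |
| Monitor | X | - | - | X | X | - | - |
| Operational Insights | X | - | - | - | - | X | - |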
* The Data Integration Data Previewer role is a supplemental role that allows users to preview data in Data Integration and Data Profiling. It provides no access to services. Assign this role with another role that allows users to access Data Integration or Data Profiling.
In the preceding table, an "X" means that users with the role have access to the service. For example, users with the Admin role have access to all services.
Access privileges for cross-service roles
Assign cross-service roles to users who need access privileges for different services across Informatica Intelligent Cloud Services. Each cross-service role provides different access privileges.
Cross-service roles have the following access privileges:
Admin
Users with the Admin role have full access to all licensed services. They can perform all tasks in the organization when assigned both the Admin and Service Consumer roles.
The best practice is to assign the Admin role to one or two trusted users and assign the users to an administrative user group that has full permissions on all asset types. These users can act as alternative organization administrators and can help troubleshoot access control and other organization security issues.
Note: To provide full access to the API Manager service, including full privileges for OAuth 2.0 client management, assign the user both the Admin and Service Consumer roles.
Data Integration Data Previewer
Users with the Data Integration Data Previewer role can preview data when they select a source, target, or lookup object for use in a mapping or task in Data Integration. They can also view source object data when creating a profile or viewing profile results in Data Profiling.
The Data Integration Data Previewer role is a supplemental role. Assign this role with another role, such as the Designer role, to ensure that users can access Data Integration and Data Profiling.
Deployer
Users with the Deployer role can deploy Application Integration assets and manage APIs through API Manager. Assign this role in a production environment where deployment access is typically restricted.
Users with the Deployer privilege can view assets in Data Quality.
Note: To provide full access to the API Manager service, including full privileges for OAuth 2.0 client management, assign the user both the Deployer and Service Consumer roles.
The following table lists the services that users with the Deployer role can access and the access privileges associated with each service:
| Service | Access Privileges |
|---|---|
| API Manager | Has full access to this service, including OAuth 2.0 client management privileges, when the Service Consumer role is also assigned. |
| Application Integration | Can view asset details. |
| Application Integration Console | Can deploy assets and view settings on the Processes, Logs, Server Configuration, Deployed Assets, and Resources pages. Can upload and deploy Process Developer-generated orchestration artifacts (BPRs). |
| Data Quality | Can view asset details. |
Designer
Users with the Designer role can create assets, tasks, and processes. They can configure connections, schedules, and runtime environments. They can also monitor jobs and elastic clusters for the organization.
The following table lists the services that users with the Designer role can access and the access privileges associated with each service:
| Service | Access Privileges |
|---|---|
| Administrator | Can configure connections, runtime environments, schedules, swagger files, and elastic configurations. Can install add-on connectors and install and uninstall add-on bundles. Can view upgrade settings for Secure Agent services. Can start and stop file servers, configure proxy servers, and view other file server settings. |
| Application Integration | Has full access to this service. |
| Application Integration Console | Can view and edit all settings except for server configuration properties. |
| B2B Gateway | Has full access to this service. |
| Data Integration | Has full access to this service. |
| Data Quality | Has full access to this service. |
| Data Profiling | Has full access to this service. |
| Integration Hub | Has full access to this service. |
| Monitor | Has full access to this service. |
Monitor
Users with the Monitor role can monitor Data Integration jobs, Cloud Integration Hub assets, Data Quality assets, and Application Integration process instances for the organization.
The following table lists the services that users with the Monitor role can access and the access privileges associated with each service:
| Service | Access Privileges |
|---|---|
| Administrator | Can view schedules and upgrade settings for Secure Agent services. Can start and stop file servers, configure proxy servers, and view other file server settings. |
| Application Integration | Can view asset details. |
| Application Integration Console | Can view settings. |
| B2B Gateway | Can view asset details. |
| Data Integration | Can view asset details. |
| Data Quality | Can view asset details. |
| Data Profiling | Can view asset details. |
| Integration Hub | Can view asset details. |
| Monitor | Can view data integration jobs and job details. Cannot view export or import jobs. |
Operator
An Operator is responsible for process execution management and Process Server configuration updates. Users with the Operator role can view asset details but cannot modify them. They can manage process instances and modify some operational server parameters.
The following table lists the services that users with the Operator role can access and the access privileges associated with each service:
| Service | Access Privileges |
|---|---|
| Application Integration | Can view asset details. |
| Application Integration Console | Can view and edit Process Server settings and some Cloud Server settings. For example, a user with the Operator role can create an alert service, but cannot view tenant details. |
| Data Quality | Can view asset details. |
| Data Profiling | Can view asset details. |
| Operational Insights | Can view cloud and domain infrastructure. Can edit domain and infrastructure Secure Agent alert settings. Can edit domain infrastructure, including registering domains. |
Service Consumer
Users with the Service Consumer role can run tasks, taskflows, and processes but they cannot create or edit assets. Assign this role to users who need to execute Data Integration jobs and Application Integration processes through APIs.
Note: To provide full access to the API Manager service, assign the user both the Service Consumer and Deployer roles, or assign the user both the Service Consumer and Admin roles.
The following table lists the services that users with the Service Consumer role can access and the access privileges associated with each service:
| Service | Access Privileges |
|---|---|
| Administrator | Can view schedules, swagger files, and upgrade settings for Secure Agent services. Can start and stop file servers, configure proxy servers, and view other file server settings. |
| API Manager | Has full access to this service when the Deployer or the Admin role is also assigned. |
| API Portal | Has full access to this service. |
| Application Integration | Can invoke Application Integration processes. |
| Data Integration | Can view tasks, run tasks, test-run mappings, run taskflows, and download workflow XML. |
| Data Quality | Can view asset details. |
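The cross-service access table and the role-combination notes above can be checked mechanically against an export of user-to-role assignments. The following Python audit is an added example, not Informatica code: the user names and assignments are constructed, and the rules encode only what this page states (Admin for one or two users, the supplemental Data Integration Data Previewer role, and the Service Consumer pairings that give full API Manager access).

```python
# Added example, not Informatica code: audit cross-service role assignments.
ROLES = ["Admin", "Data Integration Data Previewer", "Deployer", "Designer",
         "Monitor", "Operator", "Service Consumer"]
# Service -> access flags in ROLES order, transcribed from the table on this page.
MATRIX = {
    "Administrator": "X--XX-X", "API Manager": "X-X---X",
    "API Portal": "X-----X", "Application Integration": "X-XXXXX",
    "Application Integration Console": "X-XXXXX", "B2B Gateway": "X--XX--",
    "B2B Partners Portal": "X------", "Data Integration": "X--XX-X",
    "Data Quality": "X-XXXXX", "Data Profiling": "X--XXX-",
    "Integration Hub": "X--XX--", "Monitor": "X--XX--",
    "Operational Insights": "X----X-",
}

def services_for(roles):
    """Union of services reachable through the given cross-service roles."""
    idx = [ROLES.index(r) for r in roles if r in ROLES]
    return {s for s, flags in MATRIX.items() if any(flags[i] == "X" for i in idx)}

def audit(assignments, max_admins=2):
    """Return sorted (user, finding) pairs for assignments that need review."""
    findings = []
    admins = sorted(u for u, r in assignments.items() if "Admin" in r)
    if len(admins) > max_admins:  # page: assign Admin to one or two trusted users
        findings += [(u, "Admin held by more than %d users" % max_admins) for u in admins]
    for user, roles in assignments.items():
        roles = set(roles)
        # The supplemental role is useless unless another role reaches these services.
        if ("Data Integration Data Previewer" in roles
                and not services_for(roles) & {"Data Integration", "Data Profiling"}):
            findings.append((user, "Data Previewer without Data Integration or Data Profiling access"))
        # Service Consumer plus Admin or Deployer unlocks OAuth 2.0 client management.
        if "Service Consumer" in roles and roles & {"Admin", "Deployer"}:
            findings.append((user, "full API Manager access incl. OAuth 2.0 client management"))
    return sorted(findings)

# Constructed sample assignments (hypothetical users, not from the page).
SAMPLE = {
    "alice": ["Admin", "Service Consumer"],
    "bob": ["Admin"],
    "carol": ["Admin"],
    "dave": ["Data Integration Data Previewer", "Operator"],
    "erin": ["Data Integration Data Previewer", "Deployer"],
    "frank": ["Deployer", "Service Consumer"],
}

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(user + ": " + finding)
```

In the sample, dave passes the supplemental-role check because the Operator role reaches Data Profiling, while erin is flagged because the Deployer role reaches neither Data Integration nor Data Profiling.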
Service-specific roles
Service-specific roles are system-defined roles that define access privileges for one service or for a group of closely related services. For example, the service-specific roles for Application Integration provide access to both Application Integration and Application Integration Console.
Assign service-specific roles to users who do not need access across multiple services. Service-specific roles have different access privileges based on the services to which they apply.
The following table lists the service-specific roles for each service that uses them:
| Service | Service-Specific Roles |
|---|---|
| Application Integration | Application Integration Business Manager, Application Integration Data Viewer |
| Data Integration | Data Integration Task Executor |
| Reference 360 | Reference 360 Administrator, Reference 360 Business Analyst, Reference 360 Business Steward, Reference 360 Planner, Reference 360 Primary Owner, Reference 360 Stakeholder |
| Customer 360 | Customer 360 Analyst, Customer 360 Manager, Customer 360 Data Steward, MDM Business User |
| Business 360 Console | MDM Designer |
Access privileges for Application Integration roles
Assign Application Integration roles to users who need access privileges for Application Integration and Application Integration Console. Each role provides different access privileges.
The following service-specific roles define access privileges for Application Integration and Application Integration Console:
Application Integration Business Manager
An Application Integration Business Manager monitors business activity. Users with the Application Integration Business Manager role can view information about assets and process instances, but they cannot change them.
The following table lists the services that users with the Application Integration Business Manager role can access and the access privileges associated with each service:
| Service | Access Privileges |
|---|---|
| Application Integration | Can view folder and asset lists and asset details. |
| Application Integration Console | Can access the Processes page. |
Application Integration Data Viewer
Users with the Application Integration Data Viewer role can view detailed logs in the Application Integration Console service.
Note: The logging level of an artifact must be set to verbose for a user to view detailed logs.
The Application Integration Data Viewer role is a supplemental role. Assign this role along with at least one other role. For example, if you want a user with the Designer role to view detailed Process Server logs, assign the user the Application Integration Data Viewer and the Designer roles, and set the Process Server logging level to verbose.
Access privileges for Data Integration roles
The Data Integration Task Executor role defines access privileges for Data Integration. Users with the Data Integration Task Executor role can run tasks and taskflows and test-run mappings in Data Integration. They can also monitor data integration jobs.
The following table lists the services that users with the Data Integration Task Executor role can access and the access privileges associated with each service:
| Service | Access Privileges |
|---|---|
| Administrator | Can view schedules and upgrade settings for Secure Agent services. Can start and stop file servers, configure proxy servers, and view other file server settings. |
| Data Integration | Can view assets and asset details, run tasks and taskflows, and test-run mappings. Can view user's own data integration jobs and job details, start and stop user's own jobs, and download session logs. Cannot view export or import jobs. |
| Monitor | Can view data integration jobs and job details, start and stop data integration jobs, and download session logs. Cannot view export or import jobs. |
Access privileges for Reference 360 roles
Assign Reference 360 roles to users who need access privileges for Reference 360. Each role provides different access privileges.
The following service-specific roles define access privileges for Reference 360:
Reference 360 Administrator
Users with the Reference 360 Administrator role configure the Reference 360 environment.
Reference 360 Business Analyst
Users with the Reference 360 Business Analyst role view and analyze Reference 360 assets. They cannot propose changes to assets.
Reference 360 Business Steward
Users with the Reference 360 Business Steward role are subject matter experts for reference data. They create and manage code values in code lists and value mappings in crosswalks. They are responsible for approving changes proposed by other users. They can send their own changes for approval or directly publish their changes without approval. They can assign users access to crosswalks.
Reference 360 Planner
Users with the Reference 360 Planner role create and manage hierarchies. They assign users access to hierarchies.
Reference 360 Primary Owner
Users with the Reference 360 Primary Owner role create and define reference data structures, such as reference data sets and code lists. They can delete code lists and propose changes to code values in code lists. The user with the Business Steward role must approve the proposed changes. Primary owners can also assign users access to code lists and reference data sets.
Reference 360 Stakeholder
Users with the Reference 360 Stakeholder role propose changes to code values. The user with the Business Steward role must approve the proposed changes.
For more information about these roles, see the Reference 360 help.
Access privileges for Customer 360 roles
Assign Customer 360 roles to the users who need access privileges for Customer 360. Each role provides different access privileges.
The following service-specific roles define access privileges for Customer 360:
Customer 360 Analyst
Users with the Customer 360 Analyst role can create and edit records in Customer 360. When a Customer 360 Analyst creates or edits a record, the changes trigger a review process that requires approval from a Customer 360 Manager.
Customer 360 Manager
Users with the Customer 360 Manager role can review and approve customer records or update customer records. They can also create or edit records without approval.
Customer 360 Data Steward
Users with the Customer 360 Data Steward role can perform any task in Customer 360. They can create and edit records without approval, run jobs, and review and approve customer records.
MDM Business User
Users with the MDM Business User role can view records in Customer 360. They cannot create or edit records in Customer 360.
Access privileges for Business 360 Console roles
Assign Business 360 Console roles to the users who need access privileges for Business 360 Console.
The following service-specific role defines access privileges for Business 360 Console:
MDM Designer
Users with the MDM Designer role can define reference data in Business 360 Console.