Managing Roles
A role is a collection of privileges that you can assign to users and groups. You can assign the following types of roles:
- System-defined. Roles that you cannot edit or delete.
- Custom. Roles that you can create, edit, and delete.
A role includes privileges for the domain or an application service type. You assign roles to users or groups for the domain or for each application service in the domain.
UMSM has the following types of roles:
- Administrator. This is a system-defined role that has privileges to administer the Administrator tool. With this role, you can create and manage user accounts, create and configure the Ultra Messaging Service, and configure UMSM components and UM deployments.
- Operator. This is a custom role that has privileges to monitor UM deployments.
When you select a role in the Roles section of the Navigator, you can view all users and groups that have been directly assigned the role for the domain and application services. You can view the role assignments by users and groups or by services. To navigate to a user or group listed in the Assignments section, right-click the user or group and select Navigate to Item.
You can search for system-defined and custom roles.
System-Defined Roles
A system-defined role is a role that you cannot edit or delete. The Administrator role is a system-defined role.
When you assign the Administrator role to a user or group for the domain, Analyst Service, Data Integration Service, or Model Repository Service, the user or group is granted all privileges for the service. The Administrator role bypasses permission checking. Users with the Administrator role can access all objects managed by the service.
Administrator Role
When you assign the Administrator role to a user or group for the domain or the Data Integration Service, the user or group can complete some tasks that are determined by the Administrator role, not by privileges or permissions.
You can assign a user or group all privileges for the domain or the Data Integration Service and then grant the user or group full permissions on all domains. However, this user or group cannot complete the tasks determined by the Administrator role.
For example, a user assigned the Administrator role for the domain can configure domain properties in the Administrator tool. A user assigned all domain privileges and permission on the domain cannot configure domain properties.
The following table lists the tasks determined by the Administrator role for the domain or the Data Integration Service:
| Service | Tasks |
|---|---|
| Domain | Configure domain properties.<br>Create operating system profiles.<br>Delete operating system profiles.<br>Grant permission on the domain and operating system profiles.<br>Manage and purge log events.<br>Receive domain alerts.<br>Run the License Report.<br>View user activity log events.<br>Shut down the domain.<br>Access the service upgrade wizard. |
| Data Integration Service | Upgrade the Data Integration Service using the Actions menu. |
Custom Roles
A custom role is a role that you can edit or delete.
By default, the Administrator tool includes the following custom roles:
- Analyst Service custom role
- Operator custom role
You can edit the privileges for these roles, or delete the roles. You can also create your own custom roles.
Assigning Privileges and Roles to Users and Groups
You determine the actions that users can perform by assigning the following items to users and groups:
- Privileges. A privilege determines the actions that users can perform in application clients.
- Roles. A role is a collection of privileges. When you assign a role to a user or group, you assign the collection of privileges belonging to the role.
Use the following rules and guidelines when you assign privileges and roles to users and groups:
- You assign privileges and roles to users and groups for the domain and for each application service that is running in the domain.
- You can assign different privileges and roles to a user or group for each application service of the same service type.
- A role can include privileges for the domain and multiple application service types. When you assign the role to a user or group for one application service, privileges for that application service type are assigned to the user or group.
If you change the privileges or roles assigned to a user, the changed privileges or roles take effect the next time that the user logs in.
Note: You cannot edit the privileges or roles assigned to the default Administrator user account.
Inherited Privileges
A user or group can inherit privileges from the following objects:
- Group. When you assign privileges to a group, all subgroups and users belonging to the group inherit the privileges.
- Role. When you assign a role to a user, the user inherits the privileges belonging to the role. When you assign a role to a group, the group and all subgroups and users belonging to the group inherit the privileges belonging to the role. The subgroups and users do not inherit the role.
You cannot revoke privileges inherited from a group or role. You can assign additional privileges to a user or group that are not inherited from a group or role.
The Privileges tab for a user or group displays all the roles and privileges assigned to the user or group for the domain and for each application service. Expand the domain or application service to view the roles and privileges assigned for the domain or service. Click the following items to display additional information about the assigned roles and privileges:
- Name of an assigned role. Displays the role details on the details panel.
- Information icon for an assigned role. Highlights all privileges inherited with that role.
Privileges that are inherited from a role or group display an inheritance icon. The tooltip for an inherited privilege displays which role or group the user inherited the privilege from.
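The following Python sketch is an added example, not part of the product or its API. It models the inheritance rules above to audit where each of a user's privileges comes from, the same information the inheritance tooltip shows. All user, group, privilege, and service instance names (such as DIS_prod) are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data; privilege, group, and user names are hypothetical.
SERVICE_TYPE = {"Domain": "domain", "DIS_prod": "Data Integration Service"}
ROLE_PRIVS = {  # role -> service type -> privileges in the role
    "Operator": {"domain": {"View Deployments"},
                 "Data Integration Service": {"Monitor Jobs"}},
}
PARENT_GROUP = {"ops-night": "ops"}            # subgroup -> parent group
USER_GROUPS = {"alice": ["ops-night"], "bob": []}
ROLE_GRANTS = {("ops", "Domain"): ["Operator"], ("bob", "DIS_prod"): ["Operator"]}
DIRECT_PRIVS = {("alice", "Domain"): {"Manage Users"}}


def principals_for(user):
    """Yield the user, then each group and ancestor group the user belongs to."""
    yield user
    for group in USER_GROUPS.get(user, []):
        while group is not None:
            yield group
            group = PARENT_GROUP.get(group)


def effective_privileges(user, service):
    """Map each privilege to the set of sources it was assigned or inherited from."""
    sources = defaultdict(set)
    stype = SERVICE_TYPE[service]
    for principal in principals_for(user):
        via = "" if principal == user else f"group:{principal}"
        for priv in DIRECT_PRIVS.get((principal, service), ()):
            sources[priv].add(via or "direct")
        for role in ROLE_GRANTS.get((principal, service), ()):
            # Only the role's privileges for this service type apply.
            for priv in ROLE_PRIVS[role].get(stype, ()):
                sources[priv].add(f"{via}/role:{role}" if via else f"role:{role}")
    return dict(sources)


def assigned_roles(user, service):
    """Roles assigned directly to the user; roles on groups are not inherited."""
    return list(ROLE_GRANTS.get((user, service), []))


def revocable(user, service):
    """Privileges with only a direct source; inherited ones cannot be revoked."""
    return {p for p, s in effective_privileges(user, service).items() if s == {"direct"}}
```

In this sample, alice inherits View Deployments through the parent group ops but has no assigned role, and bob receives only the Data Integration Service privileges of the Operator role because the role was assigned for DIS_prod alone.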