Assigning Privileges and Roles to Users and Groups
You determine the actions that users can perform by assigning the following items to users and groups:
- Privileges. A privilege determines the actions that users can perform in application clients.
- Roles. A role is a collection of privileges. When you assign a role to a user or group, you assign the collection of privileges belonging to the role.
Use the following rules and guidelines when you assign privileges and roles to users and groups:
- You assign privileges and roles to users and groups for the domain and for each application service that is running in the domain.
  You cannot assign privileges and roles to users and groups for a Metadata Manager Service or PowerCenter Repository Service in the following situations:
  - The application service is disabled.
  - The PowerCenter Repository Service is running in exclusive mode.
- You can assign different privileges and roles to a user or group for each application service of the same service type.
- A role can include privileges for the domain and multiple application service types. When you assign the role to a user or group for one application service, privileges for that application service type are assigned to the user or group.
If you change the privileges or roles assigned to a user, the changed privileges or roles take effect the next time that the user logs in.
Note: You cannot edit the privileges or roles assigned to the default Administrator user account.
Inherited Privileges
A user or group can inherit privileges from the following objects:
- Group. When you assign privileges to a group, all subgroups and users belonging to the group inherit the privileges.
- Role. When you assign a role to a user, the user inherits the privileges belonging to the role. When you assign a role to a group, the group and all subgroups and users belonging to the group inherit the privileges belonging to the role. The subgroups and users do not inherit the role.
You cannot revoke privileges inherited from a group or role. You can assign additional privileges to a user or group that are not inherited from a group or role.
The Privileges tab for a user or group displays all the roles and privileges assigned to the user or group for the domain and for each application service. Expand the domain or application service to view the roles and privileges assigned for the domain or service. Click the following items to display additional information about the assigned roles and privileges:
- Name of an assigned role. Displays the role details on the details panel.
- Information icon for an assigned role. Highlights all privileges inherited with that role.
Privileges that are inherited from a role or group display an inheritance icon. The tooltip for an inherited privilege displays which role or group the user inherited the privilege from.
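The inheritance rules above, modeled as an added example (not Informatica code): it resolves a user's effective privileges for one application service and records the source of each, which is the check an access review needs. All user, group, role, service and privilege names are constructed, and the data layout is an assumption.

```python
# Constructed sample model; every name below is hypothetical, not Informatica's.
SERVICE_TYPE = {"domain": "domain", "repo_dev": "repository", "repo_prod": "repository"}
ROLE_PRIVS = {  # role -> {(service type, privilege)}; a role may span several types
    "Operator": {("domain", "view_logs"), ("repository", "run_workflow")},
}
PARENT = {"etl_dev": "etl", "etl": None}           # group -> parent group
MEMBER_OF = {"alice": ["etl_dev"]}                 # user -> groups
ROLES = {("group:etl", "repo_dev"): {"Operator"}}  # (principal, service) -> roles
DIRECT = {  # (principal, service) -> privileges assigned directly
    ("group:etl_dev", "repo_dev"): {"edit_mapping"},
    ("user:alice", "repo_dev"): {"run_workflow", "export_objects"},
}

def ancestors(user):
    """Yield every group the user belongs to, directly or through parent groups."""
    seen, stack = set(), list(MEMBER_OF.get(user, []))
    while stack:
        g = stack.pop()
        if g is not None and g not in seen:
            seen.add(g)
            stack.append(PARENT.get(g))
            yield g

def effective(user, service):
    """Map each effective privilege on `service` to the set of sources granting it."""
    stype, out = SERVICE_TYPE[service], {}
    principals = [f"user:{user}"] + [f"group:{g}" for g in ancestors(user)]
    for p in principals:
        via = "direct" if p.startswith("user:") else p
        for priv in DIRECT.get((p, service), ()):
            out.setdefault(priv, set()).add(via)
        for role in ROLES.get((p, service), ()):
            # Only the role's privileges for this service's type are assigned.
            for rtype, priv in ROLE_PRIVS[role]:
                if rtype == stype:
                    out.setdefault(priv, set()).add(f"role:{role} via {p}")
    return out

def revocable(user, service):
    """Privileges that go away when cleared on the user: direct and not also inherited."""
    return {p for p, src in effective(user, service).items() if src == {"direct"}}
```

For `alice` on `repo_dev`, `run_workflow` is granted both directly and through the group's role, so clearing it on the user leaves it in effect; only `export_objects` is revocable there.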
Assigning Privileges and Roles to a User or Group by Navigation
1. In the Administrator tool, click the Security tab.
2. In the Navigator, select a user or group.
3. Click the Privileges tab.
4. Click Edit.
The Edit Roles and Privileges dialog box appears.
5. To assign roles, expand the domain or an application service on the Roles tab.
6. To grant roles, select the roles to assign to the user or group for the domain or application service.
You can select any role that includes privileges for the selected domain or application service type.
7. To revoke roles, clear the roles assigned to the user or group.
8. Repeat steps 5 through 7 to assign roles for another service.
9. To assign privileges, click the Privileges tab.
10. Expand the domain or an application service.
11. To grant privileges, select the privileges to assign to the user or group for the domain or application service.
12. To revoke privileges, clear the privileges assigned to the user or group.
You cannot revoke privileges inherited from a role or group.
13. Repeat steps 10 through 12 to assign privileges for another service.
14. Click OK.