Domain Privileges
Domain privileges determine the actions that users can perform using the Administrator tool and the infacmd and pmrep command line programs.
The following table describes each domain privilege group:
Privilege Group | Description |
|---|
Security Administration | Includes privileges to manage users, groups, roles, and privileges. |
Domain Administration | Includes privileges to manage the domain, folders, nodes, grids, licenses, application services, connections, and cluster configurations. |
Monitoring | Includes privileges to configure monitoring statistics and reports, view monitoring for integration objects, and access monitoring. |
Tools | Includes privileges to log in to the Administrator tool. |
Cloud Administration | Includes privileges to add Informatica Cloud organizations in the Administrator tool and view them. |
Security Administration Privilege Group
Privileges in the Security Administration privilege group and domain object permissions determine the security management actions users can perform.
Some security management tasks are determined by the Administrator role, not by privileges or permissions. A user assigned the Administrator role for the domain can complete the following tasks:
- •Create, edit, and delete operating system profiles.
- •Grant permission on operating system profiles.
Note: To complete security management tasks in the Administrator tool, users must also have the Access Informatica Administrator privilege.
Grant Privileges and Roles Privilege
Users assigned the Grant Privileges and Roles privilege can assign privileges and roles to users and groups.
The following table lists the required permissions and the actions that users can perform with the Grant Privileges and Roles privilege:
Permission On | Description |
|---|
Domain or application service | User is able to perform the following actions: - - Assign privileges and roles to users and groups for the domain or application service.
- - Edit and remove the privileges and roles assigned to users and groups.
|
Manage Users, Groups, and Roles Privilege
Users assigned the Manage Users, Groups, and Roles privilege can configure LDAP authentication and manage users, groups, and roles.
The Manage Users, Groups, and Roles privilege includes the Grant Privileges and Roles privilege.
The following table lists the required permissions and the actions that users can perform with the Manage Users, Groups, and Roles privilege:
Permission On | Description |
|---|
- | User is able to perform the following actions: - - Configure LDAP authentication for the domain.
- - Create, edit, and delete users, groups, and roles.
- - Import LDAP users and groups.
|
Operating system profile | User is able to edit operating system profile properties. |
Domain Administration Privilege Group
Domain management actions that users can perform depend on privileges in the Domain Administration group and permissions on domain objects.
Some domain management tasks are determined by the Administrator role, not by privileges or permissions. A user assigned the Administrator role for the domain can complete the following tasks:
- •Configure domain properties.
- •Configure cluster configurations.
- •Grant permission on the domain.
- •Manage and purge log events.
- •Receive domain alerts.
- •Run the License Report.
- •View user activity log events.
- •Shut down the domain.
- •Access the service upgrade wizard.
Users who are assigned domain object permissions but not privileges can complete some domain management tasks. The following table lists the actions that users can perform when they are assigned domain object permissions only:
Permission On | Description |
|---|
Domain | User can perform the following actions: - - View domain properties and log events.
- - Configure monitoring settings.
|
Folder | User can view folder properties. |
Application service | User can view application service properties and log events. |
License object | User can view license object properties. |
Grid | User can view grid properties. |
Node | User can view node properties. |
Web Services Hub | User can run the Web Services Report. |
Note: To complete domain management tasks in the Administrator tool, users must also have the Access Informatica Administrator privilege.
Manage Service Execution Privilege
Users assigned the Manage Service Execution privilege can enable and disable application services and receive application service alerts.
The following table lists the required permissions and the actions that users can perform with the Manage Service Execution privilege:
Permission On | Description |
|---|
Application service | User is able to perform the following actions: - - Enable and disable application services and service processes. To enable and disable a Metadata Manager Service, users must also have permission on the associated PowerCenter Integration Service and PowerCenter Repository Service.
- - Receive application service alerts.
|
Manage Services Privilege
Users assigned the Manage Services privilege can create, configure, move, remove, and grant permission on application services and license objects.
The Manage Services privilege includes the Manage Service Execution privilege.
The following table lists the required permissions and the actions that users can perform with the Manage Services privilege:
Permission On | Description |
|---|
Domain or parent folder | User is able to create license objects. |
Domain or parent folder, node or grid where application service runs, license object, and any associated application service | User is able to create application services. |
Application service | User is able to perform the following actions: - - Configure application services.
- - Grant permission on application services.
|
Original and destination folders | User is able to move application services or license objects from one folder to another. |
Domain or parent folder and application service | User is able to remove application services. |
Analyst Service | User is able to create and delete audit trail tables. |
Metadata Manager Service | User is able to perform the following actions: - - Back up Metadata Manager repository content.
- - Delete Metadata Manager repository content.
- - Upgrade the content of the Metadata Manager Service.
Note: To create or restore Metadata Manager repository content, the user must belong to the default Administrator group. |
Metadata Manager Service PowerCenter Repository Service | User is able to restore the PowerCenter repository for Metadata Manager. |
Model Repository Service | User is able to perform the following actions: - - Create and delete Model repository content.
- - Create, delete, and re-index the search index.
- - Upgrade the content of the Model Repository Service from the Actions menu or from the command line. The user must also have the Create, Edit and Delete Projects privilege on the Model Repository Service and write permission on the projects.
|
PowerCenter Integration Service | User is able to run the PowerCenter Integration Service in safe mode. |
PowerCenter Repository Service | User is able to perform the following actions: - - Back up, restore, and upgrade the PowerCenter repository.
- - Configure data lineage for the PowerCenter repository.
- - Copy content from another PowerCenter repository.
- - Close user connections and release PowerCenter repository locks.
- - Create and delete PowerCenter repository content.
- - Create, edit, and delete reusable metadata extensions in the PowerCenter Repository Manager.
- - Enable version control for the PowerCenter repository.
- - Manage a PowerCenter repository domain.
- - Perform an advanced purge of object versions at the repository level in the PowerCenter Repository Manager.
- - Register and unregister PowerCenter repository plug-ins.
- - Run the PowerCenter repository in exclusive mode.
- - Send PowerCenter repository notifications to users.
- - Update PowerCenter repository statistics.
- - Upgrade the content of the PowerCenter Repository Service.
|
Test Data Manager Service | User is able to perform the following actions: - - Create and delete the Test Data Manager repository content.
- - Upgrade the content of the Test Data Manager Service.
|
License object | User is able to perform the following actions: - - Edit license objects.
- - Grant permission on license objects.
|
License object and application service | User is able to assign a license to an application service. |
Domain or parent folder and license object | User is able to remove license objects. |
Manage Nodes and Grids Privilege
Users assigned the Manage Nodes and Grids privilege can create, configure, move, remove, shut down, and grant permission on nodes and grids.
The following table lists the required permissions and the actions that users can perform with the Manage Nodes and Grids privilege:
Permission On | Description |
|---|
Domain or parent folder | User is able to create nodes. |
Domain or parent folder and nodes assigned to the grid | User is able to create grids. |
Node or grid | User is able to perform the following actions: - - Configure and shut down nodes and grids.
- - Grant permission on nodes and grids.
|
Original and destination folders | User is able to move nodes and grids from one folder to another. |
Domain or parent folder and node or grid | User is able to remove nodes and grids. |
Manage Domain Folders Privilege
Users assigned the Manage Domain Folders privilege can create, edit, move, remove, and grant permission on domain folders.
The following table lists the required permissions and the actions that users can perform with the Manage Domain Folders privilege:
Permission On | Description |
|---|
Domain or parent folder | User is able to create folders. |
Folder | User is able to perform the following actions: - - Edit folders.
- - Grant permission on folders.
|
Original and destination folders | User is able to move folders from one parent folder to another. |
Domain or parent folder and folder being removed | User is able to remove folders. |
Manage Connections Privilege
Users assigned the Manage Connections privilege can create, edit, and delete connections in the Administrator tool, Analyst tool, Developer tool, and infacmd command line program. Users can also copy connections in the Developer tool and can grant permissions on connections in the Administrator tool and infacmd command line program.
Users assigned the Manage Connections privilege can also create, refresh, and delete cluster configurations and set and clear configuration properties in the Administrator tool and the infacmd command line program.
Users assigned connection permissions but not the Manage Connections privilege can perform the following connection management actions:
- •View all connection metadata, except passwords. Requires read permission on connection.
- •Preview data or run a mapping, scorecard, or profile. Requires execute permission on connection.
The following table lists the required permissions and the actions that users can perform with the Manage Connections privilege:
Permission | Description |
|---|
- | User is able to create connections and cluster configurations. |
Write on connection | User is able to copy, edit, and delete connections. |
Grant on connection | User is able to grant and revoke permissions on connections. |
Write on cluster configuration | User is able to create, refresh, and delete cluster configurations. User is able to set and clear cluster configuration properties. |
Monitoring Privilege Group
The privileges in the Monitoring privilege group determine which users can view and configure monitoring.
The following table lists the required permissions and the actions that users can perform with the privileges in the Manage Monitoring group:
Parent Privilege | Privilege | Permission On | Description |
|---|
Manage Monitoring | Monitoring Configuration | Domain | User can configure monitoring settings. |
Manage Monitoring | Report and Statistic Settings | Domain | User can configure monitoring statistics and reports. |
View | View Jobs of All the Users in the Groups the User Belongs To | Domain | A user in a group can monitor the jobs run by other users in the group. If the user belongs to multiple groups, the user can see the jobs from all the groups. |
View Jobs of All the Users in the Groups the User Belongs To | View Jobs of Other Users | Domain | User can view jobs of other users. |
View | View Statistics | Domain | User can view the Summary Statistics view and statistics for domain objects. Note: In a domain that uses Kerberos authentication, users must also have the Administrator role for the monitoring Model Repository Service to view Summary Statistics view and statistics for the domain objects. |
View | View Reports | Domain | User can view reports for domain objects. |
Access Monitoring | Access from Analyst Tool | Domain | User can access the Job Status workspace in the Analyst tool. |
Access Monitoring | Access from Developer Tool | Domain | User can access the Monitoring tool from the Developer tool. |
Access Monitoring | Access from Administrator Tool | Domain | User can access the Monitor tab in the Administrator tool. |
N/A | Perform Actions on Jobs | Domain | User can perform the following actions: - - Abort jobs.
- - Reissue mapping jobs.
- - View job logs.
|
Users do not need the Access Informatica Administrator privilege to access the Monitoring tool.
Tools Privilege Group
The privilege in the domain Tools group determines which users can access the Administrator tool.
The following table lists the required permissions and the actions that users can perform with the privilege in the Tools group:
Privilege | Description |
|---|
Access Informatica Administrator | User is able to perform the following actions: - - Log in to the Administrator tool.
- - Manage their own user account in the Administrator tool.
- - Export log events.
|
Users must have the Access Informatica Administrator privilege in order to complete tasks in the Administrator tool. Users do not need the Access Informatica Administrator privilege to run infacmd commands or access the Monitoring tool.
Cloud Administration Privilege Group
The privileges in the Cloud Administration group determine which users can view and configure Informatica Cloud organizations.
The following table lists the required permissions and the actions that users can perform with the privileges in the Cloud Administration group:
Privilege | Permission On | Description |
|---|
View Organization | Domain | User can view the Informatica Cloud organizations and the associated Secure Agents and cloud connections. |
Manage Organization | Domain | User can add Informatica Cloud organizations in the Administrator tool. |