PowerCenter Repository Service Privileges
PowerCenter Repository Service privileges determine PowerCenter repository actions that users can perform using the PowerCenter Repository Manager, Designer, Workflow Manager, Workflow Monitor, and the pmrep and pmcmd command line programs.
The following table describes each privilege group for the PowerCenter Repository Service:
Privilege Group | Description |
|---|
Tools | Includes privileges to access PowerCenter Client tools and command line programs. |
Folders | Includes privileges to manage repository folders. |
Design Objects | Includes privileges to manage business components, mapping parameters and variables, mappings, mapplets, transformations, and user-defined functions. |
Sources and Targets | Includes privileges to manage cubes, dimensions, source definitions, and target definitions. |
Run-time Objects | Includes privileges to manage session configuration objects, tasks, workflows, and worklets. |
Global Objects | Includes privileges to manage connection objects, deployment groups, labels, and queries. |
Users must have the Manage Services domain privilege and permission on the PowerCenter Repository Service to perform the following actions in the Repository Manager:
- •Perform an advanced purge of object versions at the PowerCenter repository level.
- •Create, edit, and delete reusable metadata extensions.
Tools Privilege Group
The privileges in the PowerCenter Repository Service Tools privilege group determine the PowerCenter Client tools and command line programs that users can access.
The following table lists the actions that users can perform for the privileges in the Tools group:
Privilege | Permission | Description |
|---|
Access Designer | - | User is able to connect to the PowerCenter repository using the Designer. |
Access Repository Manager | - | User is able to perform the following actions: - - Connect to the PowerCenter repository using the Repository Manager.
- - Run pmrep commands.
|
Access Workflow Manager | - | User is able to perform the following actions: - - Connect to the PowerCenter repository using the Workflow Manager.
- - Remove a PowerCenter Integration Service from the Workflow Manager.
|
Access Workflow Monitor | - | User is able to perform the following actions: - - Connect to the PowerCenter repository using the Workflow Monitor.
- - Connect to the PowerCenter Integration Service in the Workflow Monitor.
|
Note: When the PowerCenter Integration Service runs in safe mode, users must have the Administrator role for the associated PowerCenter Repository Service.
The appropriate privilege in the Tools privilege group is required for all users completing tasks in PowerCenter Client tools and command line programs. For example, to create folders in the Repository Manager, a user must have the Create Folders and Access Repository Manager privileges.
If users have a privilege in the Tools privilege group and permission on a PowerCenter repository object but not the privilege to modify the object type, they can still perform some actions on the object. For example, a user has the Access Repository Manager privilege and read permission on some folders. The user does not have any of the privileges in the Folders privilege group. The user can view objects in the folders and compare the folders.
Folders Privilege Group
Folder management actions are determined by privileges in the Folders privilege group, PowerCenter repository object permissions, and domain object permissions. Users perform folder management actions in the Repository Manager and with the pmrep command line program.
Some folder management tasks are determined by folder ownership and the Administrator role, not by privileges or permissions. The folder owner or a user assigned the Administrator role for the PowerCenter Repository Service can complete the following folder management tasks:
- •Assign operating system profiles to folders if the PowerCenter Integration Service uses operating system profiles. Requires permission on the operating system profile.
- •Change the folder owner.
- •Configure folder permissions.
- •Delete the folder.
- •Designate the folder to be shared.
- •Edit the folder name and description.
Users assigned folder permissions but no privileges can perform some folder management actions. The following table lists the actions that users can perform when they are assigned folder permissions only:
Permission | Description |
|---|
Read on folder | User is able to perform the following actions: - - Compare folders.
- - View objects in folders.
|
Note: To perform actions on folders, users must also have the Access Repository Manager privilege.
Create Folders Privilege
Users assigned the Create Folders privilege can create PowerCenter repository folders.
The following table lists the required permissions and the actions that users can perform with the Create Folders privilege:
Permission | Description |
|---|
- | User is able to create folders. |
Copy Folders Privilege
Users assigned the Copy Folders privilege can copy folders within a PowerCenter repository or to another PowerCenter repository.
The following table lists the required permissions and the actions that users can perform with the Copy Folders privilege:
Permission | Description |
|---|
Read on folder | User is able to copy folders within the same PowerCenter repository or to another PowerCenter repository. Users must also have the Create Folders privilege in the destination repository. |
Manage Folder Versions
If you have a team-based development option, assign users the Manage Folder Versions privilege in a versioned PowerCenter repository. Users can change the status of folders and perform an advanced purge of object versions at the folder level.
The following table lists the required permissions and the actions that users can perform with the Manage Folder Versions privilege:
Permission | Description |
|---|
Read and Write on folder | User is able to perform the following actions: - - Change the status of folders.
- - Perform an advanced purge of object versions at the folder level.
|
Design Objects Privilege Group
Privileges in the Design Objects privilege group and PowerCenter repository object permissions determine actions users can perform on the following design objects:
- •Business components
- •Mapping parameters and variables
- •Mappings
- •Mapplets
- •Transformations
- •User-defined functions
Users assigned permissions but no privileges can perform some actions for design objects. The following table lists the actions that users can perform when they are assigned permissions only:
Permission | Description |
|---|
Read on folder | User is able to perform the following actions: - - Compare design objects.
- - Copy design objects as an image.
- - Export design objects.
- - Generate code for Custom transformation and external procedures.
- - Receive PowerCenter repository notification messages.
- - Run data lineage on design objects. Users must also have the View Lineage privilege for the Metadata Manager Service and read permission on the metadata objects in the Metadata Manager catalog.
- - Search for design objects.
- - View design objects, design object dependencies, and design object history.
|
Read on shared folder Read and Write on destination folder | User is able to create shortcuts. |
Note: To perform actions on design objects, users must also have the appropriate privilege in the Tools privilege group.
Create, Edit, and Delete Design Objects Privilege
Users assigned the Create, Edit, and Delete Design Objects privilege can create, edit, and delete business components, mapping parameters, mapping variables, mappings, mapplets, transformations, and user-defined functions.
The following table lists the required permissions and the actions that users can perform with the Create, Edit, and Delete Design Objects privilege:
Permission | Description |
|---|
Read on original folder Read and Write on destination folder | User is able to perform the following actions: - - Copy design objects from one folder to another.
- - Copy design objects to another PowerCenter repository. Users must also have the Create, Edit, and Delete Design Objects privilege in the destination repository.
|
Read and Write on folder | User is able to perform the following actions: - - Change comments for a versioned design object.
- - Check in and undo a checkout of design objects checked out by their own user account.
- - Check out design objects.
- - Copy and paste design objects in the same folder.
- - Create, edit, and delete data profiles and launch the Profile Manager. Users must also have the Create, Edit, and Delete Run-time Objects privilege.
- - Create, edit, and delete design objects.
- - Generate and clean SAP ABAP programs.
- - Generate business content integration mappings. Users must also have the Create, Edit, and Delete Sources and Targets privilege.
- - Import design objects using the Designer. Users must also have the Create, Edit, and Delete Sources and Targets privilege.
- - Import design objects using the Repository Manager. Users must also have the Create, Edit, and Delete Run-time Objects and Create, Edit, and Delete Sources and Targets privileges.
- - Revert to a previous design object version.
- - Validate mappings, mapplets, and user-defined functions.
|
Manage Design Object Versions
If you have a team-based development option, assign users the Manage Design Object Versions privilege in a versioned PowerCenter repository. Users can change the status, recover, and purge design object versions. Users can also check in and undo checkouts made by other users.
The Manage Design Object Versions privilege includes the Create, Edit, and Delete Design Objects privilege.
The following table lists the required permissions and the actions that users can perform with the Manage Design Object Versions privilege:
Permission | Description |
|---|
Read and Write on folder | User is able to perform the following actions: - - Change the status of design objects.
- - Check in and undo checkouts of design objects checked out by other users.
- - Purge versions of design objects.
- - Recover deleted design objects.
|
Sources and Targets Privilege Group
Privileges in the Sources and Targets privilege group and PowerCenter repository object permissions determine actions users can perform on the following source and target objects:
- •Cubes
- •Dimensions
- •Source definitions
- •Target definitions
Users assigned permissions but no privileges can perform some actions for source and target objects. The following table lists the actions that users can perform when they are assigned permissions only:
Permission | Description |
|---|
Read on folder | User is able to perform the following actions: - - Compare source and target objects.
- - Export source and target objects.
- - Preview source and target data.
- - Receive PowerCenter repository notification messages.
- - Run data lineage on source and target objects. Users must also have the View Lineage privilege for the Metadata Manager Service and read permission on the metadata objects in the Metadata Manager catalog.
- - Search for source and target objects.
- - View source and target objects, source and target object dependencies, and source and target object history.
|
Read on shared folder Read and Write on destination folder | Create shortcuts. |
Note: To perform actions on source and target objects, users must also have the appropriate privilege in the Tools privilege group.
Create, Edit, and Delete Sources and Targets Privilege
Users assigned the Create, Edit, and Delete Sources and Targets privilege can create, edit, and delete cubes, dimensions, source definitions, and target definitions.
The following table lists the required permissions and the actions that users can perform with the Create, Edit, and Delete Sources and Targets privilege:
Permission | Description |
|---|
Read on original folder Read and Write on destination folder | User is able to perform the following actions: - - Copy source and target objects to another folder.
- - Copy source and target objects to another PowerCenter repository. Users must also have the Create, Edit, and Delete Sources and Targets privilege in the destination repository.
|
Read and Write on folder | User is able to perform the following actions: - - Change comments for a versioned source or target object.
- - Check in and undo a checkout of source and target objects checked out by their own user account.
- - Check out source and target objects.
- - Copy and paste source and target objects in the same folder.
- - Create, edit, and delete source and target objects.
- - Import SAP functions.
- - Import source and target objects using the Designer. Users must also have the Create, Edit, and Delete Design Objects privilege.
- - Import source and target objects using the Repository Manager. Users must also have the Create, Edit, and Delete Design Objects and Create, Edit, and Delete Run-time Objects privileges.
- - Generate and execute SQL to create targets in a relational database.
- - Revert to a previous source or target object version.
|
Manage Source and Target Versions Privilege
If you have a team-based development option, assign users the Manage Source and Target Versions privilege in a versioned PowerCenter repository. Users can change the status, recover, and purge versions of source and target objects. Users can also check in and undo checkouts made by other users.
The Manage Source and Target Versions privilege includes the Create, Edit, and Delete Sources and Targets privilege.
The following table lists the required permissions and the actions that users can perform with the Manage Source and Target Versions privilege:
Permission | Description |
|---|
Read and Write on folder | User is able to perform the following actions: - - Change the status of source and target objects.
- - Check in and undo checkouts of source and target objects checked out by other users.
- - Purge versions of source and target objects.
- - Recover deleted source and target objects.
|
Run-time Objects Privilege Group
Privileges in the Run-time Objects privilege group, PowerCenter repository object permissions, and domain object permissions determine actions users can perform on the following run-time objects:
- •Session configuration objects
- •Tasks
- •Workflows
- •Worklets
Some run-time object tasks are determined by the Administrator role, not by privileges or permissions. A user assigned the Administrator role for the PowerCenter Repository Service can delete a PowerCenter Integration Service from the Navigator of the Workflow Manager.
Users assigned permissions but no privileges can perform some actions for run-time objects. The following table lists the actions that users can perform when they are assigned permissions only:
Permission | Description |
|---|
Read on folder | User is able to perform the following actions: - - Compare run-time objects.
- - Export run-time objects.
- - Receive PowerCenter repository notification messages.
- - Search for run-time objects.
- - Use mapping parameters and variables in a session.
- - View run-time objects, run-time object dependencies, and run-time object history.
|
Read and Execute on folder | Stop and abort tasks and workflows started by their own user account. When the PowerCenter Integration Service runs in safe mode, users must have the Administrator role for the associated PowerCenter Repository Service. |
Note: To perform actions on run-time objects, users must also have the appropriate privilege in the Tools privilege group.
Create, Edit, and Delete Run-time Objects Privilege
Users assigned the Create, Edit, and Delete Run-time Objects privilege can create, edit, and delete session configuration objects, tasks, workflows, and worklets.
The following table lists the required permissions and the actions that users can perform with the Create, Edit, and Delete Run-time Objects privilege:
Permission | Description |
|---|
Read on original folder Read and Write on destination folder | User is able to perform the following actions: - - Copy tasks, workflows, or worklets from one folder to another.
- - Copy tasks, workflows, or worklets to another PowerCenter repository. Users must also have the Create, Edit, and Delete Run-time Objects privilege in the destination repository.
|
Read and Write on folder | User is able to perform the following actions: - - Assign a PowerCenter Integration Service to a workflow in the workflow properties.
- - Assign a service level to a workflow.
- - Change comments for a versioned run-time object.
- - Check in and undo a checkout of run-time objects checked out by their own user account.
- - Check out run-time objects.
- - Copy and paste tasks, workflows, and worklets in the same folder.
- - Create, edit, and delete data profiles and launch the Profile Manager. Users must also have the Create, Edit, and Delete Design Objects privilege.
- - Create, edit, and delete session configuration objects.
- - Delete and validate tasks, workflows, and worklets.
- - Import run-time objects using the Repository Manager. Users must also have the Create, Edit, and Delete Design Objects and Create, Edit, and Delete Sources and Targets privileges.
- - Import run-time objects using the Workflow Manager.
- - Revert to a previous object version.
|
Read and Write on folder Read on connection object | User is able to perform the following actions: - - Create and edit tasks, workflows, and worklets.
- - Replace a relational database connection for all sessions that use the connection.
|
Manage Run-time Object Versions Privilege
If you have a team-based development option, assign users the Manage Run-time Object Versions privilege in a versioned PowerCenter repository. Users can change the status, recover, and purge run-time object versions. Users can also check in and undo checkouts made by other users.
The Manage Run-time Object Versions privilege includes the Create, Edit, and Delete Run-time Objects privilege.
The following table lists the required permissions and the actions that users can perform with the Manage Run-time Object Versions privilege:
Permission | Description |
|---|
Read and Write on folder | User is able to perform the following actions: - - Change the status of run-time objects.
- - Check in and undo checkouts of run-time objects checked out by other users.
- - Purge versions of run-time objects.
- - Recover deleted run-time objects.
|
Monitor Run-time Objects Privilege
Users assigned the Monitor Run-time Objects privilege can Monitor workflows and tasks in the Workflow Monitor.
The following table lists the required permissions and the actions that users can perform with the Monitor Run-time Objects privilege:
Permission | Grants Users the Ability To |
|---|
Read on folder | User is able to perform the following actions: - - View properties of run-time objects in the Workflow Monitor.
- - View session and workflow logs in the Workflow Monitor.
- - View run-time object and performance details in the Workflow Monitor.
When the PowerCenter Integration Service runs in safe mode, users must have the Administrator role for the associated PowerCenter Repository Service. |
Execute Run-time Objects Privilege
Users assigned the Execute Run-time Objects privilege can start, cold start, and recover tasks and workflows.
The Execute Run-time Objects privilege includes the Monitor Run-time Objects privilege.
The following table lists the required permissions and the actions that users can perform with the Execute Run-time Objects privilege:
Permission | Description |
|---|
Read and Execute on folder | User is able to assign a PowerCenter Integration Service to a workflow using the Service menu or the Navigator. |
Read, Write, and Execute on folder Read and Execute on connection object | User is able to debug a mapping by creating a debug session instance or by using an existing reusable session. Users must also have the Create, Edit, and Delete Run-time Objects privilege. When the PowerCenter Integration Service runs in safe mode, users must have the Administrator role for the associated PowerCenter Repository Service. |
Read and Execute on folder Read and Execute on connection object | User is able to debug a mapping by using an existing non-reusable session. When the PowerCenter Integration Service runs in safe mode, users must have the Administrator role for the associated PowerCenter Repository Service. |
Read and Execute on folder Read and Execute on connection object | User is able to perform the following actions: - - Start, cold start, and restart tasks and workflows.
- - Recover tasks and workflows started by their own user account.
If the PowerCenter Integration Service uses operating system profiles, users must also have permission on the operating system profile. When the PowerCenter Integration Service runs in safe mode, users must have the Administrator role for the associated PowerCenter Repository Service. |
Manage Run-time Object Execution Privilege
Users assigned the Manage Run-time Object Execution privilege can schedule and unschedule workflows. Users can also stop, abort, and recover tasks and workflows started by other users.
The Manage Run-time Object Execution privilege includes the Execute Run-time Objects privilege and the Monitor Run-time Objects privilege.
The following table lists the required permissions and the actions that users can perform with the Manage Run-time Object Execution privilege:
Permission | Description |
|---|
Read and Execute on folder | User is able to truncate workflow and session log entries. |
Read and Execute on folder | User is able to perform the following actions: - - Stop and abort tasks and workflows started by other users.
- - Stop and abort tasks that were recovered automatically.
- - Unschedule workflows.
When the PowerCenter Integration Service runs in safe mode, users must have the Administrator role for the associated PowerCenter Repository Service. |
Read and Execute on folder Read and Execute on connection object | User is able to perform the following actions: - - Recover tasks and workflows started by other users.
- - Recover tasks that were recovered automatically.
If the PowerCenter Integration Service uses operating system profiles, users must also have permission on the operating system profile. When the PowerCenter Integration Service runs in safe mode, users must have the Administrator role for the associated PowerCenter Repository Service. |
Read, Write, and Execute on folder Read and Execute on connection object | User is able to perform the following actions: - - Create and edit a reusable scheduler from the Workflows > Schedulers menu.
- - Edit a non-reusable scheduler from the workflow properties.
- - Edit a reusable scheduler from the workflow properties. Users must also have the Create, Edit, and Delete Run-time Objects privilege.
If the PowerCenter Integration Service uses operating system profiles, users must also have permission on the operating system profile. When the PowerCenter Integration Service runs in safe mode, users must have the Administrator role for the associated PowerCenter Repository Service. |
Global Objects Privilege Group
Privileges in the Global Objects privilege group and PowerCenter repository object permissions determine actions users can perform on the following global objects:
- •Connection objects
- •Deployment groups
- •Labels
- •Queries
Some global object tasks are determined by global object ownership and the Administrator role, not by privileges or permissions. The global object owner or a user assigned the Administrator role for the PowerCenter Repository Service can complete the following global object tasks:
- •Configure global object permissions.
- •Change the global object owner.
- •Delete the global object.
Users assigned permissions but no privileges can perform some actions for global objects. The following table lists the actions that users can perform when they are assigned permissions only:
Permission | Description |
|---|
Read on connection object | User is able to view connection objects. |
Read on deployment group | User is able to view deployment groups. |
Read on label | User is able to view labels. |
Read on query | User is able to view object queries. |
Read and Write on connection object | User is able to edit connection objects. |
Read and Write on label | User is able to edit and lock labels. |
Read and Write on query | User is able to edit and validate object queries. |
Read and Execute on query | User is able to run object queries. |
Read on folder Read and Execute on label | User is able to apply labels and remove label references. |
Note: To perform actions on global objects, users must also have the appropriate privilege in the Tools privilege group.
Create Connections Privilege
Users assigned the Create Connections privilege can create connection objects.
The following table lists the required permissions and the actions that users can perform with the Create Connections privilege:
Permission | Description |
|---|
- | User is able to create and copy connection objects. |
Manage Deployment Groups Privilege
If you have a team-based development option, users assigned the Manage Deployment Groups privilege in a versioned PowerCenter repository can create, edit, copy, and roll back deployment groups. In a non-versioned repository, users can create, edit, and copy deployment groups.
The following table lists the required permissions and the actions that users can perform with the Manage Deployment Groups privilege:
Permission | Description |
|---|
- | User is able to create deployment groups. |
Read and Write on deployment group | User is able to perform the following actions: - - Edit deployment groups.
- - Remove objects from a deployment group.
|
Read on original folder Read and Write on deployment group | User is able to add objects to a deployment group. |
Read on original folder Read and Write on destination folder Read and Execute on deployment group | User is able to copy deployment groups. |
Read and Write on destination folder | User is able to roll back deployment groups. |
Execute Deployment Groups Privilege
Users assigned the Execute Deployment Groups privilege can copy a deployment group without write permission on target folders.
The following table lists the required permissions and the actions that users can perform with the Execute Deployment Groups privilege:
Permission | Description |
|---|
Read on original folder Execute on deployment group | User is able to copy deployment groups. |
Create Labels Privilege
If you have a team-based development option, users assigned the Create Labels privilege in a versioned PowerCenter repository can create labels.
The following table lists the required permissions and the actions that users can perform with the Create Labels privilege:
Permission | Description |
|---|
- | User is able to create labels. |
Create Queries Privilege
Users assigned the Create Queries privilege can create object queries.
The following table lists the required permissions and the actions that users can perform with the Create Queries privilege:
Permission | Description |
|---|
- | User is able to create object queries. |