
Managing Roles

A role is a collection of privileges that you can assign to users and groups. You can assign system-defined roles and custom roles.
A role includes privileges for the domain or an application service type. You assign roles to users or groups for the domain or for each application service in the domain. For example, you can create a Developer role that includes privileges for the PowerCenter Repository Service. A domain can contain multiple PowerCenter Repository Services. You can assign the Developer role to a user for the Development PowerCenter Repository Service. You can assign a different role to that user for the Production PowerCenter Repository Service.
When you select a role in the Roles section of the Navigator, you can view all users and groups that have been directly assigned the role for the domain and application services. You can view the role assignments by users and groups or by services. To navigate to a user or group listed in the Assignments section, right-click the user or group and select Navigate to Item.
You can search for system-defined and custom roles.

System-Defined Roles

A system-defined role is a role that you cannot edit or delete. The Administrator role is a system-defined role.
When you assign the Administrator role to a user or group for the domain, Analyst Service, Data Integration Service, Metadata Manager Service, Model Repository Service, PowerCenter Repository Service, or Reporting Service, the user or group is granted all privileges for the service. The Administrator role bypasses permission checking. Users with the Administrator role can access all objects managed by the service.

Administrator Role

When you assign the Administrator role to a user or group for the domain or the Data Integration Service, the user or group can complete some tasks that are determined by the Administrator role, not by privileges or permissions.
You can assign a user or group all privileges for the domain or the Data Integration Service and then grant the user or group full permissions on all domains. However, this user or group cannot complete the tasks determined by the Administrator role.
For example, a user assigned the Administrator role for the domain can configure domain properties in the Administrator tool. A user assigned all domain privileges and permission on the domain cannot configure domain properties.
The following table lists the tasks determined by the Administrator role for the domain or the Data Integration Service:
Service: Domain
Tasks:
  - Configure domain properties.
  - Create operating system profiles.
  - Delete operating system profiles.
  - Grant permission on the domain and operating system profiles.
  - Manage and purge log events.
  - Receive domain alerts.
  - Run the License Report.
  - View user activity log events.
  - Shut down the domain.
  - Access the service upgrade wizard.
Service: Data Integration Service
Tasks:
  - Upgrade the Data Integration Service using the Actions menu.
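
Because the Administrator role bypasses permission checking, it helps to review who holds it on each service. The following added example (not Informatica code) resolves Administrator assignments to individual users; the record layout and sample data are constructed, and it assumes that members of a group receive the roles assigned to the group.

```python
from collections import defaultdict

ADMIN_ROLE = "Administrator"  # system-defined role named on this page
# Scopes where the role also carries the role-only tasks listed above.
ROLE_TASK_SCOPES = {"Domain", "Data Integration Service"}

# Constructed sample data in a hypothetical layout, not an Informatica export.
GROUP_MEMBERS = {"etl_ops": {"asmith", "bjones"}, "analysts": {"cdoe"}}
# (principal kind, principal name, role, scope); scope is "Domain" or a service.
ASSIGNMENTS = [
    ("user", "admin1", "Administrator", "Domain"),
    ("group", "etl_ops", "administrator", "Data Integration Service"),
    ("user", "cdoe", "Developer", "Development PowerCenter Repository Service"),
    ("user", "cdoe", "Administrator", "Production PowerCenter Repository Service"),
    ("group", "analysts", "Developer", "Model Repository Service"),
]

def effective_admins(assignments, group_members):
    """Map each scope to {user: [how the Administrator role was obtained]}."""
    found = defaultdict(lambda: defaultdict(set))
    for kind, name, role, scope in assignments:
        # Role names are case insensitive, so compare case-folded.
        if role.casefold() != ADMIN_ROLE.casefold():
            continue
        if kind == "user":
            found[scope][name].add("direct")
        elif kind == "group":
            # Assumption: group members receive the group's roles.
            for member in group_members.get(name, ()):
                found[scope][member].add(f"group:{name}")
        else:
            raise ValueError(f"unknown principal kind: {kind!r}")
    return {s: {u: sorted(v) for u, v in users.items()}
            for s, users in found.items()}

def review_flags(admins):
    """(scope, user) pairs that can perform the role-only tasks."""
    return sorted((scope, user)
                  for scope, users in admins.items()
                  if scope in ROLE_TASK_SCOPES
                  for user in users)

if __name__ == "__main__":
    admins = effective_admins(ASSIGNMENTS, GROUP_MEMBERS)
    for scope, users in sorted(admins.items()):
        print(scope, users)
    print("role-only tasks:", review_flags(admins))
```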

Custom Roles

A custom role is a role that you can edit or delete.
By default, the Administrator tool includes the following custom roles:
You can edit the privileges for these roles, or delete the roles. You can also create your own custom roles.

Creating Custom Roles

When you create a custom role, you assign privileges to the role for the domain or for an application service type. A role can include privileges for one or more services.
    1. In the Administrator tool, click the Security tab.
    2. On the Security Actions menu, click Create Role.
    The Create Role dialog box appears.
    3. Enter the following properties for the role:
       - Name: Name of the role. The role name is case insensitive and cannot exceed 128 characters. It cannot include a tab, newline character, or the following special characters: , + " \ < > ; / * % ?
         The name can include an ASCII space character except for the first and last character. All other space characters are not allowed.
       - Description: Description of the role. The description cannot exceed 765 characters or include a tab, newline character, or the following special characters: < > "
    4. Click the Privileges tab.
    5. Expand the domain or an application service type.
    6. Select the privileges to assign to the role for the domain or application service type.
    7. Click OK.
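
When role definitions are prepared outside the Administrator tool, for example in a provisioning request, the name and description rules from step 3 can be checked before anyone opens the Create Role dialog box. The following is an added example, not Informatica code; it assumes lengths are counted in characters, that an empty name is invalid, and that a name differing only in case from an existing role counts as a collision.

```python
import unicodedata

NAME_MAX, DESC_MAX = 128, 765          # length limits from step 3
NAME_FORBIDDEN = set(',+"\\<>;/*%?')   # special characters barred from names
DESC_FORBIDDEN = set('<>"')            # special characters barred from descriptions

def _bad_chars(text, forbidden, ascii_space_only):
    """Return sorted labels for characters that break the rules."""
    problems = set()
    for ch in text:
        if ch in "\t\n":
            problems.add("tab or newline")
        elif ch in forbidden:
            problems.add(f"special character {ch!r}")
        elif ascii_space_only and ch != " " and (
                ch.isspace() or unicodedata.category(ch) == "Zs"):
            # Catches look-alike spaces such as U+00A0 (no-break space).
            problems.add(f"disallowed space character U+{ord(ch):04X}")
    return sorted(problems)

def check_role_name(name, existing=()):
    """Return a list of rule violations for a role name (empty list = valid)."""
    if not name:
        return ["name is empty"]  # assumption: the page does not cover this case
    errors = _bad_chars(name, NAME_FORBIDDEN, ascii_space_only=True)
    if len(name) > NAME_MAX:
        errors.append(f"longer than {NAME_MAX} characters")
    if name[0] == " " or name[-1] == " ":
        errors.append("leading or trailing space")
    # Names are case insensitive: "Developer" and "developer" are the same role.
    if name.casefold() in {e.casefold() for e in existing}:
        errors.append("collides with an existing role name (case insensitive)")
    return errors

def check_role_description(desc):
    """Return a list of rule violations for a role description."""
    errors = _bad_chars(desc, DESC_FORBIDDEN, ascii_space_only=False)
    if len(desc) > DESC_MAX:
        errors.append(f"longer than {DESC_MAX} characters")
    return errors

if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["Data Steward", " Steward", "ops/admin", "Data\u00a0Steward"]:
        print(repr(candidate), check_role_name(candidate, existing=["Developer"]))
```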

Editing Properties for Custom Roles

When you edit a custom role, you can change the description of the role. You cannot change the name of the role.
    1. In the Administrator tool, click the Security tab.
    2. In the Roles section of the Navigator, select a role.
    3. Click Edit.
    4. Change the description of the role and click OK.

Editing Privileges Assigned to Custom Roles

You can change the privileges assigned to a custom role for the domain and for each application service type.
    1. In the Administrator tool, click the Security tab.
    2. In the Roles section of the Navigator, select a role.
    3. Click the Privileges tab.
    4. Click Edit.
    The Edit Roles and Privileges dialog box appears.
    5. Expand the domain or an application service type.
    6. To assign privileges to the role, select the privileges for the domain or application service type.
    7. To remove privileges from the role, clear the privileges for the domain or application service type.
    8. Repeat the steps to change the privileges for each service type.
    9. Click OK.

Deleting Custom Roles

When you delete a custom role, the custom role and all privileges that it included are removed from any user or group assigned the role.
To delete a custom role, right-click the role in the Roles section of the Navigator and select Delete Role. Confirm that you want to delete the role.