Privileges
Privileges determine the tasks that users can perform in the Test Data Manager. Users require domain privileges and Test Data Manager privileges.
The Informatica administrator assigns domain privileges, and you assign Test Data Manager Service privileges. Domain privileges work in conjunction with Test Data Manager Service privileges. For example, a developer that creates data masking or data generation plans needs Test Data Manager Service privileges to create the plans in the Test Data Manager. The developer also needs domain privileges to generate and run the data masking or data generation operations.
Note: Administrators can create custom roles that contain privileges and assign roles to users from the Informatica Administrator.
Informatica Privileges
The Informatica administrator assigns PowerCenter Repository Service privileges to users that need to perform subset, masking, and generation operations. All users need the domain privilege to change passwords. Users do not need domain privileges to perform profiling operations.
PowerCenter Repository Service Privileges to Perform Subset, Masking, and Generation Operations
The following table lists the PowerCenter Repository Service privileges that users need to perform data subset, data masking, and data generation operations:
Privilege Group | Privileges |
|---|
Runtime Objects | Create, Edit, and Delete Monitor Execute |
Tools | Access Designer Access Repository Manager Access Workflow Manager Access Workflow Monitor |
Design Objects | Create, Edit, and Delete |
Sources and Targets | Create, Edit, and Delete |
Folders | Create, Copy, and Manage Versions |
Global Objects | Create Connections Manage Deployment Groups Execute Deployment groups Create Labels Create Queries |
PowerCenter Repository Service Administrator Role to Generate and Run Workflows
To generate and run workflows, users must have the system-defined role Administrator on the PowerCenter Repository Service in addition to the required TDM privileges.
Privilege to Change Passwords
Test Data Manager users need the domain privilege, Access Informatica Administrator, to change their passwords in the Administrator tool.
Test Data Manager Service Privileges
Test Data Manager Service privileges determine the actions that users can perform using the Test Data Manager. A user with the privilege to perform certain actions requires permissions to perform the action on a particular object. Configure permissions on the Security tab of the Administrator tool.
The following table describes each Test Data Manager privilege group.
Privilege Group | Description |
|---|
Administration | Includes privileges to create and manage connections, roles and assign privileges to users and user groups from the Informatica Administrator, manage repositories, add licenses, and set up workflow and project attributes. Note: Before you can create users and groups, the default Informatica administrator user must assign Security Administration privileges to the Test Data Administrator user. |
Data Domains | Includes privileges to view and manage data domains in the Test Data Manager. |
Data Masking | Includes privileges to view and manage masking rules and policy assignments in the Test Data Manager. |
Data Subset | Includes privileges to view and manage subset objects including entities, groups and templates in the Test Data Manager. |
Policies | Includes privileges to view and manage policies in the Test Data Manager. |
Projects | Includes privileges to view and manage projects, audit and import metadata, and execute plans and workflows in the Test Data Manager. |
Rules | Includes privileges to view and manage masking and generation rules in the Test Data Manager. |
Data Generation | Includes privileges to view and manage test data generation in the Test Data Manager. |
Administration Privilege Group
The privileges in the Administration privilege group determine the administration tasks that Test Data Administrators can perform.
The following table lists the privileges in the Administration privilege group and the permissions required to perform a task on an object:
Privilege | Includes Privileges | Permission | Description |
|---|
Manage Preferences | - | Write | User can perform the following actions on the Informatica Administrator and Test Data Manager: - - Create roles.
- - Edit roles.
- - Delete roles.
- - View roles.
- - Associate roles to users.
- - Associate privileges to users.
- - Associate roles to user groups.
- - Associate privileges to user groups.
- - Add licenses.
- - Set up the TDM repository.
- - Set up the PowerCenter repository.
- - Set up data domain sensitivity levels.
- - Configure a test data repository.
- - Configure a test data mart.
- - Set up project custom attributes.
- - Set up workflow generation attributes.
- - Enable data discovery.
- - Set up profiling services.
- - View administration objects.
- - Configure keyword search indexing options.
|
View Connections | - | Read | User can perform the following actions on the Connections page in the Test Data Manager: - - View connections.
- - Test connections.
|
Manage Connections | View Connections | Write | User can perform the following actions on the Connections page in the Test Data Manager: - - Create connections.
- - Edit connections.
- - Delete connections.
- - View connections.
- - Test connections.
- - Configure a test data repository.
- - Configure a test data mart.
|
Data Domains Privilege Group
The privileges in the Data Domains privilege group determine the tasks that users can perform on data domains on the Policies page of the Test Data Manager.
The following table lists the privileges in the Data Domains privilege group and the permissions required to perform a task on an object:
Privilege | Includes Privileges | Permission | Description |
|---|
View Data Domains | - | Read | User can view data domains in the Test Data Manager. |
Manage Data Domains | View Data Domains | Write | User can perform the following actions on data domains in the Test Data Manager: - - Create data domains.
- - Edit data domains.
- - Delete data domains.
- - View data domains.
|
Data Masking Privilege Group
The privileges in the Data Masking privilege group determine the tasks that users can perform on the Project | Define | Data Masking view of the Test Data Manager. You can assign rules and polices to table columns from this view.
The following table lists the privileges in the Data Masking privilege group and the permissions required to perform a task on an object:
Privilege | Includes Privileges | Permission | Description |
|---|
View Data Masking | - | Read | User can view data masking assignments in the Test Data Manager. |
Manage Data Masking | View Data Masking | Write | User can perform the following data masking assignment actions in the Test Data Manager: - - Add rule and policy assignments.
- - Delete rule and policy assignments.
- - Override rule properties.
- - View data masking assignments.
|
Data Subset Privilege Group
The privileges in the Data Subset privilege group determine the tasks that users can perform on data subset objects in the Test Data Manager.
The following table lists the privileges in the Data Subset privilege group and the permissions required to perform a task on an object:
Privilege | Includes Privileges | Permission | Description |
|---|
View Data Subset | - | Read | User can perform the following data subset actions in the Test Data Manager: - - View groups.
- - View templates
- - View entities.
- - View recent project objects.
|
Manage Data Subset | View Data Subset | Write | User can perform the following data subset actions in the Test Data Manager: - - Create groups.
- - Edit groups.
- - Delete groups.
- - Add group parameters.
- - Create templates.
- - Edit templates.
- - Delete templates.
- - Add template parameters.
- - Create entity.
- - Edit entity.
- - Delete entity.
- - Add entity criteria.
- - Enable relationships.
- - Disable relationships.
- - Edit relationships
- - Review and act on changes.
- - Mark change review as complete.
|
Policies Privilege Group
The privileges in the Policies privilege group determine the tasks that users can perform on Policies in the Test Data Manager.
The following table lists the privileges in the Policies privilege group and the permissions required to perform a task on an object:
Privilege | Includes Privileges | Permission | Description |
|---|
View Policies | - | Read | User can view policies in the Test Data Manager. |
Manage Policies | View Policies | Write | User can perform the following policy actions policies in the Test Data Manager: - - Create policies.
- - Edit policies.
- - Delete policies.
- - View policies.
|
Projects Privilege Group
The privileges in the Projects privilege group determine the tasks that users can perform on Projects in the Test Data Manager.
The following table lists the privileges in the Projects privilege group and the permissions required to perform a task on an object:
Privilege | Includes Privileges | Permission | Description |
|---|
View Project | - | Read | User can perform the following actions on projects in the Test Data Manager: - - View projects.
- - View plans.
- - View plan detail reports.
- - View plan audit reports.
- - View recent projects.
- - View data set versions.
|
Manage Project | View Project | Write | User can perform the following actions on projects in the Test Data Manager: - - Create projects
- - Edit projects.
- - Delete projects
- - View projects.
- - Associate users to projects.
- - Associate user groups to projects.
- - Associate or remove rules to projects.
- - Associate or remove policies to projects
- - Create plans.
- - Edit plans.
- - Delete plans.
- - Generate plans.
- - Edit a data set version.
- - Delete a data set version.
|
Discover Project | - | Write | User can perform the following discover actions on projects in the Test Data Manager: - - Classify tables.
- - Mark discovery as complete.
- - Associate data domains to columns.
- - Mark columns as restricted.
- - Mark columns as sensitive
- - Set similar value column
- - Remove similar value columns
- - Add primary keys
- - Remove primary Keys
- - Create logical constraints
- - View logical constraints
- - Edit logical Constraints
- - Delete Logical Constraints
- - View projects.
- - View profiled data domains.
- - Approve or reject profile data domains.
- - Mark data domain classification as complete.
- - View profiled primary keys.
- - Approve or reject profiled primary keys.
- - Mark primary key discovery as complete.
- - View profiled entities.
- - Approve or reject profiled entities.
- - Mark entity discovery as complete.
- - View project risk analysis.
- - View recent project sensitive data distribution.
|
Generate Project | - | Write | User can generate workflows in the Test Data Manager. |
Execute Project | - | Write | User can perform the following execute actions on projects in the Test Data Manager: - - Execute plans.
- - Execute workflows.
- - Stop workflows.
- - Abort workflows.
- - Recover workflows.
- - View plan execution.
- - Create a data set version.
- - Reset a data set version.
|
Monitor Project | - | Read | User can perform the following monitor actions on projects in the Test Data Manager: - - Monitor project jobs.
- - View project job logs.
- - Monitor jobs across projects.
- - View job logs across projects.
|
Audit Project | - | Read | User can view recent activity on projects and plans in the Test Data Manager. |
Import Metadata | - | Write | User can perform the following actions on projects in the Test Data Manager: - - Import sources
- - Delete sources.
|
Note: A user with Manage Project privilege must have at least the following levels of privileges to be able to create a plan with each component.
- •View connection from the Administration privilege group. To create a plan.
- •View data subset from the Data Subset privilege group. To create a plan with subset components.
- •View masking rules from the Rules privilege group. To create a plan with masking components.
- •View generation rules from the Rules privilege group. To create a plan with generation components.
Rules Privilege Group
The privileges in the Rules privilege group determine the tasks that users can perform on data masking and data generation rules in the Test Data Manager.
The following table lists the privileges in the Data Masking privilege group and the permissions required to perform a task on an object:
Privilege | Includes Privileges | Permission | Description |
|---|
View Masking Rules | - | Read | User can view masking rules in the Test Data Manager. |
Manage Masking Rules | View Masking Rules | Write | User can perform the following actions on data masking rules in the Test Data Manager: - - Create masking rules.
- - Edit masking rules.
- - Delete masking rules.
- - View masking rules.
|
View Generation Rules | - | Read | User can view generation rules in the Test Data Manager. |
Manage Generation Rules | View Generation Rules | Write | User can perform the following actions on data generation rules in the Test Data Manager: - - Create generation rules.
- - Edit generation rules.
- - Delete generation rules.
- - View generation rules.
|
Data Generation Privilege Group
The privileges in the Data Generation privilege group determine the test data generation tasks that users can perform in the Test Data Manager.
The following table lists the privileges in the Data Generation privilege group and the permissions required to perform a task on an object:
Privilege | Includes Privileges | Permission | Description |
|---|
View Data Generation | - | Read | User can view data generation rule assignments in the Test Data Manager. |
Manage Data Generation | View Data Generation | Write | User can perform the following actions on data generation in the Test Data Manager: - - View data generation rule assignments
- - Add data generation rule assignments.
- - Delete data generation rule assignments.
- - Override data generation rule assignments.
|
Optional Privileges
Based on the tasks performed, you might need to assign additional privileges to some users.
Users can link TDM global objects with business terms from a business glossary. To create, edit, and delete links to business terms, users need Model Repository Service and Analyst Services privileges. Users must have at least read permission on the glossary or the specific business term that they access. You can configure permission from the Analyst Tool.
Users can view terms linked to any object they have view privileges on. To create, edit, or delete a link to an object, users must have Manage privilege on the object.
The following table lists the minimum Model Repository Service privileges that users need to perform asset linking tasks:
Privilege Group | Privileges |
|---|
Model Repository Service Administration | Access Analyst Access the Analyst Tool. |
The following table lists the minimum Analyst Service privileges that users need to perform asset linking tasks:
Privilege Group | Privileges |
|---|
Workspace Access | Glossary Workspace Access the glossary workspace within the Analyst Tool. |
Users must have access permission to the Analyst Service to view or edit linked business terms. Assign a user access permission from the Security view in Informatica Administrator. To assign multiple users or user groups access permission, select the service in the Domain Navigator of the Informatica Administrator. Select the Permissions view and edit direct permissions.
For information on assigning permission from Informatica Administrator, see the Informatica Administrator Guide.
Test Data Manager Service Custom Roles
The Test Data Manager Service custom roles include the Test Data Administrator, Test Data Developer, Test Data Project DBA, Test Data Project Developer, Test Data Project Owner, Test Data Risk Manager, and Test Data Specialist.
Test Data Administrator
The following table lists the default privileges assigned to the Test Data Administrator custom role:
Privilege Group | Privilege Name |
|---|
Projects | Audit Project |
Administration | - - View Connections
- - Manage Connections
|
Test Data Developer
The following table lists the default privileges assigned to the Test Data Developer custom role:
Privilege Group | Privilege Name |
|---|
Policies | - - View Policies
- - Manage Policies
|
Rules | - - View Masking Rules
- - Manage Masking Rules
- - View Generation Rules
|
Data Domains | - - View Data Domains
- - Manage Data Domains
|
Projects | Audit project |
Test Data Project DBA
The following table lists the default privileges assigned to the Test Data Project DBA custom role:
Privilege Group | Privilege Name |
|---|
Projects | - - View Project
- - Execute Project
- - Monitor Project
- - Audit Project
|
Administration | - - View Connections
- - Manage Connections
|
Test Data Project Developer
The following table lists the default privileges assigned to the Test Data Project Developer custom role:
Privilege Group | Privilege Name |
|---|
Policies | View Policies |
Rules | - - View Masking Rules
- - View Generation Rules
|
Data Domains | View Data Domains |
Projects | - - View Project
- - Discover Project
- - Execute Project
- - Monitor Project
- - Audit Project
- - Import Metadata
|
Data Masking | - - View Data Masking
- - Manage Data Masking
|
Data Subset | - - View Data Subset
- - Manage Data Subset
|
Data Generation | - - View Data Generation
- - Manage Data Generation
|
Administration | - - View Connections
- - Manage Connections
|
Test Data Project Owner
The following table lists the default privileges assigned to the Test Data Project Owner custom role:
Privilege Group | Privilege Name |
|---|
Policies | View Policies |
Rules | - - View Masking Rules
- - View Generation Rules
|
Data Domains | View Data Domains |
Projects | - - View Project
- - Manage Project
- - Discover Project
- - Execute Project
- - Monitor Project
- - Audit Project
- - Import Metadata
|
Data Masking | - - View Data Masking
- - Manage Data Masking
|
Data Subset | - - View Data Subset
- - Manage Data Subset
|
Data Generation | - - View Data Generation
- - Manage Data Generation
|
Administration | - - View Connections
- - Manage Connections
|
Test Data Risk Manager
The following table lists the default privileges assigned to the Test Data Risk Manager custom role:
Privilege Group | Privilege Name |
|---|
Policies | View Policies |
Rules | - - View Masking Rules
- - View Generation Rules
|
Data Domains | View Data Domains |
Projects | Audit project |
Test Data Specialist
The following table lists the default privileges assigned to the Test Data Specialist custom role:
Privilege Group | Privilege Name |
|---|
Policies | View Policies |
Rules | - - View Masking Rules
- - Manage Masking Rules
- - View Generation Rules
- - Manage Generation Rules
|
Data Domains | - - View Data Domains
- - Manage Data Domains
|
Projects | - - Manage Project
- - View Project
- - Discover Project
- - Execute Project
- - Monitor Project
- - Audit Project
- - Import Metadata
|
Data Masking | - - View Data Masking
- - Manage Data Masking
|
Data Subset | - - View Data Subset
- - Manage Data Subset
|
Data Generation | - - View Data Generation
- - Manage Data Generation
|
Administration | - - View Connections
- - Manage Connections
|
Note: If you have upgraded to Informatica service 9.6.1 HotFix 2 from Informatica service 9.6.1, a user with the Test Data Specialist role cannot create or delete data generation rules. The role does not include the Manage Data Generation privilege.
To enable users with this role to create and delete data generation rules, you must manually edit the role. Log in to the Administrator tool and edit the Test Data Manager service custom role to include the Manage Generation Rules privilege from the Rules privilege group.