1. On-premises 5.1
  2. Guides
    1. Start
    2. Administer
    3. Analyze
    4. Configure
    5. Deploy
    6. Install
    7. Migrate
    8. Secure
      1. Incorta Security Guide
      2. Secure Communication and Data
      3. Secure Access
      4. Secure Objects and Business Data
        1. Security Roles
        2. Reset Superuser Password
        3. Set Read-only Schema Access
        4. Runtime Security Filter
        5. Session Variables
        6. SOX Compliance
    9. Upgrade
    10. Content Manager
  3. Tours
  4. Concepts
  5. Tools
  6. References
    1. Apache Spark
    2. Connectors
    3. Built-in Functions
    4. Incorta Connector SDK
    5. Security
      1. Client credentials for a Google APIs project
      2. Enable Zookeeper SSL
      3. Enable MySQL SSL
      4. HTTPS for Apache Tomcat with OpenSSL
      5. OAuth for Box
      6. OAuth for Dropbox
      7. OAuth for Google API
      8. OAuth for Microsoft Azure Gen1
      9. OAuth for OneDrive
      10. OAuth for Sharepoint
      11. OAuth for Smartsheet
      12. Security Roles
    6. Visualizations
    7. Other
  7. Integrations
  8. Data applications
  9. Releases

References → Security Roles

About Security Roles

A user belongs to zero or more Groups, and a Group is assigned to zero or more Roles. Roles are immutable. You cannot create, edit, or delete a Role. Groups, Security Roles, and Users are managed in the Security Manager.

Security Model

Incorta's security model is optimistic, meaning that Incorta enforces the least restrictive role permissions and access rights. All users inherit the User role. A tenant administrator inherits the SuperRole by default. There is no direct way to assign a role to user. Instead, you can assign one or more Roles to a Group. A Group is a collection of zero or more users. You assign a user to one or more groups.

Role Based Access Control

Role Based Access Control (RBAC) enforces access to certain features and functionality within the Incorta Analytics Services. The Incorta Loader Services is not accessible. The Incorta Cluster Management console is a separate web interface, and is enabled for a single administrator user.

There is no direct way to assign a Role to a user, with two exceptions:

  • All users inherit the User role

  • A tenant administrator inherits the SuperRole role unless otherwise configured for the tenant

Role Descriptions

RoleRole TypeDescription
UserUser RoleCan view, favorite, apply filters, and create bookmarks in dashboards that are shared with them. Can hide the tab and filter bars when viewing a dashboard. The default role assigned to a user.
Privileged UserUser RoleCan share dashboards and folders, and publish dashboards via email and schedules.
Dashboard AnalyzerUser RoleCan personalize, share, and publish dashboards via email and schedules.
Individual AnalyzerUser RoleCan create and modify dashboards. Can personalize dashboards. Can create and modify folders. Can access Analyzer. Cannot share dashboards or folders.
Analyze UserUser RoleCan create and modify dashboards. Can personalize dashboards. Can create and modify folders. Can access Analyzer. Can share dashboards and folders, and publish dashboards via email and schedules.
Schema ManagerAdmin RoleCan create and modify schemas, business schemas, data connections and data destinations. Can load data. Can share schemas with other users and groups.
User ManagerAdmin RoleCan create and modify groups and users. Can add roles and users to groups.
SuperRoleSuper RoleHas full access to all permissions.
Note: Users with the SuperRole role or the Super User can view only dashboards and folders that they own or have access rights to.

Role Permissions

There are four levels of permissions a Role might have for different content uses of Incorta. In descending order a Role can: Manage, Share, View, or have no permissions. Having a higher level of permission access grants the permission of the lower levels.

RoleCatalog (Content)SchemaSecurityData ConnectionData Destination
UserView
Privileged UserShare
Dashboard AnalyzerShare
Individual AnalyzerManage*ViewView
Analyze UserManageViewView
Schema ManagerManageManageManage
User ManagerManage
SuperRoleManageManageManageManageManage
Note

Note that Catalog refers to the Content tab in the Navigation bar.

Note

* The Individual Analyzer can manage the Catalog (Content), but can not share.

Role Content Access

RoleDashboard Create / ModifyPersonalize DashboardsManage FoldersShare / PublishAnalyzerSchedulerSchema / Bus SchemaDataSecurity
UserNoNoNoNoNoYes**NoNoNo
Privileged UserNoNoNoYesNoYes**NoNoNo
Dashboard AnalyzerNoYesNoYesNoYes**NoNoNo
Individual AnalyzerYesYesYesNoYesYes**NoNoNo
Analyze UserYesYesYesYesYesYes**NoNoNo
Schema ManagerNoNoNoNoNoYes**YesYesNo
User ManagerNoNoNoNoNoYes**NoNoYes
SuperRoleAllYesYesYesYesYesYesYesYes
Note on Scheduler access

** Only the SuperRole can see scheduled items. The Scheduler tab is active, but no schedules are shown even when the current user is the sharing target.

Role Exceptions

Several Roles have exceptions or variations of content access. Following are excpetions certain Roles may have.

RoleExceptions
Individual AnalyzerDashboard sharing control shown in listing view, but operation is denied. The Individual User can not delete dashboards or folders they do not own.
Analyze UserDashboards shared with the Analyze User have editing and advanced menu settings disabled. Note: The Analyze User can share with user groups without restriction.
Schema ManagerCan only see shared data sources, files, and destinations. Can load data into shared schemas only with edit permission. Can delete non-owned schema objects.