References → Security Roles
About Security Roles
A user belongs to zero or more Groups, and a Group is assigned to zero or more Roles. Roles are immutable. You cannot create, edit, or delete a Role. Groups, Security Roles, and Users are managed in the Security Manager.
Security Model
Incorta's security model is optimistic, meaning that Incorta enforces the least restrictive role permissions and access rights. All users inherit the User role. A tenant administrator inherits the SuperRole by default. There is no direct way to assign a role to user. Instead, you can assign one or more Roles to a Group. A Group is a collection of zero or more users. You assign a user to one or more groups.
Role Based Access Control
Role Based Access Control (RBAC) enforces access to certain features and functionality within the Incorta Analytics Services. The Incorta Loader Services is not accessible. The Incorta Cluster Management console is a separate web interface, and is enabled for a single administrator user.
There is no direct way to assign a Role to a user, with two exceptions:
All users inherit the User role
A tenant administrator inherits the SuperRole role unless otherwise configured for the tenant
Role Descriptions
| Role | Role Type | Description |
|---|---|---|
| User | User Role | Can view, favorite, apply filters, and create bookmarks in dashboards that are shared with them. Can hide the tab and filter bars when viewing a dashboard. The default role assigned to a user. |
| Privileged User | User Role | Can share dashboards and folders, and publish dashboards via email and schedules. |
| Dashboard Analyzer | User Role | Can personalize, share, and publish dashboards via email and schedules. |
| Individual Analyzer | User Role | Can create and modify dashboards. Can personalize dashboards. Can create and modify folders. Can access Analyzer. Cannot share dashboards or folders. |
| Analyze User | User Role | Can create and modify dashboards. Can personalize dashboards. Can create and modify folders. Can access Analyzer. Can share dashboards and folders, and publish dashboards via email and schedules. |
| Schema Manager | Admin Role | Can create and modify schemas, business schemas, data connections and data destinations. Can load data. Can share schemas with other users and groups. |
| User Manager | Admin Role | Can create and modify groups and users. Can add roles and users to groups. |
| SuperRole | Super Role | Has full access to all permissions. Note: Users with the SuperRole role or the Super User can view only dashboards and folders that they own or have access rights to. |
You can limit users with "User" or "Individual User" roles to not to download insights. You can do that by disabling the Download insights option found under Default Tenant Configurations > Security in the Cluster Management Console (CMC).
Role Permissions
There are four levels of permissions a Role might have for different content uses of Incorta. In descending order a Role can: Manage, Share, View, or have no permissions. Having a higher level of permission access grants the permission of the lower levels.
| Role | Catalog (Content) | Schema | Security | Data Connection | Data Destination |
|---|---|---|---|---|---|
| User | View | ||||
| Privileged User | Share | ||||
| Dashboard Analyzer | Share | ||||
| Individual Analyzer | Manage* | View | View | ||
| Analyze User | Manage | View | View | ||
| Schema Manager | Manage | Manage | Manage | ||
| User Manager | Manage | ||||
| SuperRole | Manage | Manage | Manage | Manage | Manage |
Note that Catalog refers to the Content tab in the Navigation bar.
* The Individual Analyzer can manage the Catalog (Content), but can not share.
Starting with the 2021.4.3 release, users with only the Analyze User or Individual Analyzer roles will have limited access to the Business Schema Manager where they can view a list of business schemas shared with them without the need to be assigned the Schema Manager role. They can only open a shared business schema in the Business Schema Designer view mode, explore its data, export it, and view its description and sharing configurations.
Role Content Access
| Role | Dashboard Create / Modify | Personalize Dashboards | Manage Folders | Share / Publish | Analyzer | Scheduler | Schema / Bus Schema | Data | Security |
|---|---|---|---|---|---|---|---|---|---|
| User | No | No | No | No | No | Yes** | No | No | No |
| Privileged User | No | No | No | Yes | No | Yes** | No | No | No |
| Dashboard Analyzer | No | Yes | No | Yes | No | Yes** | No | No | No |
| Individual Analyzer | Yes | Yes | Yes | No | Yes | Yes** | No | No | No |
| Analyze User | Yes | Yes | Yes | Yes | Yes | Yes** | No | No | No |
| Schema Manager | No | No | No | No | No | Yes** | Yes | Yes | No |
| User Manager | No | No | No | No | No | Yes** | No | No | Yes |
| SuperRole | All | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
** Only the SuperRole can see scheduled items. The Scheduler tab is active, but no schedules are shown even when the current user is the sharing target.
Role Exceptions
Several Roles have exceptions or variations of content access. Following are exceptions certain Roles may have.
| Role | Exceptions |
|---|---|
| Individual Analyzer | Dashboard sharing control shown in listing view, but operation is denied. The Individual User can not delete dashboards or folders they do not own. |
| Analyze User | Dashboards shared with the Analyze User have editing and advanced menu settings disabled. Note: The Analyze User can share with user groups without restriction. |
| Schema Manager | Can only see shared data sources, files, and destinations. Can load data into shared schemas only with edit permission. Can delete non-owned schema objects. |