
About Security Roles

A user belongs to zero or more Groups, and a Group is assigned to zero or more Roles. Roles are immutable. You cannot create, edit, or delete a Role. Groups, Security Roles, and Users are managed in the Security Manager.

Security Model

Incorta's security model is optimistic, meaning that Incorta enforces the least restrictive role permissions and access rights. All users inherit the User role. A tenant administrator inherits the SuperRole by default. There is no direct way to assign a role to a user. Instead, you can assign one or more Roles to a Group. A Group is a collection of zero or more users. You assign a user to one or more groups.

Role Based Access Control

Role Based Access Control (RBAC) enforces access to certain features and functionality within the Incorta Analytics Services. The Incorta Loader Services is not accessible. The Incorta Cluster Management console is a separate web interface, and is enabled for a single administrator user.

There is no direct way to assign a Role to a user, with two exceptions:

  • All users inherit the User role

  • A tenant administrator inherits the SuperRole role unless otherwise configured for the tenant

Role Descriptions

| Role | Role Type | Description |
|---|---|---|
| User | User Role | Can view, favorite, apply filters, and create bookmarks in dashboards that are shared with them. Can hide the tab and filter bars when viewing a dashboard. The default role assigned to a user. |
| Privileged User | User Role | Can share dashboards and folders, and publish dashboards via email and schedules. |
| Dashboard Analyzer | User Role | Can personalize, share, and publish dashboards via email and schedules. |
| Individual Analyzer | User Role | Can create and modify dashboards. Can personalize dashboards. Can create and modify folders. Can access Analyzer. Cannot share dashboards or folders. |
| Analyze User | User Role | Can create and modify dashboards. Can personalize dashboards. Can create and modify folders. Can access Analyzer. Can share dashboards and folders, and publish dashboards via email and schedules. |
| Schema Manager | Admin Role | Can create and modify schemas, business schemas, data connections and data destinations. Can load data. Can share schemas with other users and groups. |
| User Manager | Admin Role | Can create and modify groups and users. Can add roles and users to groups. |
| SuperRole | Super Role | Has full access to all permissions. |

Note: Users with the SuperRole role or the Super User can view only dashboards and folders that they own or have access rights to.
Important

You can prevent users with the "User" or "Individual User" roles from downloading insights. To do so, disable the Download insights option found under Default Tenant Configurations > Security in the Cluster Management Console (CMC).

Role Permissions

There are four levels of permissions a Role might have for different content uses of Incorta. In descending order, a Role can Manage, Share, View, or have no permissions. A higher permission level includes the permissions of the lower levels.

Columns: Role, Catalog (Content), Schema, Security, Data Connection, Data Destination

User: View
Privileged User: Share
Dashboard Analyzer: Share
Individual Analyzer: Manage*, View, View
Analyze User: Manage, View, View
Schema Manager: Manage, Manage, Manage
User Manager: Manage
SuperRole: Manage, Manage, Manage, Manage, Manage

Note

Note that Catalog refers to the Content tab in the Navigation bar.

Note
  • The Individual Analyzer can manage the Catalog (Content), but cannot share.
Important

Starting with the 2021.4.3 release, users with only the Analyze User or Individual Analyzer roles will have limited access to the Business Schema Manager where they can view a list of business schemas shared with them without the need to be assigned the Schema Manager role. They can only open a shared business schema in the Business Schema Designer view mode, explore its data, export it, and view its description and sharing configurations.

Important: User Permissions

Permissions in Incorta are determined by a combination of assigned roles and access rights granted when sharing objects. Together, these factors define the functionalities and features available to users.

For example:

  • If a user, Joe, belongs only to a group with the User role, which only permits viewing access to the Catalog (Content Manager), and another user, Tom, grants Joe edit rights to a dashboard, Joe can only view the dashboard.
  • Similarly, if Joe belongs to a group with the Analyze User role, which allows users to manage the Catalog, and Tom grants Joe view access to a dashboard, Joe will be restricted to viewing the dashboard.
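
The two cases above, worked through as an added example (not Incorta code): the capabilities a user ends up with on a shared dashboard are the union of what their roles allow on the Catalog, limited by the access right granted on that dashboard. The access-right names (view, share, edit), what each one allows, and the group and user names are assumptions made for the illustration.

```python
# Added illustration of the permission model described on this page; not Incorta code.
VIEW, SHARE, EDIT = "view", "share", "edit"

# Catalog (Content) capabilities per role, read from the role tables on this page.
ROLE_CATALOG_CAPS = {
    "User": {VIEW},
    "Privileged User": {VIEW, SHARE},
    "Dashboard Analyzer": {VIEW, SHARE},
    "Individual Analyzer": {VIEW, EDIT},   # Manage*: can manage, cannot share
    "Analyze User": {VIEW, SHARE, EDIT},
    "Schema Manager": set(),               # no Catalog permission of its own
    "User Manager": set(),
    "SuperRole": {VIEW, SHARE, EDIT},
}

# Assumption: what each access right allows when an object is shared with a user.
ACCESS_RIGHT_CAPS = {
    "view": {VIEW},
    "share": {VIEW, SHARE},
    "edit": {VIEW, SHARE, EDIT},
}

def roles_for(user, user_groups, group_roles):
    """Roles reach a user only through groups; every user also inherits User."""
    roles = {"User"}
    for group in user_groups.get(user, ()):
        roles |= set(group_roles.get(group, ()))
    return roles

def effective_caps(user, access_right, user_groups, group_roles):
    """Union across roles (least restrictive), then limited by the access right."""
    role_caps = set()
    for role in roles_for(user, user_groups, group_roles):
        role_caps |= ROLE_CATALOG_CAPS[role]
    granted = ACCESS_RIGHT_CAPS.get(access_right, set())  # not shared: nothing
    return role_caps & granted

# Constructed sample data mirroring the Joe/Tom cases above.
GROUP_ROLES = {"viewers": ["User"], "analysts": ["Analyze User"],
               "solo": ["Individual Analyzer"]}
USER_GROUPS = {"joe": ["viewers"], "ann": ["analysts"], "sam": ["solo"]}

if __name__ == "__main__":
    for user, right in [("joe", "edit"), ("ann", "view"), ("sam", "share")]:
        caps = effective_caps(user, right, USER_GROUPS, GROUP_ROLES)
        print(f"{user}: granted {right!r} -> effective {sorted(caps)}")
```

A table like this is useful in access reviews: a group whose roles allow more than the access rights its members have actually been granted is a candidate for a narrower role.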

Role Content Access

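| Role | Dashboard Create / Modify | Personalize Dashboards | Manage Folders | Share / Publish | Analyzer | Scheduler | Schema / Bus Schema | Data | Security |
|---|---|---|---|---|---|---|---|---|---|
| User | No | No | No | No | No | Yes** | No | No | No |
| Privileged User | No | No | No | Yes | No | Yes** | No | No | No |
| Dashboard Analyzer | No | Yes | No | Yes | No | Yes** | No | No | No |
| Individual Analyzer | Yes | Yes | Yes | No | Yes | Yes** | No | No | No |
| Analyze User | Yes | Yes | Yes | Yes | Yes | Yes** | No | No | No |
| Schema Manager | No | No | No | No | No | Yes** | Yes | Yes | No |
| User Manager | No | No | No | No | No | Yes** | No | No | Yes |
| SuperRole | All | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
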
Note on Scheduler access

** Only the SuperRole can see scheduled items. The Scheduler tab is active, but no schedules are shown even when the current user is the sharing target.

Role Exceptions

Several Roles have exceptions or variations of content access. The following exceptions apply to certain Roles.

| Role | Exceptions |
|---|---|
| Individual Analyzer | Dashboard sharing control shown in listing view, but operation is denied. The Individual User can not delete dashboards or folders they do not own. |
| Analyze User | Dashboards shared with the Analyze User have editing and advanced menu settings disabled. Note: The Analyze User can share with user groups without restriction. |
| Schema Manager | Can only see shared data sources, files, and destinations. Can load data into shared schemas only with edit permission. Can delete non-owned schema objects. |