References → Security Roles

About Security Roles

A user belongs to zero or more Groups, and a Group is assigned to zero or more Roles. Roles are immutable. You cannot create, edit, or delete a Role. Groups, Security Roles, and Users are managed in the Security Manager.

Security Model

Incorta's security model is optimistic, meaning that Incorta enforces the least restrictive role permissions and access rights. All users inherit the User role. A tenant administrator inherits the SuperRole by default. There is no direct way to assign a role to user. Instead, you can assign one or more Roles to a Group. A Group is a collection of zero or more users. You assign a user to one or more groups.

Role Based Access Control

Role Based Access Control (RBAC) enforces access to certain features and functionality within the Incorta Analytics Services. The Incorta Loader Services is not accessible. The Incorta Cluster Management console is a separate web interface, and is enabled for a single administrator user.

There is no direct way to assign a Role to a user, with two exceptions:

  • All users inherit the User role

  • A tenant administrator inherits the SuperRole role unless otherwise configured for the tenant

Role Descriptions

RoleRole TypeDescription
UserUser RoleCan view, favorite, apply filters, and create bookmarks in dashboards that are shared with them. Can hide the tab and filter bars when viewing a dashboard. The default role assigned to a user.
Privileged UserUser RoleCan share dashboards and folders, and publish dashboards via email and schedules.
Dashboard AnalyzerUser RoleCan personalize, share, and publish dashboards via email and schedules.
Individual AnalyzerUser RoleCan create and modify dashboards. Can personalize dashboards. Can create and modify folders. Can access Analyzer. Cannot share dashboards or folders.
Analyze UserUser RoleCan create and modify dashboards. Can personalize dashboards. Can create and modify folders. Can access Analyzer. Can share dashboards and folders, and publish dashboards via email and schedules.
Advanced Analyzer UserUser RoleCan create and modify dashboards. Can personalize dashboards. Can create and modify folders. Can access Analyzer. Can share dashboards and folders, and publish dashboards via email and schedules. Can use Augmented Analytics and Business Notebook. Can install SDK Components from marketplace.

Note: This role is available starting 2024.7.x. After upgrading to 2024.7.x, users who created business Notebooks in a previous release must be assigned this role to continue to have access to their business Notebooks.
Copilot UserUser RoleCan use Copilot and view shared dashboards and business schemas
This role is available starting 2024.7.2 and is required for any user who intends to interact with the Copilot capabilities in the different contexts. For example, a schema manager should be assigned this role as well to leverage Copilot's natural language to SQL capabilities when building materialized views while an Individual Analyzer requires it to leverage natural language to Insight capabilities.
Schema ManagerAdmin RoleCan create and modify schemas, business schemas, data connections and data destinations. Can load data. Can share schemas with other users and groups.
User ManagerAdmin RoleCan create and modify groups and users. Can add roles and users to groups.
SuperRoleSuper RoleHas full access to all permissions.
Note: Users with the SuperRole role or the Super User can view only dashboards and folders that they own or have access rights to.
Important

You can limit users with "User" or "Individual User" roles to not to download insights. You can do that by disabling the Download insights option found under Default Tenant Configurations > Security in the Cluster Management Console (CMC).

Role Permissions

There are four levels of permissions a Role might have for different content uses of Incorta. In descending order a Role can: Manage, Share, View, or have no permissions. Having a higher level of permission access grants the permission of the lower levels.

RoleCatalog (Content)SchemaSecurityData ConnectionData DestinationData CatalogData Flows
UserView
Privileged UserShare
Dashboard AnalyzerShareView
Individual AnalyzerManage*ViewViewViewView
Analyze UserManageViewViewViewView
Advanced Analyzer UserManageViewViewViewManage
Copilot UserViewView (Business Schema)
Schema ManagerManageManageManageEditManage
User ManagerManage
SuperRoleManageManageManageManageManageManageManage
Notes
  • Catalog refers to the Content tab in the Navigation bar.
  • The Individual Analyzer can manage the Catalog (Content), but cannot share.
  • Users with only the Advanced Analyzer User, Analyze User, or Individual Analyzer roles have limited access to the Business Schema Manager where they can view a list of business schemas shared with them without the need to be assigned the Schema Manager role. They can only open a shared business schema in the Business Schema Designer view mode, explore its data, export it, and view its description and sharing configurations.
  • There are additional areas that Advanced Analyzer User and SuperRole roles can manage. These areas include SDK Components, Business Notebooks, and Advanced Augmented Analytics.
  • Before 2024.7.x, the Analyze User role could manage Business Notebooks. However, starting 2024.7.x, this role is not sufficient to manage or access Business Notebooks.
Important: User Permissions

Permissions in Incorta are determined by a combination of assigned roles and access rights granted when sharing objects. Together, these factors define the functionalities and features available to users.

For example:

  • If a user, Joe, belongs only to a group with the User role, which only permits viewing access to the Catalog (Content Manager), and another user, Tom, grants Joe edit rights to a dashboard, Joe can only view the dashboard.
  • Similarly, if Joe belongs to a group with the Analyze User role, which allows users to manage the Catalog, and Tom grants Joe view access to a dashboard, Joe will be restricted to viewing the dashboard.

Role Content Access

RoleDashboard Create / ModifyPersonalize DashboardsManage FoldersShare / PublishAnalyzerSchedulerSchema / Bus SchemaDataSecurity
UserNoNoNoNoNoYes**NoNoNo
Privileged UserNoNoNoYesNoYes**NoNoNo
Dashboard AnalyzerNoYesNoYesNoYes**NoNoNo
Individual AnalyzerYesYesYesNoYesYes**NoNoNo
Analyze UserYesYesYesYesYesYes**NoNoNo
Advanced Analyzer UserYesYesYesYesYesYes**NoNoNo
Copilot UserNoNoNoNoNoYes**Yes (Business Schema only)NoNo
Schema ManagerNoNoNoNoNoYes**YesYesNo
User ManagerNoNoNoNoNoYes**NoNoYes
SuperRoleAllYesYesYesYesYesYesYesYes
Note on Scheduler access

** Only the SuperRole can see scheduled items. The Scheduler tab is active, but no schedules are shown even when the current user is the sharing target.

Role Exceptions

Several Roles have exceptions or variations of content access. Following are exceptions certain Roles may have.

RoleExceptions
Individual AnalyzerDashboard sharing control shown in listing view, but operation is denied. The Individual User can not delete dashboards or folders they do not own.
Analyze UserDashboards shared with the Analyze User have editing and advanced menu settings disabled. Note: The Analyze User can share with user groups without restriction.
Schema ManagerCan only see shared data sources, files, and destinations. Can load data into shared schemas only with edit permission. Can delete non-owned schema objects.