6 Managing Object Access Groups

Object access groups in Oracle Data Relationship Management determine which metadata objects users have access to, including exports, books, imports, blenders, compares, queries, version variables, and external connections.

Table 6-1 Types of Object Access Groups

| Object Access Group Type | Description | Permissions |
|---|---|---|
| User | Each user has a core object access group for their personal metadata objects. | A user has Run and Manage permissions to their own object access group. |
| Standard | A core object access group named Standard is available for all public objects. | All users have implicit Run permission to objects in the Standard object access group. Only users with Manage Standard [Object] role permissions have Manage permission for the Standard object access group. |
| System | A core object access group named System is available for all system operation/integration objects. | Only users with Data Manager or Application Administrator roles have Manage permission for the System object access group. |
| Custom | Custom object access groups | Only users with Access Manager role can create, edit, or delete custom object access groups. Users with Run permission may execute objects in the group. |

Custom object access groups provide a specific group of users access to a subset of user metadata objects – queries, compares, imports, blenders, exports, and books. Object access groups define a list of users and node access groups and set the permission level (Run or Manage) for each user and node access group. Metadata objects are assigned to object access groups at the time they are created, and they may subsequently be copied or moved to a different group.

  • Run: Users can run objects in the group but cannot edit and save changes to the objects.

  • Manage: Users can create, edit, or delete objects in the group and run them.

Guidelines for using object access groups are:

  • Users can be members of an object access group either directly or through their node access group assignments. Only one of the two is required.

  • Users and node access groups may be assigned to more than one object access group.

  • Each user in the object access group is assigned either Manage or Run permission.

  • A user's permission assignment in the object access group may override the user's role security. For example, a user with the Interactive User role and Manage permission in an object access group may create or modify objects within that object access group.

  • Core object access groups such as User, Standard, and System are managed implicitly based on user existence and their role assignments.

  • When saving or copying a user metadata object, the user must assign the object to an object access group for which that user has Manage permission.

  • A user metadata object may be assigned to only one object access group.

  • Data Manager role users have implicit Manage permission to the core Standard object access group and may be explicitly assigned to a custom object access group.

  • Application Administrator role users have implicit Manage permission for all standard, system, and custom object access groups. These users require the ability to migrate metadata objects for any object access group.
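
The permission rules in Table 6-1 and the guidelines above can be modelled to review who effectively holds Manage on each group. The following Python is an added example, not Oracle code or a Data Relationship Management API; the class and function names and the sample users and groups are constructed, and it assumes that the highest grant wins when a user is assigned both directly and through a node access group.

```python
from dataclasses import dataclass, field

RUN, MANAGE = 1, 2                      # ordered: Manage includes Run
LABEL = (None, "Run", "Manage")         # indexed by permission level

@dataclass
class User:
    name: str
    roles: set
    node_access_groups: set = field(default_factory=set)
    manage_standard: bool = False       # holds a "Manage Standard [Object]" role permission

@dataclass
class Group:
    name: str
    kind: str                           # "User", "Standard", "System" or "Custom"
    owner: str = ""                     # set only for kind "User"
    users: dict = field(default_factory=dict)        # user name -> RUN or MANAGE
    node_groups: dict = field(default_factory=dict)  # node access group -> RUN or MANAGE

def effective_permission(user, group):
    """Return "Manage", "Run" or None for one user on one object access group."""
    admin = "Application Administrator" in user.roles
    data_manager = "Data Manager" in user.roles
    if group.kind == "User":            # personal group: only the owner's grant is modelled
        return "Manage" if group.owner == user.name else None
    if group.kind == "Standard":        # implicit Run for everyone
        return "Manage" if admin or data_manager or user.manage_standard else "Run"
    if group.kind == "System":          # only the Manage grant is stated on the page
        return "Manage" if admin or data_manager else None
    if admin:                           # custom group: implicit Manage
        return "Manage"
    levels = [group.users.get(user.name, 0)]
    levels += [group.node_groups.get(n, 0) for n in user.node_access_groups]
    return LABEL[max(levels)]           # assumption: the highest grant wins

def role_overrides(users, groups):
    """(user, group) pairs where an Interactive User holds Manage on a custom group."""
    return [(u.name, g.name) for u in users for g in groups if g.kind == "Custom"
            and "Interactive User" in u.roles and effective_permission(u, g) == "Manage"]

# Constructed sample data (all names are made up)
USERS = [User("alice", {"Interactive User"}, {"FinanceNodes"}),
         User("bob", {"Interactive User"}),
         User("carol", {"Data Manager"})]
GROUPS = [Group("alice", "User", owner="alice"),
          Group("Standard", "Standard"), Group("System", "System"),
          Group("FinanceExports", "Custom", users={"bob": RUN},
                node_groups={"FinanceNodes": MANAGE})]
```

Running `role_overrides(USERS, GROUPS)` lists the assignments where group membership, here inherited through a node access group, grants edit rights that the user's role alone would not.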