Oracle Integration Roles and Privileges

Roles define the privileges available to users and the tasks that they can perform. You can assign predefined roles to users to allow them to work with feature sets of Oracle Integration.

Oracle Integration Roles

Oracle Integration predefined roles govern access to various Oracle Integration features.

You can assign one or more of these predefined roles to Oracle Integration users and groups: ServiceAdministrator, ServiceDeveloper, ServiceMonitor, ServiceDeployer, ServiceUser, ServiceInvoker, and ServiceViewer. The following table lists the predefined roles available in Oracle Integration, and the general tasks that users assigned the roles can perform.

Oracle Integration | Description

ServiceAdministrator

A user with the ServiceAdministrator role is a super user who can manage and administer the features provisioned in an Oracle Integration instance.

ServiceDeveloper

A user with the ServiceDeveloper role can develop the artifacts specific to the features provisioned in an Oracle Integration instance. For example, in Integrations the user can create integrations, and in Processes the user can create process applications and decision models.

ServiceMonitor

A user with the ServiceMonitor role can monitor the features provisioned in an Oracle Integration instance. For example, the user can view instances and metrics, find out response times, and track whether instance creation completed successfully or failed.

This role provides privileges for users with limited knowledge of Oracle Integration, but with high-level knowledge of monitoring it. This user role does not grant permissions to change anything.

ServiceDeployer

A user with the ServiceDeployer role can publish the artifacts developed in a feature. In Stream Analytics, the user can publish draft pipelines (applies only to Oracle Integration Classic (user-managed)).

This role is not applicable for the Integrations feature.

ServiceUser

A user with the ServiceUser role has privileges to utilize only the basic functionality of a feature such as access to the staged and published applications.

For example, in Integrations the user can navigate to resource pages (such as integrations and connections) and view details, but can’t edit or modify anything. The user can also run integrations and start process applications.

ServiceInvoker

A user with the ServiceInvoker role can invoke any integration flow in an Oracle Integration instance that is exposed through SOAP/REST APIs or a scheduled integration. See Run an Integration Flow.

A user with the ServiceInvoker role cannot:

  • Navigate to the Oracle Integration user interface or perform any administrative actions in the user interface.

  • Invoke any of the documented Oracle Integration REST APIs. See About the REST APIs.

ServiceViewer

A user with the ServiceViewer role can navigate to all Integration resource pages (for example, integrations, connections, lookups, libraries, and so on) and view details. The user cannot edit any resources or navigate to the administrative setting pages.

In Oracle Integration, when you assign a role to a user, the user is granted that role for all Oracle Integration features provisioned on an instance. For example, when you assign the ServiceDeveloper role to a user for an instance provisioned with the Integrations, Processes, and Visual Builder feature set, the user gets developer permissions on each of these features. Further, each role grants different privileges for different features to the same user. Depending on the feature the user is accessing, the user can perform different tasks. For example, a user assigned the ServiceDeveloper role can develop process applications in Processes, whereas the same user can design integrations in Integrations. Note that not all Oracle Integration predefined roles are available in all features. For example, the ServiceMonitor role is not available in Visual Builder.

Note:

Applies only to Oracle Integration Classic (user-managed).

If a user is granted access to multiple service instances provisioned in the Oracle Integration environment, it is a best practice to grant the same role to the user in all the instances. For example, suppose you have provisioned Integrations and Integration Insight as two separate instances in your Oracle Integration environment. If you assign the ServiceAdministrator role to a user in the Integrations instance, then assign the same role to the user in the Integration Insight instance too.

WebLogic Server Roles for Oracle Integration

Oracle Integration is a PaaS-layered service. There are predefined roles for the PaaS layer that govern access to WebLogic Server.

Applies only to Oracle Integration Classic (user-managed).

The following table lists the predefined WebLogic Server roles available for Oracle Integration.

Oracle Integration | Description

Administrators

A user with the Administrators role can:

  • View the server configuration, including the encrypted value of some encrypted attributes

  • Modify the entire server configuration

  • Deploy Enterprise Applications and Web application, EJB, Java EE Connector, and Web Service modules

  • Start, resume, and stop servers

Deployers

A user with the Deployers role can:

  • View the server configuration, including some encrypted attributes related to deployment activities

  • Change startup and shutdown classes, Web applications, JDBC data pool connections, EJB, Java EE Connector, Web Service, and WebLogic Tuxedo Connector components. If applicable, edit deployment descriptors.

  • Access deployment operations in the Java EE Deployment Implementation (JSR-88)

Monitors

A user with the Monitors role can:

  • View the server configuration, except for encrypted attributes

  • Get read-only access to WebLogic Server Administration Console, WLST, and MBean APIs

Operators

A user with the Operators role can:

  • View the server configuration, except for encrypted attributes

  • Start, resume, and stop servers

What Users Can Do in the Navigation Pane by Role

The following table lists the options in the Integration navigation pane and indicates which options you can access based on your assigned role.

| Option | Service Administrator | Service Developer | Service Deployer | Service Monitor | Service User | Service Invoker | Service Viewer |
|---|---|---|---|---|---|---|---|
| Welcome | Yes | Yes | Yes | Yes | Yes | No | Yes |
| Home | Yes | Yes | Yes | Yes | Yes | No | Yes |
| My Tasks | Yes | Yes | Yes | Yes | Yes | No | No |
| Processes | Yes | Yes | Yes | No | No | No | No |
| Integrations | Yes | Yes | No. Can’t use any Monitoring, Designer, or Settings options. Note: User can click Integrations, but receives a “not authorized” message. | Yes. Can use all Monitoring options. Can’t use any Designer or Settings options. | Yes. Can use all Monitoring and Designer options. Can’t use any Settings options. | No | Yes |
| Visual Builder | Yes | Yes | Yes | No | No | No | No |
| Insight* | Yes | Yes | Yes | No. Can’t access any Insight features. Note: User can click Insight, but receives a “not authorized” message. | Yes | No | No |
| Streams* | Yes | Yes | Yes | Yes | Yes | No | No |
| Registration* | Yes | No | No | No | No | No | No |
| Settings | Yes | No | No | No | No | No | No |

* Applies only to Oracle Integration Classic (user-managed).

What Users Can Do on the Home Page by Role

The following table lists the tiles, sections, and buttons on the Oracle Integration Home page and indicates what you can access based on your assigned role.

| Home Page Element | Service Administrator | Service Developer | Service Deployer | Service Monitor | Service User |
|---|---|---|---|---|---|
| My Tasks | Yes | Yes | Yes | Yes | Yes |
| Integrations | Yes | Yes | No | Yes | No |
| Connections | Yes | Yes | No | Yes | No |
| Visual Applications | Yes | Yes | Yes | No | No |
| Insight* | Yes | Yes | Yes | No | Yes |
| Recents | Yes | Yes | Yes | No | No |
| Actions | Yes | Yes | Yes | Yes | Yes |
| Processes: Create Applications | Yes | Yes | Yes | No | No |
| Processes: Use Quickstart | Yes | Yes | Yes | No | No |
| Integrations: Create Connections | Yes | Yes | No | No | No |
| Integrations: Create Integrations | Yes | Yes | No | No | No |
| Insight: View Dashboards* | Yes | Yes | No. Note: User can click View Dashboards, but receives a “not authorized” error message. | No | Yes |
| Insight: Create a Model* | Yes | Yes | Yes | No | No |
| Streams: Go to Catalog* | Yes | Yes | Yes | Yes | Yes |
| Insight Models* | Yes | Yes | Yes | No | Yes |
| Monitor Current Tasks | Yes | Yes | Yes | No | No |
| Monitor Process Health: Tracking | Yes | Yes | Yes | No | No |
| Monitor Process Health: Dashboard | Yes | No | No | No | No |
| Monitor Integrations Health | Yes | Yes | No | Yes | No |

* Applies only to Oracle Integration Classic (user-managed).

What Users Can Do in Integrations by Role

The following tables list Oracle Integration predefined roles available in the Integrations feature, and the tasks users granted those roles can perform.

Note:

The ServiceDeployer role is not applicable in Integrations.

Administration

| Action | ServiceAdministrator | ServiceDeveloper | ServiceMonitor | ServiceUser | ServiceInvoker | ServiceViewer |
|---|---|---|---|---|---|---|
| Send service failure alerts, system status reports, and integration error reports | Yes | No | No | No | No | No |
| Set logging levels | Yes | No | No | No | No | No |
| Upload certificates | Yes | No | No | No | No | No |
| Manage database space | Yes | No | No | No | No | No |
| Manage database purge | Yes | No | No | No | No | No |
| Recommend fields to map when designing an integration | Yes | No | No | No | No | No |
| Enable tracing on all or individual integrations | Yes | No | No | No | No | No |

Connections

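| Action | ServiceAdministrator | ServiceDeveloper | ServiceMonitor | ServiceUser | ServiceInvoker | ServiceViewer |
|---|---|---|---|---|---|---|
| Create | Yes | Yes | No | No | No | No |
| Edit | Yes | Yes | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No |
| View | Yes | Yes | No | Yes | No | Yes |
| Test | Yes | Yes | No | No | No | No |
| Clone | Yes | Yes | No | No | No | No |
| Configure adapter properties | Yes | Yes | No | No | No | No |
| Create agents | Yes | Yes | No | No | No | No |
| Download agent | Yes | Yes | No | Yes | No | |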

Integrations

| Action | ServiceAdministrator | ServiceDeveloper | ServiceMonitor | ServiceUser | ServiceInvoker | ServiceViewer |
|---|---|---|---|---|---|---|
| Create | Yes | Yes | No | No | No | No |
| Create new version | Yes | Yes | No | No | No | No |
| View | Yes | Yes | No | Yes | No | Yes |
| Edit | Yes | Yes | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No |
| Activate | Yes | Yes | No | No | No | No |
| Deactivate | Yes | Yes | No | No | No | No |
| Clone | Yes | Yes | No | No | No | No |
| Download Artifacts | Yes | Yes | No | Yes | No | No |
| Manage Tracing | Yes | No | No | No | No | No |
| Run | Yes | Yes | No | Yes | Yes | No |
| Monitor | Yes | Yes | Yes | No | No | Yes |
| View Metrics | Yes | Yes | Yes | No | No | Yes |
| Import | Yes | Yes | No | No | No | No |
| Export | Yes | Yes | No | Yes | No | No |
| Regenerate endpoints | Yes | Yes | No | No | No | No |
| Publish to API Platform Cloud Service | Yes | No | No | No | No | No |
| Register libraries | Yes | Yes | No | No | No | No |
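One way to use the Integrations table above in an access review, as an added example that is not Oracle code: it ranks the roles that cover a set of needed actions from narrowest to broadest and flags assignments that are too broad or too narrow. MATRIX copies ten rows of that table; the user names and needed-action sets are constructed sample data.

```python
ROLES = ["ServiceAdministrator", "ServiceDeveloper", "ServiceMonitor",
         "ServiceUser", "ServiceInvoker", "ServiceViewer"]

# Ten rows of the Integrations table on this page; one Y/N flag per role,
# in ROLES order.
MATRIX = {
    "Create":             "YYNNNN",
    "View":               "YYNYNY",
    "Edit":               "YYNNNN",
    "Activate":           "YYNNNN",
    "Download Artifacts": "YYNYNN",
    "Manage Tracing":     "YNNNNN",
    "Run":                "YYNYYN",
    "Monitor":            "YYYNNY",
    "View Metrics":       "YYYNNY",
    "Export":             "YYNYNN",
}

def grants(role):
    """Set of actions (within MATRIX) that the role allows."""
    col = ROLES.index(role)
    return {action for action, flags in MATRIX.items() if flags[col] == "Y"}

def least_privileged(needed):
    """Roles that allow every needed action, narrowest grant first."""
    needed = set(needed)
    unknown = needed - MATRIX.keys()
    if unknown:
        raise KeyError(f"actions not in matrix: {sorted(unknown)}")
    fits = [r for r in ROLES if needed <= grants(r)]
    return sorted(fits, key=lambda r: (len(grants(r)), r))

def audit(assignments):
    """assignments: {user: (role, needed actions)} -> list of findings."""
    findings = []
    for user, (role, needed) in sorted(assignments.items()):
        options = least_privileged(needed)
        best = options[0] if options else None
        if role not in options:
            findings.append((user, role, "insufficient", best))
        elif len(grants(best)) < len(grants(role)):
            findings.append((user, role, "over-privileged", best))
    return findings

# Constructed sample assignments (hypothetical users).
SAMPLE = {
    "ci-bot":  ("ServiceDeveloper", {"Run"}),
    "noc":     ("ServiceMonitor", {"Monitor", "View Metrics"}),
    "support": ("ServiceViewer", {"View", "Export"}),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The ranking covers only the Integrations feature; because a role applies to every feature provisioned on the instance, check the candidate role against the other tables on this page before assigning it.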

Lookups

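| Action | ServiceAdministrator | ServiceDeveloper | ServiceMonitor | ServiceUser | ServiceInvoker | ServiceViewer |
|---|---|---|---|---|---|---|
| Create | Yes | Yes | No | No | No | No |
| View | Yes | Yes | No | Yes | No | Yes |
| Edit | Yes | Yes | No | No | No | No |
| Clone | Yes | Yes | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No |
| Export | Yes | Yes | No | No | No | No |
| Import | Yes | Yes | No | No | No | No |
| View Metrics | Yes | Yes | Yes | No | No | Yes |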

Mappings

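| Action | ServiceAdministrator | ServiceDeveloper | ServiceMonitor | ServiceUser | ServiceInvoker | ServiceViewer |
|---|---|---|---|---|---|---|
| Create | Yes | Yes | No | No | No | No |
| View | Yes | Yes | No | Yes | No | Yes |
| Edit | Yes | Yes | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No |
| Import | Yes | Yes | No | No | No | No |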

Packages

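| Action | ServiceAdministrator | ServiceDeveloper | ServiceMonitor | ServiceUser | ServiceInvoker | ServiceViewer |
|---|---|---|---|---|---|---|
| View | Yes | Yes | No | Yes | No | Yes |
| Import | Yes | Yes | No | No | No | No |
| Export | Yes | Yes | No | No | No | No |
| Update | Yes | Yes | No | No | No | No |
| Delete | Yes | Yes | No | No | No | No |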

Monitoring

| Action | ServiceAdministrator | ServiceDeveloper | ServiceMonitor | ServiceUser | ServiceInvoker | ServiceViewer |
|---|---|---|---|---|---|---|
| Download diagnostic logs | Yes | Yes | No | No | No | No |
| View specific error details | Yes | Yes | Yes | No | No | Yes |
| Resubmit failed messages | Yes | Yes | Yes | No | No | No |
| Discard errors | Yes | Yes | Yes | No | No | No |
| View message recovery status | Yes | No | Yes | No | No | Yes |
| View integration instance audit trails | Yes | No | Yes | No | No | Yes |
| View integration instance business identifiers | Yes | Yes | Yes | No | No | Yes |
| View integration instance message payloads | Yes | Yes | Yes | No | No | Yes |
| View scheduled integration runs | Yes | No | Yes | No | No | Yes |
| View integration health (successful, total, failed messages) | Yes | Yes | Yes | No | No | Yes |
| View the activity stream | Yes | Yes | Yes | No | No | Yes |
| Download the activity stream | Yes | Yes | Yes | No | No | No |
| Download incident reports | Yes | Yes | Yes | No | No | No |
| View overall system health status | Yes | Yes | Yes | No | No | Yes |
| Download database purge log | Yes | Yes | Yes | No | No | No |
| View file system capacity | Yes | Yes | Yes | No | No | Yes |
| View purge status | Yes | Yes | Yes | No | No | Yes |
| View database space usage | Yes | Yes | Yes | No | No | Yes |
| View design-time metrics (total integrations, connections, lookups, etc.) | Yes | Yes | Yes | No | No | Yes |
| Monitor integration status | Yes | Yes | Yes | No | No | Yes |
| Monitor agent status | Yes | Yes | Yes | No | No | Yes |

What Users Can Do in Processes by Role

The following table lists the Oracle Integration predefined roles available in Processes, and the tasks users granted those roles can perform. Note that in Processes, the ServiceMonitor role and the ServiceUser role have the same privileges. In addition to these predefined roles, there is a set of roles defined for each process application. Service administrators are responsible for assigning process-specific roles to users.

| Option | Actions | Service Administrator | Service Developer | Service Deployer | ServiceMonitor and ServiceUser |
|---|---|---|---|---|---|
| My Tasks | Access Workspace (runtime), initiate requests (start applications), work on your assigned tasks, and track the status of processes | Yes | Yes | Yes | Yes |
| My Tasks | Monitor dashboards | Yes | Yes | Yes | Yes |
| Applications | Perform all actions to develop and manage process applications and their components, except restrictions on activating | Yes | Yes | Yes | No |
| Applications | Activate process applications to a test partition | Yes | Yes | Yes | No |
| Applications | Activate process applications to a production partition | Yes | No | No | No |
| Spaces | View your spaces and the spaces shared with you, and create, edit, share, and delete your spaces | Yes | Yes | Yes | No |
| Spaces | Administer any space (check status, control permissions, and delete) | Yes | No | No | No |
| Management | Manage process applications (activate to production partition, retire, deactivate, shut down, and manage web services) | Yes | No | No | No |
| Administration (runtime) | Configure connections to other services, configure process runtime and logger settings, schedule archive and purge, configure UI custom settings, assign and manage roles specific to process applications, manage credentials and certificates, and view notification logs | Yes | No | No | No |
| Settings (design-time) | Administer any space (check status, control permissions, delete), administer any process application (delete, unlock), delete QuickStart Apps from the gallery, enable the application player, and use the Import utility | Yes | No | No | No |

What Users Can Do in Visual Builder by Role

The following table lists Oracle Integration predefined roles available in Visual Builder, and the tasks that users granted those roles can perform.

Oracle Integration Role | Tasks Users Can Perform in Visual Builder

ServiceAdministrator

A user with the ServiceAdministrator role can:

  • Use the visual design tool

  • Create, manage, and change the owners of applications

  • Create associations with other services

  • Configure security options for applications in an instance

  • Specify error messages for Access Denied pages

ServiceDeveloper

A user with the ServiceDeveloper role can:

  • Use the visual design tool

  • Create, manage, secure, and publish web and mobile applications

  • Design pages, work with business objects, build and test applications

ServiceMonitor

The ServiceMonitor role is not applicable in Visual Builder.

ServiceDeployer

The ServiceDeployer role is not applicable in Visual Builder.

ServiceUser

A user with the role of ServiceUser can only access staged and published applications. The default permission is enforced only when the service administrator adjusts security settings for the entire service instance to restrict all access to runtime applications to the users granted the ServiceUser role.

What Users Can Do in Integration Insight and Stream Analytics by Role

Applies only to Oracle Integration Classic (user-managed).

The following table lists the privileges provided by Oracle Integration predefined roles in Integration Insight and Stream Analytics.

Oracle Integration Predefined Role | Tasks Users Can Perform in Integration Insight | Tasks Users Can Perform in Stream Analytics

ServiceAdministrator

In Integration Insight, a user with the ServiceAdministrator role can:

  • Create models, and has access to all other models

  • Create connections to other Oracle Integration features

  • Import and export models

Additionally, the user can perform all the tasks that users with the ServiceDeveloper, ServiceDeployer, and ServiceUser roles can perform.

In Stream Analytics, a user with the ServiceAdministrator role can:

  • Configure Spark and Kafka for Stream Analytics

  • Create Kafka and database connections

ServiceMonitor

The ServiceMonitor role is not applicable in Integration Insight.

The ServiceMonitor role is not applicable in Stream Analytics.

ServiceDeveloper

In Integration Insight, a user with the ServiceDeveloper role can:

  • Create, import, and export models

  • Create milestones and indicators using business language

  • Define mapping of milestones to the appropriate location in implementation and extraction of indicators

  • Use the Events REST API

In Stream Analytics, a user with the ServiceDeveloper role can:

  • Create streams using Kafka connections

  • Create references using database connections

  • Create manual GeoFences or database-based GeoFences

  • Create draft pipelines

ServiceDeployer

In Integration Insight, a user with the ServiceDeployer role can:

  • Export models

  • Create milestones and indicators using business language

  • Define mapping of the milestones to the appropriate location in implementation and extraction of indicators

  • Use the Events REST API

In Stream Analytics, a user with the ServiceDeployer role can:

  • Publish draft pipelines to the Spark cluster

ServiceUser

In Integration Insight, a user with the ServiceUser role has access to dashboards, and has permissions to create, view, and edit dashboards. The user can also use the Events REST API.

In Stream Analytics, a user with the ServiceUser role can view connections, streams, applications, targets, references, GeoFences, patterns, and all other resources. These users can’t create, edit, or delete resources.