Inclusive and Additive Permissions

Permission levels are either inclusive (higher level permissions include all of the permissions of the lower levels), or additive (the permission grants additional access without being included in other permission levels).

Inclusive Permissions

There are three inclusive permission levels that you can assign to data objects:

  • Owner (includes all Inclusive and Additive permissions)
  • Data Manager
  • Participant

    Note:

    The Participant permission automatically grants Read data access to a data chain object. You can modify the permission to grant Write data access to data chain objects by selecting the allowed actions and property access for that object. See Configuring Data Access.

When you assign a higher level permission (such as Owner) to a user or group, that grant includes all of the lower level permissions (Data Manager, Participant (Write), and Participant (Read)). You do not need to assign a user or group multiple permissions on the same data object.

Applications and dimensions support all inclusive permission levels, while hierarchy sets and node types support the Participant permissions only. You can assign multiple permission levels (such as Participant and Metadata Manager) to applications and dimensions. See Combining Permissions.

You can further refine the Participant permission by specifying data access to a hierarchy set or node type. See Configuring Data Access.

Additive Permissions

Additive permissions provide more granular access to applications and data chain objects. They can be assigned by themselves or on top of an inclusive permission.

The only additive permission is Metadata Manager. It can be assigned at the application or dimension level, and it allows users to create, edit, and delete all metadata objects in an application or dimension, including node types, hierarchy sets, converters, custom validations, permissions, and policies.

Note:

Metadata Manager permission does not give a user access to create or delete applications.

Metadata Manager permission does not give access to data. Users with this permission must be assigned one of the inclusive permission levels (such as Participant (Read)) in order to view data.

The following graphic illustrates how the inclusive and additive permission levels work. The three inclusive permissions build on each other, with Participant (Write) including the access of Participant (Read), and Data Manager including the access of Participant (Write). Metadata Manager is additive, so it does not include any of the lower level permissions. Owner includes all of the access in both types of permission levels, plus the ability to delete applications.


Graphic lists permission levels described above

The following table displays some commonly performed tasks and the permission level needed to perform them:


This image displays permissions that are also listed in the security example topics.

Combining Permissions

You can combine inclusive and additive permissions to provide a finer level of control over a user's access. Some of the combinations include:

  • Data Manager plus Metadata Manager: This combination provides a user access to perform most tasks around both data and metadata (such as creating, updating, and deleting data chain objects, creating and running public extracts, and running imports and exports) but does not allow a user to delete an application.
  • Participant (Read) plus Metadata Manager: This combination grants data access to a metadata manager so that they can browse and validate data in viewpoints. This lets them, for example, ensure that the expressions that they create are working as intended.
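The rules above (inclusive levels imply every lower level, Metadata Manager adds metadata rights without implying any data access, Owner includes everything, and hierarchy sets and node types accept only Participant grants) can be checked mechanically. The following resolver is an added illustration written for this page; it is not Oracle's code or API. The `Level` enum, the right names (`read_data`, `manage_data`, and so on), and the object-type names are assumptions of this example; the relationships they encode are the ones stated in the text.

```python
"""Effective-permission resolver for the inclusive/additive model.

Added illustration, not Oracle's code or API. Right names, the Level enum
and the object-type names are assumptions of this example; the rules they
encode (inclusive levels imply lower levels, Metadata Manager is additive and
grants no data access, Owner includes everything, hierarchy sets and node
types take only Participant grants) come from the text of the page.
"""
from enum import IntEnum


class Level(IntEnum):
    """Inclusive levels; a higher value includes every lower one."""
    NONE = 0
    PARTICIPANT_READ = 1
    PARTICIPANT_WRITE = 2   # Participant with Write data access configured
    DATA_MANAGER = 3
    OWNER = 4


METADATA_MANAGER = "Metadata Manager"   # the one additive permission

# Rights each inclusive level adds on top of the level below it.
# Right names are hypothetical labels for the task groups in the text.
LEVEL_RIGHTS = {
    Level.PARTICIPANT_READ: {"read_data"},
    Level.PARTICIPANT_WRITE: {"write_data"},
    Level.DATA_MANAGER: {"manage_data"},
    Level.OWNER: {"delete_application"},
}
METADATA_RIGHTS = {"manage_metadata"}

# Grants each object type accepts (object-type names are assumptions).
_ALL_GRANTS = {Level.PARTICIPANT_READ, Level.PARTICIPANT_WRITE,
               Level.DATA_MANAGER, Level.OWNER, METADATA_MANAGER}
_PARTICIPANT_ONLY = {Level.PARTICIPANT_READ, Level.PARTICIPANT_WRITE}
ASSIGNABLE = {
    "application": _ALL_GRANTS,
    "dimension": _ALL_GRANTS,
    "hierarchy_set": _PARTICIPANT_ONLY,
    "node_type": _PARTICIPANT_ONLY,
}


def validate_grants(object_type, grants):
    """Return the grants that this object type does not support."""
    return {g for g in grants if g not in ASSIGNABLE[object_type]}


def effective_rights(grants):
    """Resolve a set of grants on one object into the rights they confer."""
    levels = [g for g in grants if isinstance(g, Level)]
    top = max(levels, default=Level.NONE)      # inclusive: highest level wins
    rights = set()
    for level, added in LEVEL_RIGHTS.items():
        if level <= top:                       # each level includes lower ones
            rights |= added
    # Additive: Metadata Manager comes from its own grant or from Owner, and
    # never implies any data right (a lone Metadata Manager cannot read data).
    if METADATA_MANAGER in grants or top == Level.OWNER:
        rights |= METADATA_RIGHTS
    return rights


def can(grants, right):
    """True if the combined grants confer the named right."""
    return right in effective_rights(grants)


def redundant_grants(grants):
    """Grants already implied by a higher inclusive grant in the same set."""
    levels = [g for g in grants if isinstance(g, Level)]
    top = max(levels, default=Level.NONE)
    redundant = {g for g in levels if g < top}
    if top == Level.OWNER and METADATA_MANAGER in grants:
        redundant.add(METADATA_MANAGER)        # Owner already includes it
    return redundant


if __name__ == "__main__":
    dm_mm = {Level.DATA_MANAGER, METADATA_MANAGER}
    print("DM + MM:", sorted(effective_rights(dm_mm)))
    print("MM alone can read data?", can({METADATA_MANAGER}, "read_data"))
    print("Unsupported on hierarchy set:",
          validate_grants("hierarchy_set", dm_mm))
```

Running the script shows the two combinations from the list above resolving as the text describes, and `validate_grants` catching a Data Manager or Metadata Manager grant aimed at a hierarchy set or node type, which the page says accept Participant permissions only. `redundant_grants` implements the note that a user holding Owner does not need any lower grant on the same object.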