Understanding Application Roles and Permissions

The second level of security is managed in Oracle Enterprise Data Management Cloud using a combination of application roles and permissions that are assigned to users. By default, Service Administrators can perform all functions and access data. They do not need application roles or permissions.

Videos

Your Goal: Learn about setting up users and groups.
Watch This Video: Setting Up Users and Groups

Application Roles

Application roles control the functions users can perform, such as creating views or registering applications and dimensions. Application roles are compatible with, and independent of, permissions.

Note:

Service Administrators are the only users authorized to assign application roles. See Access Control.

If a user is renamed in Access Control, then all references to that user (such as in approval policies) become invalid.

This diagram illustrates application roles and the functions they secure.

  • The View Creator application role enables you to create views. After you create a view, you are assigned Owner permission to the view.
  • The Application Creator application role enables you to register an application in Oracle Enterprise Data Management Cloud. After you register an application, you are assigned Owner permission to the application.
  • The Auditor application role enables you to view changes made to data in all applications. It does not grant the ability to make any changes to data. If you want to make changes to data, you must be granted at least Participant (Write) permission on a data object. See Auditing Transaction History.

This diagram shows the View Creator, Application Creator, and Auditor application roles with the functions listed above.

Permissions

Permissions secure access to applications, dimensions, data chain objects (node set, hierarchy set, and node type), and data. You can assign the following permission levels:

  • Owner
  • Data Manager
  • Participant

    Note:

    By default, the Participant permission grants Read access to data chain objects. You can grant Write access to those objects by configuring data access. See Configuring Data Access.

You assign these permissions on applications, dimensions, hierarchy sets, and node types. Applications and dimensions support all permission levels, while hierarchy sets and node types support the Participant permission only. See Working with Permissions.

Note:

You can also assign the Owner permission on a view. This permission enables you to configure the view and to assign the Owner permission to other users and groups for that view.

Data Access

For users with Participant permission, data access enables you to specify which actions they can take and which properties they can view or edit for specific data chain objects.

See Configuring Data Access.

Viewpoint Actions and Properties

In addition to assigning roles and permissions to users, you can specify the actions that users can perform and the properties that they can update in a viewpoint. For example, you can specify that users can add nodes, but not delete them, or that users can edit the description of a node, but not the name. These allowed actions and editable properties for a viewpoint are enforced for all users, regardless of their role or permission.

Note:

You must have Data Manager permission on a dimension in a viewpoint and Owner permission on the view that contains that viewpoint in order to specify the allowed actions and editable properties for a viewpoint.

See Changing Viewpoint Permissible Actions and Configuring How a Viewpoint Displays Properties.
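The checks described on this page stack: application roles gate functions, permissions gate objects and data, Participant data access upgrades Read to Write, and viewpoint allowed actions and editable properties cap everyone. The following Python model is an added example written for this page, not Oracle code and not the product's actual authorization logic. The class names, the "add/delete/update" action names, the `participant_write` flag standing in for a data access configuration, and the ordering of permission levels used for the "at least Data Manager" check are all assumptions made for illustration.

```python
"""Added example (not Oracle Enterprise Data Management Cloud code): a toy
model of the layered role / permission / data access / viewpoint checks
described on this page. All names and structures here are assumptions."""
from dataclasses import dataclass, field

# Permission levels, weakest to strongest. The ordering is an assumption used
# only for the "at least Data Manager" checks below.
PERMISSION_RANK = {"Participant": 1, "Data Manager": 2, "Owner": 3}

# Which application role unlocks which function (from the page's role list).
ROLE_FUNCTIONS = {
    "create view": "View Creator",
    "register application": "Application Creator",
    "view audit history": "Auditor",
}


@dataclass
class User:
    name: str
    service_admin: bool = False
    app_roles: set = field(default_factory=set)      # e.g. {"View Creator"}
    permissions: dict = field(default_factory=dict)  # object name -> level


@dataclass
class Viewpoint:
    name: str
    view: str                    # the view that contains this viewpoint
    dimension: str               # the dimension whose data it displays
    allowed_actions: set         # e.g. {"add", "update"}; enforced for all users
    editable_properties: set     # e.g. {"Description"}
    participant_write: bool = False  # stands in for "data access grants Write"


def can_perform_function(user, function):
    """Functions such as creating a view are gated by application roles.
    Service Administrators need no role."""
    if user.service_admin:
        return True
    role = ROLE_FUNCTIONS.get(function)
    return role is not None and role in user.app_roles


def permission_level(user, obj):
    """Rank of the user's permission on an object (0 = no permission)."""
    return PERMISSION_RANK.get(user.permissions.get(obj), 0)


def can_write_data(user, viewpoint):
    """Owner and Data Manager can write. Participant is Read by default and
    gets Write only when data access is configured for it."""
    if user.service_admin:
        return True
    level = permission_level(user, viewpoint.dimension)
    if level >= PERMISSION_RANK["Data Manager"]:
        return True
    return level == PERMISSION_RANK["Participant"] and viewpoint.participant_write


def can_change_node(user, viewpoint, action, prop=None):
    """Decide whether `action` (add / delete / update) is permitted in this
    viewpoint and explain a refusal. The viewpoint's allowed actions and
    editable properties are applied to everyone, regardless of permission."""
    if not can_write_data(user, viewpoint):
        return False, f"{user.name} has no Write access on {viewpoint.dimension}"
    if action not in viewpoint.allowed_actions:
        return False, f"'{action}' is not an allowed action in {viewpoint.name}"
    if action == "update" and prop not in viewpoint.editable_properties:
        return False, f"'{prop}' is not editable in {viewpoint.name}"
    return True, "allowed"


def can_configure_viewpoint(user, viewpoint):
    """Changing allowed actions or editable properties needs at least Data
    Manager on the dimension and Owner on the view containing the viewpoint."""
    if user.service_admin:
        return True
    has_dm = permission_level(user, viewpoint.dimension) >= PERMISSION_RANK["Data Manager"]
    has_view_owner = user.permissions.get(viewpoint.view) == "Owner"
    return has_dm and has_view_owner


if __name__ == "__main__":
    # Constructed sample: a viewpoint that allows add/update but not delete,
    # and only lets users edit the Description property.
    vp = Viewpoint("Accounts VP", "Finance View", "Accounts",
                   {"add", "update"}, {"Description"}, participant_write=True)
    pat = User("pat", permissions={"Accounts": "Participant"})
    dm = User("dana", permissions={"Accounts": "Data Manager", "Finance View": "Owner"})
    for u, action, prop in [(pat, "add", None), (pat, "update", "Name"),
                            (dm, "delete", None), (dm, "update", "Description")]:
        print(u.name, action, prop, "->", can_change_node(u, vp, action, prop))
    print("dana may configure viewpoint:", can_configure_viewpoint(dm, vp))
```

Running the block prints one decision per sample request; the Data Manager is refused the delete because the viewpoint's allowed actions override permission, which is the point the page makes in the Viewpoint Actions and Properties section.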