Understanding Predefined Roles

Most Oracle Enterprise Performance Management Cloud services use a common set of predefined functional roles to control access to environments.

Access to environments is granted by assigning users to roles. For example, to permit user John Doe to view reports belonging to a Planning and Budgeting test environment, he should be assigned to the Viewer role of the environment.

All EPM Cloud services other than Narrative Reporting and Oracle Enterprise Data Management Cloud use a common set of four predefined functional roles to control access to service environments:

  • Service Administrator

  • Power User

  • User

  • Viewer

The access that a predefined role grants within an environment depends on the service type. For example, the Power User role in Planning enables you to manage business rule security and control the approval process while the same role in Tax Reporting enables you to run tax automation and import data.

Predefined functional service roles are hierarchical. Access granted through lower-level roles is inherited by higher-level roles. For example, Service Administrators, in addition to the access that only they have, inherit the access granted through Power User, User, and Viewer roles.


In the identity domain, roles belonging to a test environment are distinguished by appending -test to the instance name; for example, Planning1-test User, where Planning1 is the instance name.

About the Identity Domain Administrator Role

In addition to the functional roles, all EPM Cloud services use the Identity Domain Administrator role to manage users.

Identity Domain Administrators use the Security Page of My Services to perform all identity domain management tasks such as managing users and their roles, configuring single sign-on, and setting up network restricted access.

See the Identity Domain Administrator role description in Getting Started with Oracle Cloud for a detailed description of this role.

Identity Domain Administrator is not a functional role; it does not inherit access privileges granted through functional roles. To access service features, the Identity Domain Administrator must be granted one of the four functional roles.


An Identity Domain Administrator manages both the test and production environments of all services belonging to an identity domain.

An Identity Domain Administrator can create other Identity Domain Administrators, who can share the administrative workload. Having multiple Identity Domain Administrators also ensures seamless operation in case an Identity Domain Administrator becomes unavailable.