User Roles and Application Permissions
Users can work with applications and cubes according to their assigned roles and permissions. Roles and permissions help you manage the business activities users are permitted to perform within an Essbase instance, and the application data that they can access.
User roles are incremental; access granted to lower-level roles is inherited by higher-level roles. For example, Service Administrators, in addition to the access that only they have, inherit the access granted to Power User and User roles. You assign user roles in the Security page (available only to Service Administrators).
Table 5-1 User Roles
| User Role | Description |
|---|---|
| Service Administrator |
Full access to administer users, applications, and cubes. |
| Power User |
Has same permission as User Role, with added ability to create applications and cubes. Has Application Manager permission for the applications and cubes this user created, as well as the ability to delete them. Any additional permission must be granted, the same as for User Role. |
| User Role |
Ability to access any provisioned application, or a cube that has a minimum access permission. This user role has no access to administrative tasks in applications or cubes unless that permission is granted at the application level. |
Users can access most Essbase features and functionality only after being assigned an application permission in addition to their user role. Application permissions determine more than simply which users and groups can see an application or cube. They also determine whether the user can view data, update data, or manage the cube or application.
Application permissions can be assigned to users and groups using the Permissions tab within the application inspector (available to Service Administrators, application managers, and some power users).
Table 5-2 Application Permissions
| Application Permission | Description |
|---|---|
| Application Manager |
Ability to create, delete, and modify cubes and application settings within the assigned application; assign users to an application; create and delete scenarios, and give permission to run calculation scripts. |
| Database Manager |
Ability to manage cubes, cube elements, locks, and sessions within the assigned application; create and delete scenarios, execute calculation scripts, and assign permissions to run calculation scripts. |
| Database Update |
Ability to read, load, update, and clear data values based on assigned scope. Ability to create and delete scenarios. Ability to run provisioned calculation scripts. |
| Database Access |
Ability to access scenarios, read data values in all cells, and access specific data and metadata, unless further overridden by filters. Can update values in specific cells, if granted write access to those cells through filters. |