1. Home
  2. Previous Releases
  3. Latest Release
  4. Guides
    1. Start
    2. Administer
    3. Analyze
    4. Configure
    5. Deploy
    6. Install
    7. Migrate
    8. Organize
    9. Secure
      1. Incorta Security Guide
      2. Secure Communication and Data
      3. Configure SSO
      4. Secure Objects and Business Data
        1. Security Roles
        2. Reset Superuser Password
        3. Set Read-only Schema Access
        4. Runtime Security Filter
        5. Session Variables
        6. SOX Compliance
    10. Upgrade
    11. Visualize
  5. Concepts
  6. Tools
  7. References
    1. Apache Spark
    2. Built-in Functions
    3. Incorta Component SDK
    4. Incorta Connector SDK
    5. Connectors
    6. Data Studio Recipes
    7. Public API
    8. Security
      1. Client credentials for a Google APIs project
      2. Enable Zookeeper SSL
      3. Enable MySQL SSL
      4. Engine Audit
      5. HTTPS for Apache Tomcat with OpenSSL
      6. OAuth for Box
      7. OAuth for Dropbox
      8. OAuth for Google API
      9. OAuth for Microsoft Azure Gen1
      10. OAuth for OneDrive
      11. OAuth for Sharepoint
      12. OAuth for Smartsheet
      13. Security Roles
    9. SQL Interface
    10. Visualizations
    11. Other
  8. Integrations
  9. Data applications
  10. Releases

References → Security Roles

About Security Roles

A user belongs to zero or more Groups, and a Group is assigned to zero or more Roles. Roles are immutable. You cannot create, edit, or delete a Role. Groups, Security Roles, and Users are managed in the Security Manager.

Security Model

Incorta's security model is optimistic, meaning that Incorta enforces the least restrictive role permissions and access rights. All users inherit the User role. A tenant administrator inherits the SuperRole by default. There is no direct way to assign a role to user. Instead, you can assign one or more Roles to a Group. A Group is a collection of zero or more users. You assign a user to one or more groups.

Role Based Access Control

Role Based Access Control (RBAC) enforces access to certain features and functionality within the Incorta Analytics Services. The Incorta Loader Services is not accessible. The Incorta Cluster Management console is a separate web interface, and is enabled for a single administrator user.

There is no direct way to assign a Role to a user, with two exceptions:

  • All users inherit the User role

  • A tenant administrator inherits the SuperRole role unless otherwise configured for the tenant

Role Descriptions

RoleRole TypeDescription
UserUser RoleCan view, favorite, apply filters, and create bookmarks in dashboards that are shared with them. Can hide the tab and filter bars when viewing a dashboard. The default role assigned to a user.
Privileged UserUser RoleCan share dashboards and folders, and publish dashboards via email and schedules.
Dashboard AnalyzerUser RoleCan personalize, share, and publish dashboards via email and schedules.
Individual AnalyzerUser RoleCan create and modify dashboards. Can personalize dashboards. Can create and modify folders. Can access Analyzer. Cannot share dashboards or folders.
Analyze UserUser RoleCan create and modify dashboards. Can personalize dashboards. Can create and modify folders. Can access Analyzer. Can share dashboards and folders, and publish dashboards via email and schedules.
Advanced Analyzer UserUser RoleCan create and modify dashboards. Can personalize dashboards. Can create and modify folders. Can access Analyzer. Can share dashboards and folders, and publish dashboards via email and schedules. Can use Augmented Analytics and Business Notebook. Can install SDK Components from marketplace.

Note: This role is available starting 2024.7.x. After upgrading to 2024.7.x, users who created business Notebooks in a previous release must be assigned this role to continue to have access to their business Notebooks.
Schema ManagerAdmin RoleCan create and modify schemas, business schemas, data connections and data destinations. Can load data. Can share schemas with other users and groups.
User ManagerAdmin RoleCan create and modify groups and users. Can add roles and users to groups.
SuperRoleSuper RoleHas full access to all permissions.
Note: Users with the SuperRole role or the Super User can view only dashboards and folders that they own or have access rights to.
Important

You can limit users with "User" or "Individual User" roles to not to download insights. You can do that by disabling the Download insights option found under Default Tenant Configurations > Security in the Cluster Management Console (CMC).

Role Permissions

There are four levels of permissions a Role might have for different content uses of Incorta. In descending order a Role can: Manage, Share, View, or have no permissions. Having a higher level of permission access grants the permission of the lower levels.

RoleCatalog (Content)SchemaSecurityData ConnectionData DestinationData CatalogData Flows
UserView
Privileged UserShare
Dashboard AnalyzerShareView
Individual AnalyzerManage*ViewViewViewView
Analyze UserManageViewViewViewView
Advanced Analyzer UserManageViewViewViewViewManage
Schema ManagerManageManageManageEditManage
User ManagerManage
SuperRoleManageManageManageManageManageManageManage
Notes
  • Catalog refers to the Content tab in the Navigation bar.
  • The Individual Analyzer can manage the Catalog (Content), but cannot share.
  • Users with only the Advanced Analyzer User, Analyze User, or Individual Analyzer roles have limited access to the Business Schema Manager where they can view a list of business schemas shared with them without the need to be assigned the Schema Manager role. They can only open a shared business schema in the Business Schema Designer view mode, explore its data, export it, and view its description and sharing configurations.
  • There are additional areas that Advanced Analyzer User and SuperRole roles can manage. These areas include SDK Components, Business Notebooks, and Advanced Augmented Analytics.
  • Before 2024.7.x, the Analyze User role could manage Business Notebooks. However, starting 2024.7.x, this role is not sufficient to manage or access Business Notebooks.

Role Content Access

RoleDashboard Create / ModifyPersonalize DashboardsManage FoldersShare / PublishAnalyzerSchedulerSchema / Bus SchemaDataSecurity
UserNoNoNoNoNoYes**NoNoNo
Privileged UserNoNoNoYesNoYes**NoNoNo
Dashboard AnalyzerNoYesNoYesNoYes**NoNoNo
Individual AnalyzerYesYesYesNoYesYes**NoNoNo
Analyze UserYesYesYesYesYesYes**NoNoNo
Advanced Analyzer UserYesYesYesYesYesYes**NoNoNo
Schema ManagerNoNoNoNoNoYes**YesYesNo
User ManagerNoNoNoNoNoYes**NoNoYes
SuperRoleAllYesYesYesYesYesYesYesYes
Note on Scheduler access

** Only the SuperRole can see scheduled items. The Scheduler tab is active, but no schedules are shown even when the current user is the sharing target.

Role Exceptions

Several Roles have exceptions or variations of content access. Following are exceptions certain Roles may have.

RoleExceptions
Individual AnalyzerDashboard sharing control shown in listing view, but operation is denied. The Individual User can not delete dashboards or folders they do not own.
Analyze UserDashboards shared with the Analyze User have editing and advanced menu settings disabled. Note: The Analyze User can share with user groups without restriction.
Schema ManagerCan only see shared data sources, files, and destinations. Can load data into shared schemas only with edit permission. Can delete non-owned schema objects.