
About Security Roles

Incorta defines access control through Users, Groups, and Roles. The Security Manager manages these entities.

A user can belong to no groups or multiple groups, and a group can be assigned to no roles or multiple roles. A user inherits all roles assigned to the groups they belong to. Roles define specific permissions within the platform and are immutable. You cannot create, edit, or delete a role.

Security model

Incorta employs an optimistic security model, which means that Incorta enforces the least restrictive role permissions and access rights. All users inherit the User role. A tenant administrator inherits the SuperRole by default. There is no direct way to assign a role to a user. Instead, you can assign one or more roles to a group. A group is a collection of zero or more users. You may assign a user to one or more groups.

Role-based access control

Role-Based Access Control (RBAC) governs access to certain features and functions within the Incorta Analytics Service. The Incorta Loader Service is not accessible. The Incorta Cluster Management console is a separate web interface and is enabled for a single administrator user.

There is no direct way to assign a role to a user, with two exceptions:

  • All users inherit the User role
  • A tenant administrator inherits the SuperRole role unless otherwise configured for the tenant

Role descriptions

Role | Role Type | Description

User | User Role | Can perform the following:
  ●   View, favorite, apply filters, and create bookmarks in dashboards that are shared with them.
  ●   Hide the tab and filter bars when viewing a dashboard.
  ●   The default role assigned to a user.

Privileged User | User Role | Can share dashboards and folders, and publish dashboards via email and schedules.

Dashboard Analyzer | User Role | Can personalize, share, and publish dashboards via email and schedules.

Individual Analyzer | User Role | Can perform the following:
  ●   Create and modify folders.
  ●   Create, modify, and personalize dashboards, and also access the Analyzer.
  ●   Cannot share dashboards or folders.

Analyze User | User Role | Can perform the following:
  ●   Create and modify folders.
  ●   Create, modify, and personalize dashboards, and also access the Analyzer.
  ●   Share or publish dashboards via email and schedules.

Advanced Analyzer User | User Role | Can perform the following:
  ●   Create and modify folders.
  ●   Create, modify, and personalize dashboards, and also access the Analyzer.
  ●   Share dashboards and folders, and publish dashboards via email and schedules.
  ●   Use Augmented Analytics and Business Notebook.
  ●   Install SDK Components from the marketplace.

Note: This role is available starting 2024.7.x. After upgrading to 2024.7.x, users who created Business Notebooks in a previous release must be assigned this role to continue to have access to their Business Notebooks.

Copilot User | User Role | Can use Copilot (Nexus) and view shared dashboards and business schemas.

Note:
  ●   This role is available starting 2024.7.2 and is required for any user who intends to interact with the Copilot capabilities in various contexts. For example, a schema manager should also be assigned this role to leverage Nexus capabilities when building materialized views. Likewise, an Individual Analyzer requires it to leverage natural language to Insight capabilities.
  ●   Starting 2025.7.1, Incorta Copilot has been renamed to Incorta Nexus.

Data Catalog User | User Role | Can view the Data Catalog and manage assets they have edit access to.

Data Governor | User Role | Can create and manage the Data Catalog, including definitions, documentation, and data asset assignments.

Schema Manager | Admin Role | Can perform the following:
  ●   Create and modify schemas, business schemas, data connections, and data destinations.
  ●   Load data and share schemas with other users and groups.

User Manager | Admin Role | Can create and modify users and groups, and assign roles and users to groups.

SuperRole | Super Role | Has full access to all permissions.

Note: Users with the SuperRole or the Super User role can view only dashboards and folders that they own or have access rights to.

Important

You can limit users with "User" or "Individual User" roles from downloading insights by disabling the Download insights option available under Default Tenant Configurations → Security in the Cluster Management Console (CMC).

Role permissions

There are four levels of permissions a role can have for different types of content in Incorta. In descending order, a role can: Manage, Share, View, or have no permissions. A higher permission level includes the permissions of the lower levels.

Role | Catalog (Content) | Schema | Security | Data Connection | Data Destination (Dashboard Destination) | Data Catalog | Data Flow (Data Studio)

User: View
Privileged User: Share
Dashboard Analyzer: Share
Individual Analyzer: Manage*, View, View
Analyze User: Manage, View, View
Advanced Analyzer User: Manage, View, View, Manage
Copilot User: Manage, View (Business Schema)
Data Catalog User: View
Data Governor: Manage
Schema Manager: Manage, Manage, Manage, Manage
User Manager: Manage
SuperRole: Manage, Manage, Manage, Manage, Manage, Manage, Manage

Role permissions for other Incorta components

The following table lists certain Roles’ additional permissions for other Incorta components:

Role | SDK_Component | Standalone_Notebook | Advanced_Augmented_Analytics

Advanced Analyzer User: Manage, Manage
Copilot User: Manage
SuperRole: Manage, Manage, Manage

Notes
  • Catalog refers to the Content tab in the Navigation bar, Data Destination refers to Dashboard Destination, and Data Flow refers to Data Studio.
  • The Individual Analyzer can manage the Catalog (Content), but cannot share.
  • Users with only the Advanced Analyzer User, Analyze User, or Individual Analyzer roles have limited access to the Business Schema Manager, where they can view a list of business schemas shared with them without the need to be assigned the Schema Manager role. They can only open a shared business schema in the Business Schema Designer view mode, explore its data, export it, and view its description and sharing configurations.
  • Before 2024.7.x, the Analyze User role could manage Business Notebooks. However, starting 2024.7.x, this role is not sufficient to manage or access Business Notebooks.

Important

User Permissions

Incorta determines permissions based on a combination of assigned roles and access rights granted when sharing objects. Together, these factors define the functionalities and features available to users.

For example:

  • If a user, Joe, belongs only to a group with the User role, which only permits viewing access to the Catalog (Content Manager), and another user, Tom, grants Joe edit rights to a dashboard, Joe can only view the dashboard.
  • Similarly, if Joe belongs to a group with the Analyze User role, which allows users to manage the Catalog, and Tom grants Joe view access to a dashboard, Joe will be restricted to viewing the dashboard.
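
The two cases above suggest one rule: the right a user actually gets on a shared object is the lower of their role ceiling and the access right granted. The Python sketch below is an added example, not Incorta code; the group names, the dashboard name, the `latent_grants` audit helper, and the placement of the "view" and "edit" access rights on the permission-level scale are assumptions made for illustration.

```python
from enum import IntEnum

class Level(IntEnum):  # the page's four permission levels, lowest to highest
    NONE = 0
    VIEW = 1
    SHARE = 2
    MANAGE = 3

# Catalog (Content) level per role, limited to roles the page's examples and
# descriptions pin down.
CATALOG_LEVEL = {"User": Level.VIEW, "Privileged User": Level.SHARE,
                 "Analyze User": Level.MANAGE}

# Assumption: access rights granted at share time, placed on the same scale.
ACCESS_RIGHT = {"view": Level.VIEW, "edit": Level.MANAGE}

def roles_for(user, memberships, group_roles):
    """Roles reach a user only through groups; every user also inherits User."""
    roles = {"User"}
    for group in memberships.get(user, ()):
        roles.update(group_roles.get(group, ()))
    return roles

def catalog_ceiling(roles):
    """Optimistic model: the least restrictive (highest) role level wins."""
    return max(CATALOG_LEVEL.get(role, Level.NONE) for role in roles)

def effective(user, dashboard, memberships, group_roles, grants):
    """Role ceiling capped by the access right granted on the object."""
    right = grants.get((user, dashboard))
    if right is None:
        return Level.NONE
    ceiling = catalog_ceiling(roles_for(user, memberships, group_roles))
    return min(ceiling, ACCESS_RIGHT[right])

def latent_grants(memberships, group_roles, grants):
    """Grants above the holder's role ceiling: inert now, live after a group change."""
    findings = []
    for (user, dashboard), right in sorted(grants.items()):
        ceiling = catalog_ceiling(roles_for(user, memberships, group_roles))
        if ACCESS_RIGHT[right] > ceiling:
            findings.append((user, dashboard, right, ceiling.name))
    return findings

# Constructed sample data mirroring the page's Joe/Tom case with an edit grant.
GROUP_ROLES = {"viewers": [], "analysts": ["Analyze User"]}
GRANTS = {("joe", "q3-sales"): "edit"}
print(effective("joe", "q3-sales", {"joe": ["viewers"]}, GROUP_ROLES, GRANTS).name)
print(latent_grants({"joe": ["viewers"]}, GROUP_ROLES, GRANTS))
```

A grant reported by `latent_grants` has no effect today but takes effect as soon as the user joins a group with a higher role, which makes such grants worth reviewing before group membership changes.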

Role content access

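| Role | Manage Dashboards | Manage Folders | Share or Publish | Analyzer | Scheduler | Schema / Business Schema | Data | Data Studio | Data Catalog | Security |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| User | No | No | No | No | Yes** | No | No | No | No | No |
| Privileged User | No | No | Yes | No | Yes** | No | No | No | No | No |
| Dashboard Analyzer | Yes*** | No | Yes | No | Yes** | No | No | No | No | No |
| Individual Analyzer | Yes | Yes | No | Yes | Yes** | Yes | No | No | No | No |
| Analyze User | Yes | Yes | Yes | Yes | Yes** | Yes | No | No | No | No |
| Advanced Analyzer User | Yes | Yes | Yes | Yes | Yes** | Yes | No | No | No | No |
| Copilot User | No | No | No | No | Yes** | Yes (Business Schema only) | No | No | No | No |
| Data Catalog User | No | No | No | No | Yes** | No | No | No | Yes | No |
| Data Governor | No | No | No | No | Yes** | No | No | Yes | Yes | No |
| Schema Manager | No | No | No | No | Yes** | Yes | Yes | Yes | No | No |
| User Manager | No | No | No | No | Yes** | No | No | No | No | Yes |
| SuperRole | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

Notes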

** Only the SuperRole can see scheduled items. The Scheduler tab is active, but no schedules are shown even when the current user is the sharing target.

*** The Dashboard Analyzer role can personalize dashboards, but cannot create or modify them.

Role exceptions

Several roles have exceptions to, or variations of, their content access. The following exceptions apply to certain roles.

Role | Exceptions

Individual Analyzer
  ●   Dashboard sharing control is available in listing view, but the operation is denied.
  ●   The Individual User cannot delete dashboards or folders that they do not own.

Analyze User
  ●   Dashboards shared with the Analyze User have editing and advanced menu settings disabled.
  ●   The Analyze User can share with user groups without restriction.

Schema Manager
  ●   Can only see shared data sources, files, and destinations.
  ●   Can load data into shared schemas only with edit permission.
  ●   Can delete non-owned schema objects.