Configuring Manager Privileges and Permissions

© Copyright Informatica LLC 1993, 2021. Informatica LLC. No part of this document may be reproduced or transmitted in any form, by any means (electronic, photocopying, recording or otherwise) without prior consent of Informatica LLC. All other company and product names may be trade names or trademarks of their respective owners and/or copyrighted materials of such owners.

Abstract

You can configure privileges to allow users access to the features in Metadata Manager. You can configure permissions to allow access to resources or objects in Metadata Manager. This article describes the privileges and permissions that you can configure in Metadata Manager.

Supported Versions

• Metadata Manager 9.6.1

Table of Contents

• Introduction
• Users, Groups, Privileges, and Roles
• Privileges
   • Catalog Privilege Group
   • Load Privilege Group
   • Model Privilege Group
   • Security Privilege Group
• Permissions
   • Types of Permissions
   • Rules and Guidelines
   • Configuring Permissions for Users and Groups
   • Configuring Permissions for the Metadata Catalog
• Sample Scenarios
   • Scenario 1
   • Scenario 2
   • Scenario 3
   • Scenario 4

Introduction

The Metadata Manager Service privileges determine the actions that you can perform using Metadata Manager. Permissions determine the resources and metadata objects that you can access in Metadata Manager.

To access specific features of Metadata Manager and perform the required actions on resources or objects in Metadata Manager, you must complete the following tasks:

1. In the Administrator tool, configure the users and groups that need to access Metadata Manager.
2. In the Administrator tool, assign the required privileges or roles to the users and groups.
3. In Metadata Manager, configure the appropriate permissions for the resources or objects that the users need to access.

Users, Groups, Privileges, and Roles

You can create and manage Metadata Manager users and groups and configure privileges and roles in the Administrator tool.

To access the application services and objects in the Informatica domain and to use the application clients, you must have a user account. The tasks you can perform depend on the type of user account that you have and the type of license that you have.

The Service Manager stores users and groups in the domain configuration and copies the list of users and groups to the Metadata Manager repository. The Service Manager periodically synchronizes the list of users and groups in the repository with the users and groups in the domain configuration database.

Users
You can set up individual user accounts in the Informatica domain. Users can perform tasks based on the roles, privileges, and permissions assigned to them.

Groups
You can set up groups of users and assign different roles, privileges, and permissions to each group. The roles, privileges, and permissions assigned to the group determine the tasks that users in the group can perform within the Informatica domain.

Privileges
Privileges determine the actions that users can perform in application clients. You can assign different privileges to a user for each application service of the same service type.

Roles
Roles are collections of privileges that you can assign to users and groups. You assign roles or privileges to users and groups for the domain and for application services in the domain.

The Administrator tool includes several predefined custom roles that you can assign to Metadata Manager users and groups. You can assign the following predefined custom roles to Metadata Manager users and groups:

Metadata Manager Basic User
This role allows users to perform tasks such as view the catalog, view the lineage, and view the model. This user role provides view permissions on the catalog and the model.

Metadata Manager Intermediate User
This role allows users to perform tasks such as manage links between metadata objects in a catalog and load a resource. This role includes the privileges available to a Metadata Manager Basic User.

Metadata Manager Advanced User
This role allows users to manage objects, resources, models, and catalog permissions. This role includes the privileges available to a Metadata Manager Intermediate User.

For more information about creating users and groups and assigning roles and privileges, see the Informatica Security Guide.

Privileges

Metadata Manager Service privileges determine the actions that users can perform in Metadata Manager. You assign privileges to users and groups in the Administrator tool.

The following table describes each Metadata Manager privilege group:

| Privilege Group | Description |
|---|---|
| Catalog | Includes privileges to manage objects in the Browse tab of the Metadata Manager interface. |
| Load | Includes privileges to manage objects in the Load tab of the Metadata Manager interface. |
| Model | Includes privileges to manage objects in the Model tab of the Metadata Manager interface. |
| Security | Includes privileges to manage objects in the Security tab of the Metadata Manager interface. |

Catalog Privilege Group

The privileges in the Catalog privilege group determine the tasks that users can perform on the Browse tab of the Metadata Manager application. A user with the privilege to perform a certain action also requires permissions to perform the action on a particular object. Configure permissions on the Security tab of the Metadata Manager application.

The following table lists the privileges in the Catalog privilege group and the permissions required to perform a task on an object. The table also lists the Metadata Manager custom roles that have these privileges and permissions assigned by default:

| Privilege | Includes Privileges | Permission | Description | Metadata Manager Custom Roles Assigned with this Privilege |
|---|---|---|---|---|
| Share Shortcuts | - | Write | User can share a folder that contains a shortcut with other users and groups. | Metadata Manager Advanced User |
| View Lineage | - | Read | User can perform the following actions: Run lineage analysis on metadata objects, categories, and business terms. Run data lineage analysis from the PowerCenter Designer. Users must also have read permission on the PowerCenter repository folder. | Metadata Manager Advanced User, Metadata Manager Intermediate User, Metadata Manager Basic User |
| View Related Catalogs | - | Read | User can view related catalogs. | Metadata Manager Advanced User, Metadata Manager Intermediate User, Metadata Manager Basic User |
| View Reports | - | Read | User can view Metadata Manager reports in Data Analyzer. | Metadata Manager Advanced User, Metadata Manager Intermediate User |
| View Profile Results | - | Read | User can view profiling information for metadata objects in the catalog from a relational source. | Metadata Manager Advanced User, Metadata Manager Intermediate User |
| View Catalog | - | Read | User can perform the following actions: View resources and metadata objects in the metadata catalog. Search the metadata catalog. | Metadata Manager Advanced User, Metadata Manager Intermediate User, Metadata Manager Basic User |
| View Relationships | - | Read | User can view relationships for metadata objects, categories, and business terms. | Metadata Manager Advanced User, Metadata Manager Intermediate User, Metadata Manager Basic User |
| Manage Relationships | View Relationships | Write | User can create, edit, and delete relationships for custom metadata objects, categories, and business terms. | Metadata Manager Advanced User |
| View Comments | - | Read | User can view comments for metadata objects, categories, and business terms. | Metadata Manager Advanced User, Metadata Manager Intermediate User, Metadata Manager Basic User |
| Post Comments | View Comments | Write | User can add comments for metadata objects, categories, and business terms. | Metadata Manager Advanced User, Metadata Manager Intermediate User |
| Delete Comments | Post Comments, View Comments | Write | User can delete comments for metadata objects, categories, and business terms. | Metadata Manager Advanced User, Metadata Manager Intermediate User |
| View Links | - | Read | User can view links for metadata objects, categories, and business terms. | Metadata Manager Advanced User, Metadata Manager Intermediate User, Metadata Manager Basic User |
| Manage Links | View Links | Write | User can create, edit, and delete links for metadata objects, categories, and business terms. | Metadata Manager Advanced User, Metadata Manager Intermediate User |
| View Glossary | - | Read | User can perform the following actions: View business glossaries in the Glossary view. Search business glossaries. | Metadata Manager Advanced User, Metadata Manager Intermediate User |
| Manage Objects | - | Write | User can perform the following actions: Edit metadata objects in the catalog. Create, edit, and delete custom metadata objects. Users must also have the View Model privilege. Create, edit, and delete custom metadata resources. Users must also have the Manage Resource privilege. | Metadata Manager Advanced User |

Load Privilege Group

The privileges in the Load privilege group determine the tasks that users can perform on the Load tab of the Metadata Manager application. A user with the privilege to perform a certain action also requires permissions to perform the action on a particular object. Configure permissions on the Security tab of the Metadata Manager application.

Note: In Metadata Manager 9.6.1 HotFix 2 and previous versions, you do not need to assign privileges to perform any task on the Load tab.

The following table lists the privileges and permissions required to manage an instance of a resource in the Metadata Manager warehouse. The table also lists the Metadata Manager custom roles that have these privileges and permissions assigned by default:

| Privilege | Includes Privileges | Permission | Description | Metadata Manager Custom Roles Assigned with this Privilege |
|---|---|---|---|---|
| View Resource | - | Read | User can perform the following actions: View resources and resource properties in the Metadata Manager warehouse. Export resource configurations. Download the Metadata Manager Agent installer. | Metadata Manager Advanced User, Metadata Manager Intermediate User |
| Load Resource | View Resource | Write | User can perform the following actions: Load metadata for a resource into the Metadata Manager warehouse.* Create links between objects in connected resources for data lineage. Configure search indexing for resources. Import resource configurations. | Metadata Manager Advanced User, Metadata Manager Intermediate User |
| Manage Schedules | View Resource | Write | User can perform the following actions: Create and edit schedules. Add schedules to resources. | Metadata Manager Advanced User |
| Purge Metadata | View Resource | Write | User can remove metadata for a resource from the Metadata Manager warehouse. | Metadata Manager Advanced User |
| Manage Resource | Purge Metadata, View Resource | Write | User can create, edit, and delete resources. | Metadata Manager Advanced User |

* To load metadata for Business Glossary resources, the Load Resource, Manage Resource, and View Model privileges are required.

Model Privilege Group

The privileges in the Model privilege group determine the tasks that users can perform on the Model tab of the Metadata Manager application. You cannot configure permissions on a model.

The following table lists the privileges required to manage models and the Metadata Manager custom roles that have these privileges and permissions assigned by default:

| Privilege | Includes Privileges | Permission | Description | Metadata Manager Custom Roles Assigned with this Privilege |
|---|---|---|---|---|
| View Model | - | - | User can open models and classes and view model and class properties. View relationships and attributes for classes. | Metadata Manager Advanced User, Metadata Manager Intermediate User, Metadata Manager Basic User |
| Manage Model | View Model | - | User can create, edit, and delete custom models. Add attributes to packaged models. | Metadata Manager Advanced User |
| Export/Import Models | View Model | - | User can import and export custom models and modified packaged models. | Metadata Manager Advanced User |

Security Privilege Group

The privileges in the Security privilege group determine the tasks that users can perform on the Security tab of the Metadata Manager application.

By default, the Manage Catalog Permissions privilege in the Security privilege group is assigned to the Administrator, or a user with the Administrator role on the Metadata Manager Service. You can assign the Manage Catalog Permissions privilege to other users.

The following table lists the privilege and permission required to manage Metadata Manager security. The table also lists the Metadata Manager custom roles that have these privileges and permissions assigned by default:

| Privilege | Includes Privileges | Permission | Description | Metadata Manager Custom Roles Assigned with this Privilege |
|---|---|---|---|---|
| Manage Catalog Permissions | - | Full Control | The user can perform the following actions: Assign users and groups permissions on resources, metadata objects, categories, and business terms. Edit permissions on resources, metadata objects, categories, and business terms. | Metadata Manager Advanced User |

Permissions

You can view and configure user and group permissions on resources and metadata objects in Metadata Manager. Permissions determine which resources and metadata objects Metadata Manager users can access on the Browse tab and the Load tab. Permissions do not affect objects on the Model tab.

By default, only Metadata Manager administrator users have access to the resources and metadata objects in the Metadata Manager warehouse. To grant access to these objects to other users, you must configure the permissions for Metadata Manager users and groups.

Permissions work with the Metadata Manager Service privileges that you configure for users and groups in the Administrator tool. To access a resource or metadata object, a user must have sufficient Metadata Manager Service privileges and appropriate permissions on the object. For example:

• To view a metadata object in the metadata catalog, a user needs the View Catalog privilege, Read permission on the resource that contains the object, and Read permission on the metadata object. To prevent the user from accessing other metadata objects within the resource, set the permission on the other objects to No Access.

• To view a business glossary in the Glossary view, a user needs the View Glossary privilege and Read permission on the business glossary.

• To view a resource in the Load tab, a user needs the View Resource privilege and Read permission on the resource.

• To load a resource, a user needs the Load Resource privilege and Write permission on the resource.

Note: In Metadata Manager 9.6.1 HotFix 2 and previous versions, you do not need to assign privileges to perform any task on the Load tab.

Use the Permissions tab to configure permissions on resources and metadata objects.

You can complete the following tasks:

Configure permissions for users and groups.
Select a user or group, and then specify which resources and metadata objects the user or group can access.

Configure permissions on metadata objects.
Select a resource or metadata object, and then specify which users and groups can access the object.

Types of Permissions

Permissions in Metadata Manager determine the level of access that users and groups have on resources and metadata objects.

You can configure the following permissions:

Full control
Configure permissions on an object in the metadata catalog. Includes write and read permission.

Write
Write permission on a resource or metadata object. Includes read permission.

Read
Read permission on a resource or metadata object.

No access
User cannot access the resource or metadata object.

Permission not specified
User inherits permissions on the object from the parent object.

Rules and Guidelines

Use the following rules and guidelines when you configure permissions:

• When you configure permissions on a resource or metadata object, child objects of the resource or metadata object inherit the permissions of the parent object.

• You cannot configure permissions on logical groups in the metadata catalog. For example, logical groups for an Oracle resource include the Indexes, Procedures, Tables, and Views groups. Metadata Manager groups all tables under the Tables logical group. You can configure permissions on the individual tables, but not on the Tables logical group.

Configuring Permissions for Users and Groups

View and configure permissions for users and groups on the Permissions tab. You can view the permissions on the resources and metadata objects for a user or group. You can also configure the permissions for the user or group.

To configure permissions for specific child objects of a parent object, set permissions for all child objects to No Access. Then configure the appropriate permissions for the child objects.

For example, a user Dave needs the Write permission only on the first two monthly revenue reports tables among the 100 monthly revenue reports tables under the Tables logical group in an Oracle resource. To configure permissions for Dave, select the 100 monthly revenue reports tables, and set the permission to No Access. Then select the first two monthly revenue reports tables, and set the permission on the tables to Write.
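The following Python sketch is an added example, not Informatica code. It models the rules described above (a task needs both the privilege and a sufficient permission, an unspecified permission is inherited from the parent, and logical groups cannot carry permissions) and replays the Dave example. The class, function, and table names, and Dave's Read permission on the resource, are assumptions made for illustration.

```python
from enum import IntEnum


class Perm(IntEnum):
    """Permission levels from this article; each level includes the lower ones."""
    NO_ACCESS = 0
    READ = 1
    WRITE = 2
    FULL_CONTROL = 3


# Permission each privilege requires, copied from the privilege tables in this
# article (subset only).
REQUIRED = {
    "View Catalog": Perm.READ,
    "View Lineage": Perm.READ,
    "Manage Objects": Perm.WRITE,
    "View Resource": Perm.READ,
    "Load Resource": Perm.WRITE,
    "Manage Catalog Permissions": Perm.FULL_CONTROL,
}


class Node:
    """A resource or metadata object in a catalog tree (hypothetical model)."""

    def __init__(self, name, parent=None, logical_group=False):
        self.name = name
        self.parent = parent
        self.logical_group = logical_group
        self.acl = {}  # principal -> Perm; absent key = permission not specified

    def set_perm(self, principal, perm):
        if self.logical_group:
            raise ValueError(f"cannot set permissions on logical group {self.name!r}")
        self.acl[principal] = perm


def effective(node, principal):
    """Return (permission, inherited) using the nearest explicit setting."""
    cur = node
    while cur is not None:
        if principal in cur.acl:
            return cur.acl[principal], cur is not node
        cur = cur.parent
    # Nothing configured anywhere: non-administrators have no access by default.
    return Perm.NO_ACCESS, True


def resource_of(node):
    """Walk up to the top-level resource that contains the object."""
    while node.parent is not None:
        node = node.parent
    return node


def can(principal, privileges, privilege, node):
    """True only if the user holds the privilege AND a sufficient permission.

    Assumption: the article's View Catalog example (Read on the containing
    resource plus Read on the object) is applied to every privilege here.
    """
    if privilege not in privileges:
        return False
    if effective(resource_of(node), principal)[0] < Perm.READ:
        return False
    return effective(node, principal)[0] >= REQUIRED[privilege]


def build_dave_example():
    """Replay the Dave example: 100 tables set to No Access, first two to Write."""
    resource = Node("Oracle resource")
    tables = Node("Tables", parent=resource, logical_group=True)
    reports = [Node(f"MONTHLY_REVENUE_{i:03d}", parent=tables) for i in range(1, 101)]
    resource.set_perm("Dave", Perm.READ)  # assumption: not stated in the article
    for table in reports:
        table.set_perm("Dave", Perm.NO_ACCESS)
    for table in reports[:2]:
        table.set_perm("Dave", Perm.WRITE)
    return resource, tables, reports


def writable(principal, nodes):
    """Audit helper: names of objects where the principal has Write or higher."""
    return [n.name for n in nodes if effective(n, principal)[0] >= Perm.WRITE]


if __name__ == "__main__":
    _, _, reports = build_dave_example()
    print(writable("Dave", reports))
```

In this model the No Access entries sit on the individual tables, so a table created later under the same resource inherits the resource's permission rather than No Access.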

Perform the following steps to configure permissions for users and groups:

1. On the Permissions tab, select the user or group in the Users/Groups pane.
   The Permissions pane displays the user or group permissions for each resource and metadata object in the metadata catalog.
   Note: Permissions preceded by an asterisk (*) are inherited from permissions on a parent object.
2. Click Edit Permissions.
   The Edit Permissions window appears as shown in the following image.
   In this example, the group named Operator is given the Read permission to the Ora_scala11gr2 resource:
   [Image: Edit Permissions window]
3. Select the resource or metadata object for which you want to configure permissions.
4. Select the permission from the list and click Apply.
5. Click OK.

Configuring Permissions for the Metadata Catalog

You can view and configure permissions for resources and metadata objects in the metadata catalog. You can view the user and group permissions on the resources and metadata objects and configure the user and group permissions for the objects.

When you select a resource or metadata object, Metadata Manager shows the users and groups for which you configured permissions. To configure permissions for a user or group that is not displayed, you can add the user or group when configuring permissions for the resource or metadata object.

Note: You can also configure permissions for metadata objects from the Browse tab. You can select an object, right-click, and choose Set Permissions to change to the Permissions tab. Permissions preceded by an asterisk (*) were inherited from permissions on a parent object.

Perform the following steps to configure permissions for a resource or metadata object:

1. On the Permissions tab, select a resource or metadata object.
   The configured permissions for users and groups on the resource or metadata object appear in the right pane.
2. Click Edit Permissions.
   The Edit Permissions window appears as shown in the following figure.
   In this example, the group named Operator is configured with the Read access permission for a selected Oracle resource, Auto_Oracle1:
   [Image: Edit Permissions window]
3. To edit the permissions for a user or group, select the permission in the Permission list.
4. To remove the permissions for a user or group, click Remove for the corresponding user or group.
5. To add permissions for another user or group, select the user or group in the Add another User/Group list, select the required permission, and click Add.
6. Click OK.

Sample Scenarios

The following sample scenarios describe how to configure the required privileges and permissions for users to perform specific tasks in Metadata Manager:

Scenario 1

Configure the privileges and permissions for a new user named Steve so that Steve can perform the following tasks in Metadata Manager:

• View the model for an Oracle database resource.

• View the catalog.

• View lineage for a column in an Oracle database resource.

Scenario 2

Modify the privileges and permissions for an existing user named Jane so that Jane can perform the following tasks in Metadata Manager:

• Load a Sybase database resource.

• Create links between objects in the Sybase database resource to run lineage across metadata sources.

• View information about a category or business term in the business glossary named Enterprise Billing Terms.

Scenario 3

Modify the privileges and permissions for an existing user named Alan so that Alan can perform the following tasks in Metadata Manager:

• Import and export custom models.

• Configure catalog permissions for an Oracle database resource.

• Manage resources for a Microsoft SQL Server database resource.

Scenario 4

Configure privileges for a new user named Bob so that Bob can perform the following tasks in Metadata Manager:

• Create a custom resource in the catalog, based on an existing custom model.

• Create objects under the custom resource in the catalog.

Scenario 1

The following scenario lists the privileges and permissions that you must configure for a new user.

Create a user named Steve and configure privileges and permissions for the new user to perform the following tasks in Metadata Manager:

• Open models and classes for an Oracle database resource and view the class properties.

• View resources and objects in the metadata catalog.

• Run data lineage analysis on metadata objects in an Oracle database resource.

Perform the following steps in the Administrator tool:

1. Create the user named Steve.
2. Assign the following privileges to Steve:
   a. Select the View Model privilege under the Model privilege group.
   b. Select the View Catalog privilege under the Catalog privilege group.
   c. Select the View Lineage privilege under the Catalog privilege group.

Note: Alternatively, you can assign the custom role of a Metadata Manager Basic User to Steve to grant all of these privileges.

In Metadata Manager, select the Oracle database resource and configure the Read permission for Steve.

Scenario 2

The following scenario lists the privileges and permissions that you must modify for a user to perform the listed tasks in Metadata Manager.

The following table lists the tasks that Jane can currently perform and the additional tasks that Jane must perform:

| Tasks Currently Permitted | Additional Tasks Required |
|---|---|
| No permissions configured. The user is unable to view the resources. | Load metadata for a Sybase database resource into the Metadata Manager warehouse. |
| View links for metadata objects, categories, and business terms. | Create, edit, and delete links between metadata objects in the Sybase database resource. |
| No permissions configured. The user is unable to view business glossaries. | View the Enterprise Billing Terms business glossary and search for terms in this business glossary. |

Use the Administrator tool to modify the privileges for Jane to perform the additional tasks:

• Load metadata for a resource into the Metadata Manager warehouse. Select the Load Resource privilege under the Load privilege group and assign this privilege to the user.

• Create, edit, and delete links between metadata objects. Select the Manage Links privilege under the Catalog privilege group and assign this privilege to the user.

• View business glossaries and search for terms in the business glossary. Select the View Glossary privilege under the Catalog privilege group.

Note: Alternatively, you can assign Jane the custom role of a Metadata Manager Intermediate User to configure all the additional privileges.

In Metadata Manager, configure the following permissions for Jane to perform the additional tasks:

• Select the Sybase database resource and configure the Write permission for Jane.

• Select the Enterprise Billing Terms business glossary and configure the Read permission for Jane.

Scenario 3

The following sample scenario lists the privileges and permissions that you must modify for a user to perform the listed tasks in Metadata Manager.

The following table lists the tasks that Alan can currently perform and the additional tasks that Alan must perform:

| Tasks Currently Permitted | Additional Tasks Required |
|---|---|
| Open models and classes and view the properties, relationships, and attributes for classes. | Export and import custom models. |
| View metadata resources and objects in the metadata catalog. | Assign permissions for users and groups on metadata objects and resources in an Oracle database. |
| Load metadata for a resource in the Metadata Manager warehouse. | Create, edit, and delete resources for a Microsoft SQL Server database. |

Use the Administrator tool to modify the privileges required by Alan to perform the additional tasks:

• Export and import custom models. Select the Export/Import Models privilege under the Model privilege group and assign this privilege to the user.

• Assign permissions for users and groups on metadata objects and resources. Select the Manage Catalog Permissions privilege under the Security privilege group and assign this privilege to the user.

• Create, edit, and delete resources. Select the Manage Resource privilege under the Load privilege group.

Note: Alternatively, you can assign the custom role of a Metadata Manager Advanced User to Alan to configure all the additional privileges.

In Metadata Manager, configure the following permissions for Alan to perform the additional tasks:

• Select the Oracle database resource and configure the Full Control permission for Alan.

• Select the Microsoft SQL Server database resource and configure the Write permission for Alan.

Note: Configuring the Export/Import Models privilege for Alan in the Administrator tool allows Alan to export and import custom models. You do not have to configure any permissions in Metadata Manager.

Scenario 4

The following sample scenario lists the privileges that you must modify for a user to perform the listed tasks in Metadata Manager.

Create a new user named Bob and provide the required privileges for Bob to complete the following tasks:

• Create a custom resource in the catalog, based on an existing custom model.

• Create objects under the custom resource in the catalog.

Perform the following steps in the Administrator tool:

1. Create the user named Bob.
2. Assign the following privileges to Bob:

• Select the View Model privilege under the Model privilege group.

• Select the View Catalog privilege under the Catalog privilege group.

• Select the Manage Objects privilege under the Catalog privilege group.

Note: Alternatively, you can assign the custom role of a Metadata Manager Advanced User to Bob to grant all of these privileges.

Authors

Suraj Jayan

Acknowledgements

The author would like to acknowledge Lori Troy, Vishwanath Belur, and Rashmi Mani.
