System Administration

Delivered WebApp Groups

All WebApps, also known as components, have three basic WebApp groups:

  • PowerUser — Full access to all pages in the component. The creator of a component is automatically added to this group. As a recommendation, add as few users to this WebApp group as possible. When new pages are created for a component, members of this group are automatically added to the PowerUser WebApp group with full page rights. Therefore, members of this group always have full access to all pages in the component, unless otherwise configured.
  • User — Access is determined by the application Designer.
  • PowerDesigner — Full access to all pages, not meant to be used on site in most cases.

    NOTE: The term full access means that users have read, write, edit, and delete access, as permitted by the page.

NOTE: WebApp groups for each component are listed on the WebApp Groups page.

Some components have additional WebApp groups.

Agent Interface

No additional groups defined.

Assemble

  • PowerUserLite — Enables users to create, change, delete and execute CranPort Packages. Users cannot change any Assemble configuration-related settings.
  • ExecutionOnly — Enables users to execute CranPort packages only, not to create or edit them.

NOTE: Assemble WebApp groups can be viewed using the CranPort WebApp.

AutoGen

No additional groups defined.

Automate

  • Interface Developer — Ability to create and update interfaces

NOTE: Automate WebApp groups can be viewed using the InterfaceServer WebApp.

Collect

  • Service — Ability to run service pages for Collect via Admin > Resources > Service Pages
  • WorkFlowFailureAll — A user must be assigned to a role that uses this WebGroup to receive workflow notifications about table download failures in Collect.
  • WorKFlowFailureByTargetAccess — A user must be assigned to a role that uses this WebGroup to receive workflow notifications about table download failures in Collect.

Common

  • AdvancedDeveloper — Intended to be used for Migration Advanced Developers. It enables users to maintain module-specific settings, maintain data sources, and add automation engine tasks.

  • Analyze — Full access to only the Analyze pages (Common > Analyze > Duplicates, Profile and Trace) and Configuration pages (Common > Configuration)
  • AnalyzeLite — Enables users to execute profiling, tracing and duplicate detection activities.

  • CloudConfigurator – Not used
  • Manage — Not used
  • ReadOnly — Read-only access to all pages
  • RequestPoster — Passwords for external system data sources are stored in Common. Users who are assigned to a role with a role type of Post in MDM must be assigned to this group so that they can maintain their passwords.

    NOTE: If system passwords are used, users do not need to maintain their own passwords and do not need access to this WebApp group.

  • Tools — Full access to only Tools pages (Common > Tools > Build View and Schedules).
  • UserCredentials — Designed to be used by Integrate Roles, allowing users to maintain their user-specific application credentials.

Console

  • MappingApproval — Access to the Mapping Approval page only. This page is available from the green tab on the Quick Panel, and is populated when a field mapping that has been added in Map is waiting to be reviewed.
  • ReadOnly — Read-only access to all pages
  • Wavesynchronizer — Access to buttons and pages related to comparing and synchronizing target designs across Waves

Construct

NOTE: The Stewardship Tier security key model is implemented in Construct by Wave Process Area Object ID. Refer to Set Security for more information.

The WebApp groups below can be customized to create more granular access for smaller groups.

  • Controlling — Custom Security Group can be assigned at the page level
  • Finance — Custom Security Group can be assigned at the page level
  • Materials — Custom Security Group can be assigned at the page level
  • Sales & Distribution — Custom Security Group can be assigned at the page level
  • Views — Not used

dspCompose™ (Mass Maintenance)

  • ReadOnly — Read-only access to all pages
  • Requester — Full access to all Request Data pages (Mass Maintenance > Requests)

    NOTE: Mass Maintenance users must be members of Integrate’s Post Monitor WebApp group to post requests using the Post Later feature.

dspConduct™ (Master Data Management)

  • ArchiveUser — Ability to view all archived request data (Master Data Management > Archives)
  • FinalFinishAdmin — Users in this group receive a workflow notification when a final finish package is created but fails to run successfully. Users can view all requests and have a read-only support role.
  • RoleProcessor — Access to the Request Role page and all dependent pages to process MDM requests
  • UserManager — Access to the User Settings page in MDM to update a user’s workflow notification settings and back up user information.

  • ReadOnly — Read-only access to all pages

dspMonitor™ (Data Quality)

  • Designer — Does not have access to any pages
  • GroupOwner — Access to make changes to any group, regardless of whether the user is the group owner
  • Service — Ability to run service pages for dspMonitor™ via Admin > Resources > Service Pages
  • Subscribers — Receives workflow emails about errors with a link to the error report

dspTrack™

  • Application Administrator — Full access to the User Preferences page (Configuration > Workflow > User Preference) and the Work List, and the Parameters page (Configuration > Parameters). Members of this group manage application-level configuration.
  • Business User — Read-only access to the Plan pages based on the user’s assigned plan. The plan is assigned when the plan is added to the template security role’s key. Users in this WebApp group also have full access to the User Preferences page (Configuration > Workflow > User Preference) and the Work List.
  • Plan User — Full access to Plan pages associated with the keys assigned to the template security role
  • Project User — Full access to project pages associated with the keys assigned to the template security role.
  • WorkList only — Full access to the Work List

Entity Validation

  • Entity Validation Request Processor—Can add, edit and delete address records for a request, process a request and process individual records within a request. This security role cannot create requests.

  • Entity Validation Request Creator—Can create requests and has all the same security rights as Request Processor.

  • Entity Validation Configurator—Can update the Configuration pages and has all the same security rights as Request Creator and Request Processor. Use this security role for administrators.

Add-Ons

No additional groups defined.

Integrate

  • ExecutionOnly — Ability to post in Integrate, but not to activate or deactivate templates or processes
  • PostMonitor — Read-only access to Post Monitor, Post Monitor: Template, Post Files, and Post File Logs pages

NOTE: Mass Maintenance users must be members of this group to post requests using the Post Later feature.

Map

  • FieldMapper — Ability to perform (define, edit) field mapping actions on the Field Mappings page; user has read-only access to the remaining pages
  • FieldAndValueMapper — Enables users to maintain Field and Value Mapping. Intended for use by non-migration developer resources who are responsible for documenting mappings requirements.

  • PowerUserLite — Enables users to perform all Field and Value Mapping activities needed to build a data object end to end. It's recommended for use by Migration Developers. Users with this Group cannot change any Map configuration-related settings.
  • ReadOnly — Read-only access to all pages
  • ValueMapper — Ability to map Source Table values to Target Check Table values

System Administration

  • Administrator — Full access to all pages. Only Administrators or Power Users of System Administration have security to create WebApps.
  • Audit — Full access to all audit pages (Data Sources > Audit)
  • ContentKeySecurity — Provides restricted access to a type of security user, usually a SME or Data Steward, that can:

    • Create security roles with a Role Type of Content and

    • Assign security definition key values to users, and to security roles with Role Types of Standard and Content

  • CTS — Full access to all CTS pages (i.e., pages under the CTS menu)
  • CustomizationManager — Access to User/Role/Site level customization pages for creating and managing Custom Links, Custom Dashboard Layouts, Quick Links, and others.
  • Customizer — By default, users have access to this group, which gives them the ability to replace Dashboards with alternate layouts.

    NOTE: To create dashboards, users must be a member of the CustomizationManager WebApp group.

  • DataSources — Full access to all Data Source pages (as in, pages under the Data Source menu)
  • Debugger — Read-only access to exception stack traces.
  • Designer — Enables Design capabilities (as in, Design link on the Gear toolbar icon). Full access to all WebApp pages (i.e., pages under the WebApps menu).

    NOTE: Designers only have access to modify WebApps to which they have security.

    NOTE: A user who belongs to this WebApp group can use the Show SQL feature to view the SQL for the page. Refer to Show SQL for more information.

  • DesignerPlus — Provides experienced Stewardship Tier users with access to some advanced System Admin setup and configuration tasks.

  • JobMonitoring — Provides users with comprehensive access to Stewardship Tier Monitoring pages.
  • Language — Full access to all language pages (as in, pages under the Translations menu)
  • Search — Full access to all search and index pages (pages under Configuration > Search, Data Sources > Index, Resource > Bulk Duplicate Detection, and Resource > Monitor)
  • Security — Full access to all security pages (as in, pages under the Security menu)
  • Service — Not meant for users, but to assign to Service pages so that the background service can access them.
  • UserManagement — Provides restricted access to security, only allowing access to the pages used to create users and assign them to Application roles.

Target Design

  • PowerUserLite — Enables users to perform all Data Design activities needed to build a data object end to end. It's recommended for use by Migration Developers. Users cannot change any Console or Target Design configuration-related settings and cannot create Waves, Process Areas, or Object
  • ReadOnly — Read-only access to all pages.

Transform

  • ExecutionOnly — Designed to be used by:

    • A user whose role is to only process data objects or

    • Users that are running migration load cycles from within non-development environments.

    • Users in this WebApp group can:

      • Execute Objects, Targets, Sources, Rules and Reports

      • Publish / Unpublish Objects / Targets / Sources and Reports

      • Segment Reports

      • Assign users to reports or report segments

  • ReadOnly – Read-only access to all pages
  • ReportsOnly – Read-only access to pages accessed via Reports and My Reports
  • Service – Ability to run service pages for Transform via Admin > Resources > Service pages