Role Permissions Reference

This topic provides details about each of the permissions that can be applied to roles. These permissions grant access to functionality, i.e., the menus and screens in the Anzo and Administration applications. For example, role permissions determine whether a member of a role can access the Onboard menu and create a new data source or see the Blend menu and create a new graphmart. Whether a member can view, modify, or delete a data source or graphmart artifact that is created by someone else, however, is controlled by the user or group permissions that are applied at the artifact level.

For more information about artifact-level permissions, see Artifact Access Control Concepts. And for more information about roles versus users and groups, see User Management Concepts.

Permissions Overview Screen

To see an overview of the configured permissions for all Anzo roles, open the Permissions page under the User Management menu in the Administration application. The screen displays a table: the heading row lists each role, and the first column lists each permission. The permissions are grouped into categories, such as Application or Onboarding.

The rows for each role column include checkboxes that control permissions. You can select or clear checkboxes to enable or disable permissions for a role.

Permission Descriptions

The tables below list the permissions in each category and describe the pages and menus that are enabled for members of a role where that permission is applied.

The permissions described below give access to functionality in the Anzo and Administration applications. Whether members of the role have view or edit access to certain data sets, models, dashboards, graphmarts, etc. depends on the permissions that are granted at the artifact level.

Default

Permission: Description
Activate Graphmarts: If the user has the appropriate permissions at the Graphmart level, this permission allows them to activate and deactivate the Graphmarts and import Graphmarts into Anzo. Does not give permission to create new Graphmarts or delete Graphmarts.

To be able to access a Graphmart screen in the Anzo application and move the Inactive/Active slider, the Anzo Application permission also needs to be applied.

Browse Dashboards: Gives permission to view existing Dashboards in the Hi-Res Analytics application. Does not give permission to create new Dashboards.
Browse Models: Gives permission to view existing data Models. Applying this permission exposes the Models menu item in the Anzo application. Must also have the Anzo Application permission to access the Anzo application.
Create Dashboards: Gives permission to create Dashboards in the Hi-Res Analytics application. Applying this permission also exposes the Create Dashboard button on the Graphmart screens in the Anzo application when the user has the Anzo Application permission.
Create Graphmarts: Gives permission to create new Graphmarts. Applying this permission exposes the Add Graphmart button on the Graphmarts screen. Must also have the Anzo Application permission to create Graphmarts in the application.
Data on Demand: If the user has the appropriate permissions at the Graphmart level, this permission enables the user to create Data on Demand endpoints. Applying this permission enables the Create New Endpoint button on the Data on Demand tab for Graphmarts. Must also have the Anzo Application permission to access the application.
Manage Graphmarts: Gives permission to manage permissions for Graphmarts. Must also have the Anzo Application permission to access the Graphmart screens.
Manage Models: Gives permission to create and import Models. Must also have the Anzo Application permission to access the Model screen.
Show Query Builder: Gives permission to find data and run SPARQL queries using the Query Builder. Applying this permission exposes the Query Builder option in the Access menu. Must also have the Anzo Application permission.
View Datasets: Gives permission to view the Dataset catalog. Applying this permission exposes the Datasets option in the Blend menu in the Anzo application. Must also have the Anzo Application permission.
View Graphmarts: Gives permission to view the list of existing Graphmarts. Must also have the Anzo Application permission to view the Graphmarts screen in the Anzo application.
View Provenance: Gives permission to view Provenance. Applying this permission exposes the Provenance option in the Anzo application menu. Must also have the Anzo Application permission to access the application.

Data Onboarding

Permission: Description
Create Anzo Data Stores: Gives permission to create Anzo Data Stores. Must also have the Administer System Setup permission to make the Anzo Data Store option available in the Administration application.
Create Data Sources: Gives permission to add new Data Sources. Does not give permission to delete existing Data Sources. Must also have the Anzo Application and Onboard Structured Data permissions to access the Data Sources screen and add new sources.
Manage Dictionaries: Gives permission to view, edit, and create Metadata Dictionaries. Applying this permission exposes the Metadata Hub option in the Onboard menu. Must also have the Anzo Application permission to access the application.
Onboard Structured Data: Gives permission to access the Onboard > Structured Data menu. Must also have the Anzo Application permission.
Onboard Unstructured Data: Gives permission to create Pipelines to onboard Unstructured data. Applying this permission exposes the Onboard > Unstructured Data menu. Must also have the Anzo Application permission.

Application

Permission: Description
Anzo Application: Grants access to the main Anzo application.
Anzo CLI: Gives permission to use the administration command line interface.
Anzo for Excel: Gives permission to open, edit, and create Mappings using the Anzo for Office Excel plugin.
Hi-Res Analytics: Grants access to the Hi-Res Analytics application.

Administration

Permission: Description
Administer System Setup: Gives permission to access the options in the Administration application that are related to system setup, such as Server Settings, Licensing, Anzo Data Store, and Directory server configuration.

The image below shows the view of the Administration menu that users have if Administer System Setup and Anzo Application are the only two applied permissions:

Some menu items in the above image, such as Semantic Services, AnzoGraph, and Anzo Data Store, are also controlled by more granular permissions: Manage Semantic Services, Manage AnzoGraph, and Create Anzo Data Stores. To give an administrator full create, modify, and delete access to those functions, the granular permissions need to be enabled in addition to Administer System Setup.

Anzo Admin: The Anzo Admin permission is a legacy permission that granted access to the Admin application that existed in pre-5.1 versions of Anzo. This permission no longer controls access to administrative functions and will be removed in an upcoming release.
Manage AnzoGraph: Gives permission to view and create AnzoGraph connections.

The image below shows the view of the Administration menu that users have if Manage AnzoGraph and Anzo Application are the only two applied permissions:

Manage AnzoGraph does not give permission to delete connections or change the configuration of an existing connection. Administer System Setup is required to grant permission to delete and change existing AnzoGraph connections.

Manage Certificates: Gives permission to upload and delete server certificates.

The image below shows the view of the Administration menu that users have if Manage Certificates and Anzo Application are the only two applied permissions:

Manage ETL Engines: Gives permission to add new ETL engine connections and delete or change the configuration of existing connections.

The image below shows the view of the Administration menu that users have if Manage ETL Engines and Anzo Application are the only two applied permissions:

Manage File Stores: Gives permission to create new File Store connections and view existing connections.

The image below shows the view of the Administration menu that users have if Manage File Stores and Anzo Application are the only two applied permissions:

Manage File Stores does not grant permission to delete or change existing file store connections. The Administer System Setup permission is required in conjunction with Manage File Stores to be able to delete or edit existing file stores.

Manage Query Blacklists: Gives permission to create and remove queries from the Query Blocklist tab in the System Query Audit Log.

If a user only has the Manage Query Blacklists permission, the Administration menu is not available. Use this permission in conjunction with Administer System Setup to grant access to System Query Audit and the Query Blocklist.

Manage Semantic Services: Gives permission to stop and start Semantic Services from the Semantic Services screen as well as view details about the services and use the Service Builder to generate and run semantic service requests.

If a user only has the Manage Semantic Services permission, the Administration menu is not available. Use this permission in conjunction with Administer System Setup to grant access to the Semantic Services screen.

Manage Users, Groups, and Roles: Gives permission to create, change, and delete Users, Groups, and Roles. A user who has this permission has Admin level access to all Users, Groups, and Roles.

The image below shows the view of the Administration menu that users have if Manage Users, Groups, and Roles and Anzo Application are the only two applied permissions:

Profile Data: Gives permission to Profile data sources, Datasets, and Graphmarts. Applying this permission exposes the Profile Data button on the Data Source, Dataset, and Graphmart screens.
Use Experimental Anzo Features: Grants permission to use experimental Anzo features. Experimental features are recently implemented and may not be reliable for production use.
View Activity Logs: Gives permission to view the Activity Log. Applying this permission exposes the Activity Log icon in the top menu bar of the Anzo and Administration applications. The Anzo Application permission is needed to give access to the Anzo application.
View Log Files: Gives permission to view and download log files from the Log Files tab. Does not grant permission to change logging levels or add new log packages. Use this permission in conjunction with Administer System Setup to grant access to configure log levels and packages.

The image below shows the view of the Administration menu that users have if View Log Files and Anzo Application are the only two applied permissions:
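As an added example (not part of the Anzo documentation or product), the prerequisites described in the tables above can be encoded as a lint over role definitions: it flags grants that are unusable without a companion permission, granular permissions that are widened by Administer System Setup, and the legacy Anzo Admin permission. The `ROLES` export format and the `lint_role` helper are assumptions made for illustration; only the permission names and their relationships come from this page.

```python
ANZO_APP, SYS_SETUP = "Anzo Application", "Administer System Setup"

# Permissions the page says are only usable together with Anzo Application.
_NEED_APP = ("Activate Graphmarts", "Browse Models", "Create Graphmarts", "Data on Demand",
             "Manage Graphmarts", "Manage Models", "Show Query Builder", "View Datasets",
             "View Graphmarts", "View Provenance", "Manage Dictionaries",
             "Onboard Structured Data", "Onboard Unstructured Data")
REQUIRES = {p: {ANZO_APP} for p in _NEED_APP}
REQUIRES.update({
    "Create Data Sources": {ANZO_APP, "Onboard Structured Data"},
    "Create Anzo Data Stores": {SYS_SETUP},
    "Manage Query Blacklists": {SYS_SETUP},
    "Manage Semantic Services": {SYS_SETUP},
})
# Granular permission -> what it additionally allows once Administer System Setup is applied.
WIDENED = {
    "Manage AnzoGraph": "delete and change existing AnzoGraph connections",
    "Manage File Stores": "delete or edit existing file stores",
    "View Log Files": "configure log levels and packages",
}

def lint_role(perms):
    """Return sorted (kind, message) findings for one role's set of permission names."""
    perms, out = set(perms), []
    for p in sorted(perms):
        missing = REQUIRES.get(p, set()) - perms
        if missing:
            out.append(("unusable", f"{p}: also needs {', '.join(sorted(missing))}"))
        if p in WIDENED and SYS_SETUP in perms:
            out.append(("review", f"{p} + {SYS_SETUP}: can {WIDENED[p]}"))
    if "Manage Users, Groups, and Roles" in perms:
        out.append(("review", "Manage Users, Groups, and Roles: Admin level access to all of them"))
    if "Anzo Admin" in perms:
        out.append(("cleanup", "Anzo Admin: legacy permission, no longer controls administrative access"))
    return sorted(out)

# Constructed role export (role name -> applied permissions); not real Anzo output.
ROLES = {
    "Analyst": {ANZO_APP, "View Graphmarts", "Show Query Builder"},
    "Onboarder": {ANZO_APP, "Create Data Sources"},
    "Ops": {ANZO_APP, SYS_SETUP, "Manage File Stores", "Anzo Admin"},
}

if __name__ == "__main__":
    for role, perms in ROLES.items():
        for kind, msg in lint_role(perms):
            print(f"{role:10} {kind:9} {msg}")
```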
