Role Permissions Reference
This topic provides details about each of the permissions that can be applied to roles. These permissions grant access to functionality, i.e., the menus and screens in the Anzo and Administration applications. For example, role permissions determine whether a member of a role can access the Onboard menu and create a new data source or see the Blend menu and create a new graphmart. Whether a member can view, modify, or delete a data source or graphmart artifact that is created by someone else, however, is controlled by the user or group permissions that are applied at the artifact level.
For more information about artifact-level permissions, see Artifact Access Control Concepts. And for more information about roles versus users and groups, see User Management Concepts.
Permissions Screen
To view an overview of the configured permissions for all Anzo roles, you can view the Permissions page under the User Management menu in the Administration application. The screen displays a table; the heading row lists each role, and the first column lists each permission. The permissions are grouped into categories, such as Application or Data Onboarding. For example:
The rows for each role column include checkboxes that control permissions. You can select or clear checkboxes to enable or disable permissions for a role.
Permission Descriptions
The tables below list the permissions in each category and describe the pages and menus that are enabled for members of a role where that permission is applied.
The permissions described below give access to functionality in the Anzo and Administration applications. Whether members of the role have view or edit access to certain datasets, models, dashboards, graphmarts, etc. depends on the permissions that are granted at the artifact level.
Default
| Permission | Description |
|---|---|
| Activate Graphmarts | If the user has the appropriate permissions at the graphmart level, this permission allows them to activate and deactivate graphmarts and import graphmarts into Anzo. Does not give permission to create new graphmarts or delete graphmarts. To be able to access a Graphmart screen in the Anzo application and move the Inactive → Active slider, the Anzo Application permission also needs to be applied. |
| Browse Dashboards | Gives permission to view existing dashboards in the Hi-Res Analytics application. Does not give permission to create new dashboards. |
| Browse Models | Gives permission to view existing data models. Applying this permission exposes the Models menu item in the Anzo application. Must also have the Anzo Application permission to access the Anzo application. |
| Create Dashboards | Gives permission to create dashboards in the Hi-Res Analytics application. Applying this permission also exposes the Create Dashboard button on the Graphmart screens in the Anzo application when the user has the Anzo Application permission. |
| Create Graphmarts | Gives permission to create new graphmarts. Applying this permission exposes the Add Graphmart button on the Graphmarts screen. Must also have the Anzo Application permission to create graphmarts in the application. |
| Data on Demand | If the user has the appropriate permissions at the graphmart level, this permission enables the user to create Data on Demand endpoints. Applying this permission enables the Create New Endpoint button on the Data on Demand tab for graphmarts. Must also have the Anzo Application permission to access the application. |
| Import Artifacts | Gives permission to perform Import operations from the Anzo application. If a user is a member of a role that has Import Artifact assigned, they will see the Import option in the menu when they click the Add button to add a data source, dataset, model, etc. Must also have the Anzo Application permission. |
| Manage Graphmarts | Gives permission to manage permissions for graphmarts. Must also have the Anzo Application permission to access the graphmart screens. |
| Manage Models | Gives permission to create and import models. Must also have the Anzo Application permission to access the Model screen. |
| Rest API | Gives permission to send requests via the Anzo REST API. |
| Show Query Builder | Gives permission to find data and run SPARQL queries using the Query Builder. Applying this permission exposes the Query Builder option in the Access menu. Must also have the Anzo Application permission. |
| View Datasets | Gives permission to view the Datasets catalog. Applying this permission exposes the Datasets option in the Blend menu in the Anzo application. Must also have the Anzo Application permission. |
| View Graphmarts | Gives permission to view the list of existing graphmarts. Must also have the Anzo Application permission to view the Graphmarts screen in the Anzo application. |
Administration
| Permission | Description |
|---|---|
| Administer System Setup | Gives permission to access the options in the Administration application that are related to system setup, such as Server Settings, Licensing, Anzo Data Store, and Directory server configuration. The image below shows the view of the Administration menu that users have if Administer System Setup and Anzo Application are the only two applied permissions:
Some menu items in the above image, such as Semantic Services, AnzoGraph, and Anzo Data Store, are also controlled by more granular permissions: Manage Semantic Services, Manage AnzoGraph, and Create Anzo Data Stores. To give an administrator full create, modify, and delete access to those functions, the granular permissions need to be enabled in addition to Administer System Setup. |
| Batch Direct Data Loading | Gives permission to create a graphmart from multiple data sources at once when ingesting sources via graphmarts. For more information, see Onboarding Data with the Automated Workflow. |
| Manage AnzoGraph | Gives permission to view and create AnzoGraph connections. Does not give permission to delete connections or change the configuration of an existing connection. Administer System Setup is required to grant permission to delete and change existing AnzoGraph connections. |
| Manage Certificates | Gives permission to upload and delete server certificates. |
| Manage File Stores | Gives permission to create new File Store connections and view existing connections. Does not grant permission to delete or change existing file store connections. The Administer System Setup permission is required in conjunction with Manage File Stores to be able to delete or edit existing file stores. |
| Manage Query Blocklists | Gives permission to create and remove queries from the Query Blocklist tab in the System Query Audit Log. If a user only has the Manage Query Blocklist permission, the Administration menu is not available. Use this permission in conjunction with Administer System Setup to grant access to System Query Audit and the Query Blocklist. |
| Manage Semantic Services | Gives permission to stop and start semantic services from the Semantic Services screen as well as view details about the services and use the Service Builder to generate and run semantic service requests. If a user only has the Manage Semantic Services permission, the Administration menu is not available. Use this permission in conjunction with Administer System Setup to grant access to the Semantic Services screen. |
| Manage Users, Groups, and Roles | Gives permission to create, change, and delete users, groups, and roles. A user who has this permission has Admin level access to all users, groups, and roles. |
| Profile Data | Gives permission to profile datasets and graphmarts. Applying this permission exposes the Profile Data button on the Dataset and Graphmart screens. |
| Use Experimental Anzo Features | Grants permission use experimental Anzo features. Experimental features are recently implemented and may not be reliable for production use. |
| View Activity Logs | Gives permission to view the Activity Log. Applying this permission exposes the Activity Log icon ( ) in the top menu bar of the Anzo and Administration applications. The Anzo Application permission is needed to give access to the Anzo application. |
| View Log Files | Gives permission to view and download log files from the Log Files tab. Does not grant permission to change logging levels or add new log packages. Use this permission in conjunction with Administer System Setup to grant access to configure log levels and packages. |
Application
| Permission | Description |
|---|---|
| Anzo Application | Grants access to the main Anzo application. |
| Anzo CLI | Gives permission to use the administration command line interface. |
| Hi-Res Analytics | Grants access to the Hi-Res Analytics application. |
Data Onboarding
| Permission | Description |
|---|---|
| Create Anzo Data Stores | Gives permission to create Anzo Data Stores. Must also have the Administer System Setup permission to make the Anzo Data Store option available in the Administration application. |
| Create Data Sources | Gives permission to add new data sources. Does not give permission to delete existing sources. Must also have the Anzo Application and Onboard Structured Data permissions to access the Data Sources screen and add new sources. |
| Onboard Structured Data | Gives permission to access the Onboard > Structured Data menu. Must also have the Anzo Application permission. |
| Onboard Unstructured Data | Gives permission to create pipelines to onboard unstructured data. Applying this permission exposes the Onboard > Unstructured Data menu. Must also have the Anzo Application permission. |
Migration
| Permission | Description |
|---|---|
| Manage Migration Packages | Gives permission to create, export, and import migration packages that include artifacts the user has access to. |
| Perform Migration Package Operations As Sysadmin | Gives permission to create, export, and import migration packages with sysadmin privileges. That means the package can include artifacts the user may not otherwise have permission to access. |