About permissions for administrative roles

  • Article

Planning Server includes four predefined administrative roles. Each role enables its members to perform a specific set of tasks within a specific scope. Although all administrators can perform tasks in Planning Business Modeler, its primary users are members of the Data Administrator and Modeler roles.

The following table provides a high-level description of the administrative roles. Users who belong to multiple administrative roles can perform all tasks that are associated with each role.

Role

Main Tasks in Business Modeler

Scope

Global Administrator

Create and delete applications and model sites.

NoteNote:

To open a model site and use Planning Business Modeler, members of the Global Administrator role must also belong to another administrative role.

System

Modeler

Create and manage data and workflow processes.

Application or Model site

Data Administrator

Create and manage data and workflow processes. Perform data integration tasks.

Application or Model site

User Administrator

Manage users.

Application or Model site

About administrative roles

In Planning Business Modeler, the availability of tasks is based on the administrative role to which you belong and the scope of the role.

The scope of administrative roles

The Global Administrator role has a system-wide scope. The other administrative roles have either an application scope or a model-site scope.

  • At the application level, a user in the Modeler, Data Administrator, or User Administrator role has permissions for all model sites in the application.

  • At the model-site level, a user in the Modeler, Data Administrator, or User Administrator role has permissions only for the specific model site.

Global Administrator

A user who belongs to the Global Administrator role cannot connect to a server in Planning Business Modeler unless he or she also belongs to another administrative role. The only exception is to create the first application on Planning Server. A user who belongs only to the Global Administrator role can open Planning Business Modeler to create the first application.

Warning

Because of the potential for database errors when you use a multiple-server environment, we recommend that all Global Administrator tasks are performed in the Planning Administration Console.

Members of the Global Administrator role can perform the following tasks in Planning Business Modeler:

  • Create or delete applications and model sites.

  • Add users to or remove users from the User Administrator role for the model site.

Modeler

Typically, members of the Modeler role have both the technical and business expertise to perform modeling tasks. Members of the Modeler role can perform the following tasks in Planning Business Modeler within their scope (application or model site):

  • Create, modify, or delete models, dimensions, and member sets.

  • Deploy models and model sites.

  • Create, modify, or delete assumptions.

  • Create, modify, or delete cycles, workflow assignments, and calendars.

  • Create, modify, or delete associations.

  • Create, modify, delete, or run rules.

  • Create, modify, delete, or run jobs. However, they cannot run Data Load, Data Export, or Data Movement jobs.

  • Create, modify, or delete business roles within their scope. However, only members of the User Administrator role can manage role membership.

Users who are assigned to the Modeler role have unrestricted Read and Write access to all business data within their scope. This is true even if they belong to a business role that has restricted settings.

Data Administrator

Members of the Data Administrator role use Planning Business Modeler as the primary tool for data integration tasks. Members of the Data Administrator role can perform all Modeler role tasks and also the following tasks:

  • Run, synchronize, or load associations.

  • Run Data Load, Data Export, or Data Movement jobs.

  • Synchronize data to and load data from the application or staging database. Planning Business Modeler uses the PerformancePoint Service Identity (SI) account to perform data integration tasks on a staging or application database. This account must have explicit permissions to the Microsoft SQL Server 2005 database.

Users who are assigned to the Data Administrator role have unrestricted Read and Write access to all business data within their scope. This is true even if they belong to a business role that has restricted settings.

User Administrator

Typically, members of the User Administrator role are executive administrators and business analysts. Members of the User Administrator role can do the following tasks in Planning Business Modeler:

  • Assign users to and remove users from Data Administrator, Modeler, and User Administrator roles that have a model site scope.

  • Assign users to or remove users from business roles in the model site.

  • Edit user permissions for a member set in the model site. This feature must first be enabled by a member of the Data Administrator or Modeler role.

For more information, see the Add users to or remove users from a business role, Add users to or remove users from an administrative role, and Edit user permissions in a business role topics.

Tasks that administrators can perform in Planning Business Modeler

The following table lists each workspace in Planning Business Modeler and the range of tasks that members of each administrative role can perform in the workspace. Users who belong to multiple administrative roles can perform all tasks that are associated with each role. In Planning Business Modeler, the scope of the role affects whether some tasks are available to members of the Data Administrator and Modeler roles. The scope can be either for an application (which includes all model sites in the application) or for a specific model site.

Workspace

Global Administrator

Modeler

Data Administrator

User Administrator

Site Summary

Create and delete applications and model subsites

NoteNote:

To open a model site and use Planning Business Modeler, members of the Global Administrator role must also belong to another administrative role.

All (within scope), except create and delete applications and model subsites

All (within scope), except create and delete applications and model subsites

None

Models

None

All (within scope), except synchronize models to the staging area and load models from the staging area

All (within scope)

None

Dimensions

None

All (within scope), except synchronize dimensions to the staging area and load dimensions from the staging area

All (within scope)

None

Forms and Reports

None

All (within scope)

All (within scope)

None

Process Management

None

All (within scope), except run Data Load, Data Export, or Data Movement jobs

All (within scope)

None

Security and Roles

Manage User Administrator membership for the model site

NoteNote:

To open a model site and use Planning Business Modeler, members of the Global Administrator role must also belong to another administrative role.

All, except manage role membership and edit user permissions for member sets

All, except manage role membership and edit user permissions for member sets

Manage membership for administrative and business roles for the model site, and edit user permissions for a member set in the model site

Associations

None

All (within scope), except run associations

All (within scope). Must have Data Administrator permissions on both source and target model sites to run associations.

None

See Also

Concepts

An administrative role scenario

Other Resources

About user-defined business roles