Supply Chain Security Roles

InterSystems Supply Chain Orchestrator™ manages authorization via role-based access control. It provides a default set of roles for use in each supply chain namespace; the role names include the namespace name. For example, the role listed below as SC_namespace_Business_User would be SC_TEST_Business_User for the namespace TEST.

These default roles are automatically updated upon upgrade, so do not customize them; instead create your own roles.

Default Roles for User Accounts

The following roles are meant to be used in defining user accounts:

SC_namespace_Business_User

This role is for business users, who need read-only access to data and analytics.

This role provides the following privileges:

  • %DB_IRISLOCALDATA:R

  • %DB_IRISTEMP:RW

  • database_resource:RW where database_resource is the name of the resource that protects the globals database for this namespace

  • %Service_SQL:U

  • SC_BI_API:RWU

  • SC_Data_API:R

This role has SELECT privileges for tables in the following SQL schemas: App, SC_BP, SC_Core_BP*, SC_Core_Data_Internal, SC_Data, SC_Core_Migrations, SC_Core_Metrics, SC_Core_Analytics*, and Ens_Workflow.

SC_namespace_Data_Analyst

This role is for data analysts, who need to define cubes, KPIs, and business processes.

This role provides the following privileges:

  • %Admin_Operate:U

  • %DB_IRISTEMP:RW

  • database_resource:RW where database_resource is the name of the resource that protects the globals database for this namespace

  • %DeepSee_Analyzer:U

  • %DeepSee_AnalyzerEdit:U

  • %DeepSee_Architect:U

  • %DeepSee_ListingGroup:U

  • %DeepSee_Portal:U

  • %DeepSee_ReportBuilder:U

  • %Development:U

  • %Service_SQL:U

  • SC_BI_API:RWU

  • SC_Data_SQL

This role has SELECT privileges for tables in the following SQL schemas: App, SC_BP, SC_Core_BP*, SC_Core_Data_Internal, SC_Data, SC_Core_Migrations, SC_Core_Metrics, SC_Core_Analytics*, and Ens_Workflow.

SC_namespace_InterOp_Dev

This role is for interoperability developers, who need to write code, create DTLs and BPLs, and perform other activities to define productions. They may also need to import data into the supply chain tables.

This role includes the following privileges:

  • %Admin_Operate:U

  • %DB_IRISLOCALDATA:R

  • %DB_IRISTEMP:RW

  • database_resource:RW where database_resource is the name of the resource that protects the globals database for this namespace

  • %Development:U

  • %Service_SQL:U

  • SC_BI_API:RWU

  • SC_Data_SQL

  • SC_Data_API:RWU

  • SC_Data_Model_API:R

Granted roles: %EnsRole_Administrator, %EnsRole_Monitor, %EnsRole_WebDeveloper

This role has SELECT privileges for tables in the following schemas: App, SC_BP, SC_Core_BP*, SC_Core_Migrations, and SC_Core_Metrics.

This role has SELECT, UPDATE, INSERT, and DELETE privileges for tables in the following schemas: SC_Core_Data_Internal and SC_Data.

SC_namespace_Data_Architect

This role is for data architects. It includes the privileges of the data analyst and also permits modifying and creating data objects. Data architects customize supply chain database schemas, create custom objects, import data into supply chain tables, and create cubes, analytics, and KPIs.

This role includes the following privileges:

  • %Admin_Operate:U

  • %DB_IRISLOCALDATA:R

  • %DB_IRISTEMP:RW

  • database_resource:RW where database_resource is the name of the resource that protects the globals database for this namespace

  • %DeepSee_Analyzer:U

  • %DeepSee_AnalyzerEdit:U

  • %DeepSee_Architect:U

  • %DeepSee_ListingGroup:U

  • %DeepSee_Portal:U

  • %DeepSee_ReportBuilder:U

  • %Development:U

  • %Service_SQL:U

Granted roles: %EnsRole_Administrator, %EnsRole_Monitor, %EnsRole_WebDeveloper

This role has SELECT privileges for tables in the following schemas: App, SC_BP, SC_Core_BP*, SC_Core_Data_Internal, SC_Data, SC_Core_Migrations, SC_Core_Metrics, and SC_Core_Analytics*.

SC_namespace_Developer

This role is for application developers, who develop for the supply chain system end to end.

This role includes the following privileges:

  • %Admin_Operate:U

  • %DB_IRISLOCALDATA:R

  • %DB_IRISTEMP:RW

  • database_resource:RW where database_resource is the name of the resource that protects the globals database for this namespace

  • %DeepSee_Admin:U

  • %DeepSee_Analyzer:U

  • %DeepSee_AnalyzerEdit:U

  • %DeepSee_Architect:U

  • %DeepSee_ArchitectEdit:U

  • %DeepSee_ListingGroup:U

  • %DeepSee_ListingGroupEdit:U

  • %Development:U

  • %Service_SQL:U

Granted roles: %EnsRole_Administrator, %EnsRole_Monitor, %EnsRole_WebDeveloper

This role has SELECT privileges for tables in the following schemas: App, SC_BP, SC_Core_BP*, SC_Core_Migrations, SC_Core_Metrics, and SC_CORE_Analytics*.

This role has SELECT, UPDATE, INSERT, and DELETE privileges for tables in the following schemas: SC_Core_Data_Internal and SC_Data.

SC_namespace_Sys_Admin

This role is for administrators of Supply Chain Orchestrator. These users manage users, manage scheduled tasks, and manage the backup and mirroring of the servers.

This role includes the following privileges:

  • %DB_IRISLOCALDATA:R

  • %DB_IRISTEMP:R

  • database_resource:R where database_resource is the name of the resource that protects the globals database for this namespace

This role also grants the role %Manager.

Default Roles for Service Accounts

The following additional roles are meant to be used only in defining service accounts, rather than actual users of the system:

SC_namespace_API_RO

This role is meant for service accounts that need read-only access to data via APIs.

This role includes the following privileges:

  • %DB_IRISLOCALDATA:R

  • %DB_IRISTEMP:R

  • database_resource:R where database_resource is the name of the resource that protects the globals database for this namespace

  • %Service_SQL:U

  • SC_Data_API:U

  • SC_Data_Model_API:R

In addition, this role has SELECT privileges for tables in the App schema.

SC_namespace_API_CRUD

This role is meant for service accounts that need CRUD access to data via APIs.

This role includes the following privileges:

  • %DB_IRISLOCALDATA:R

  • %DB_IRISTEMP:RW

  • database_resource:RW where database_resource is the name of the resource that protects the globals database for this namespace

  • %Service_SQL:U

  • SC_Data_API:RWU

  • SC_Data_Model_API:R

In addition, this role has SELECT privileges for tables in the App schema.

SC_namespace_API_Datamodel_Admin

This role is meant for service accounts that need to customize the data model via API calls. As an example, use this for an automated data mapper.

This role includes the following privileges:

  • %DB_IRISLOCALDATA:R

  • %DB_IRISTEMP:RW

  • database_resource:RW where database_resource is the name of the resource that protects the globals database for this namespace

  • %Service_SQL:U

  • SC_Data_Model_API:RWU

In addition, this role has SELECT privileges for tables in the App schema.

SC_namespace_API_Analytics

This role is meant for service accounts that need to query analytics results via API calls. For example, use this to support dashboards in third-party software.

This role includes the following privileges:

  • %DB_IRISLOCALDATA:R

  • %DB_IRISTEMP:RW

  • database_resource:R where database_resource is the name of the resource that protects the globals database for this namespace

  • %DeepSee_Analyzer:U

  • %DeepSee_AnalyzerEdit:U

  • %DeepSee_Architect:U

  • %DeepSee_ListingGroup:U

  • %DeepSee_ReportBuilder:U

  • %Service_SQL:U

  • SC_BI_API:RWU

  • SC_Data_Model_API:R

In addition, this role has SELECT privileges for tables in the App schema.

SC_API_CloudService

This role is meant for cloud services that connect to Supply Chain Orchestrator.

This role includes the following privileges:

  • %Admin_Secure:U

  • %DB_IRISLOCALDATA:R

  • %DB_IRISTEMP:RW

  • database_resource:R where database_resource is the name of the resource that protects the globals database for this namespace

  • %Service_SQL:U

  • SC_Cloud_Service_API:RWU

In addition, this role has SELECT privileges for tables in the App schema, as well as SELECT, INSERT, UPDATE, and DELETE privileges for tables in the SC_Core_Data_Internal.CloudService schema.

Creating Custom Roles

To create a custom role based on a default role, use the following conventions:

  • The name of the role should not start with SC_.

  • The custom role should add the desired default role as a granted role.

  • The role can add additional privileges.
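
The conventions above, written as InterSystems SQL statements. This is an added example, not code from the InterSystems documentation. It assumes the namespace TEST used earlier on this page; the role name Acme_TEST_Report_User, the schema Acme_Reports, and the user jsmith are hypothetical.

```sql
-- Added example; run in the TEST namespace by an account allowed to manage roles.
-- Acme_TEST_Report_User, Acme_Reports and jsmith are hypothetical names.

-- 1. Name the custom role so that it does not start with SC_.
CREATE ROLE Acme_TEST_Report_User;

-- 2. Add the default role as a granted role instead of editing it.
GRANT SC_TEST_Business_User TO Acme_TEST_Report_User;

-- 3. Add the additional privilege to the custom role only.
GRANT SELECT ON SCHEMA Acme_Reports TO Acme_TEST_Report_User;

-- 4. Assign the custom role to the account.
GRANT Acme_TEST_Report_User TO jsmith;

-- Not this: the default roles are automatically updated upon upgrade.
-- GRANT SELECT ON SCHEMA Acme_Reports TO SC_TEST_Business_User;
```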
