Skip to main content

This documentation is for an older version of this product. See the latest version of this content.Opens in a new tab

Supply Chain Security Roles

Supply Chain Orchestrator manages authorization via role-based access control. The default roles are automatically updated upon upgrade, so do not customize them; instead create your own roles.

Note:

These roles are available in Supply Chain Framework v1.1.0 and later.

Default Roles for User Accounts

The following roles are meant to be used in defining user accounts:

SC_Business_User

This role is for business users, who need read only access to data and analytics.

This role provides the following privileges:

  • %DB_IRISLIB:R

  • %DB_IRISLOCALDATA:R

  • %DB_IRISTEMP:R

  • %DB_SC:R

  • %DeepSee_Analyzer:U

  • %DeepSee_Architect:U

  • %DeepSee_ListingGroup:U

  • %DeepSee_Portal:U

  • %Service_SQL:U

  • SC_Data_Model_API:R

  • SC_Data_API:RU

SC_Data_Analyst

This role is for data analysts, who need to define cubes, KPIs, and business processes.

This role provides the following privileges:

  • %DB_SC:RW

  • %DeepSee_Analyzer:U

  • %DeepSee_AnalyzerEdit:U

  • %DeepSee_Architect:U

  • %DeepSee_ListingGroup:U

  • %DeepSee_Portal:U

  • %DeepSee_ReportBuilder:U

  • %Service_SQL:U

  • SC_Data_Model_API:R

  • SC_Data_API:RWU

SC_InterOp_Dev

This role is for interoperability developers, who need to write code, create DTLs and BPLs, and perform other activities to define productions. They may also need to import data into the supply chain tables.

This role includes the following privileges:

  • %DB_SC:RW

  • %Service_SQL:U

  • SC_Data_API:RWU

  • %DB_IRISLIB:R

  • %DB_IRISLOCALDATA:R

  • %DB_IRISTEMP:R

  • SC_Data_Model_API:R

  • SC_Data_API:RWU

  • SC_BI_API:RWU

  • %Ens_Alerts

  • %Ens_Code

  • %Ens_DTL

  • %Ens_DTLTest

  • %Ens_Dashboard

  • %Ens_EDISchema

  • %Ens_EDISchemaAnnotations

  • %Ens_ITK

  • %Ens_Jobs

  • %Ens_LookupTables

  • %Ens_MessageContent

  • %Ens_MessageDiscard

  • %Ens_MessageEditResend

  • %Ens_MessageSuspend

  • %Ens_MsgBank_MessageEditResend

  • %Ens_Portal:U

  • %Ens_ProductionConfig

  • %Ens_ProductionDocumentation

  • %Ens_PubSub

  • %Ens_Purge

  • %Ens_Queues

  • %Ens_RuleLog

  • %Ens_Rules

  • %Ens_TestingService

  • %Ens_ViewFileSystem

  • %Ens_WorkflowConfig

SC_Data_Architect

This role is for data architects, and includes privileges of the data analyst but also permits modifying and creating data objects. Data architects customize supply chain database schemas, create custom objects, import data into supply chain tables, and create cubes, analytics, and KPIs.

This role includes the following privileges:

  • %DB_SC:RW

  • %Service_SQL:U

  • SC_Data_Model_API:RWU

  • SC_Data_API:RWU

  • %DB_IRISLIB:R

  • %DB_IRISLOCALDATA:R

  • %DB_IRISTEMP:R

  • %DeepSee_Analyzer:U

  • %DeepSee_AnalyzerEdit:U

  • %DeepSee_Architect:U

  • %DeepSee_ListingGroup:U

  • %DeepSee_Portal:U

  • %DeepSee_ReportBuilder:U

  • SC_Data_API:RWU

  • SC_BI_API:RWU

SC_Developer

This role is for application developers, who develop for the supply chain system end to end.

This role includes all the privileges of SC_Data_Architect and all the privileges of SC_InterOp_Dev, as listed previously.

SC_Sys_Admin

This role is for administrators of Supply Chain Orchestrator. These users manage users, manage scheduled tasks, and manage the backup and mirroring of the servers.

This role includes the following privileges:

  • %DB_IRISLIB:R

  • %DB_IRISLOCALDATA:R

  • %DB_IRISTEMP:R

  • %DB_SC:R

This role also grants the role %Manager.

Default Roles for Service Accounts

The following additional roles are meant to be used only in defining service accounts, rather than actual users of the system:

SC_API_RO

This role is meant for service accounts that need read-only access to data via APIs.

This role includes the following privileges:

  • %DB_SC:R

  • %Service_SQL:U

  • SC_BI_API:U

  • SC_Data_Model_API:R

  • SC_Data_API:U

  • %DB_IRISLIB:R

  • %DB_IRISLOCALDATA:R

  • %DB_IRISTEMP:R

SC_API_CRUD

This role is meant for service accounts that need CRUD access to data via APIs.

This role includes the following privileges:

  • %DB_SC:RW

  • %Service_SQL:U

  • SC_BI_API:U

  • SC_Data_Model_API:R

  • SC_Data_API:RWU

  • %DB_IRISLIB:R

  • %DB_IRISLOCALDATA:R

  • %DB_IRISTEMP:RW

SC_API_Datamodel_Admin

This role is meant for service accounts that need to customize the data model, via API calls. As an example, use this for an automated data mapper.

This role includes the following privileges:

  • %Service_SQL:U

  • SC_Data_Model_API:RWU

  • SC_Data_API:RWU

  • %DB_IRISLIB:R

  • %DB_IRISLOCALDATA:R

  • %DB_IRISTEMP:RW

  • %DB_SC:RW

SC_API_Analytics

This role is meant for service accounts that need to query analytics results, via API calls. For example, use this to support dashboards in third-party software.

This role includes the following privileges:

  • DB_IRISLIB:R

  • %DB_IRISLOCALDATA:R

  • %DB_IRISTEMP:RW

  • %DB_SC:RW

  • %Development:U

  • %DocDB_Admin:U

  • %Service_Console:U

  • %Service_DocDB:U

  • %Service_Native:U

  • %Service_Object:U

  • %Service_SQL:U

  • %Service_Telnet:U

  • %Service_Terminal:U

  • %Service_WebGateway:U

  • %System_CallOut:U

Creating Custom Roles

To create a custom role based on a default role, use the following conventions:

  • The name of the role should not start with SC_.

  • The custom role should add the desired default role as a granted role.

  • The role can add additional privileges.

See Also


Previous sectionAPI Reference
FeedbackOpens in a new tab