System and organization administrators use a combination of user logins, privileges, permissions, and roles (role-based access control) to manage Data Director users. Role-based access control provides management of users and the tasks that they can perform on objects. You can grant and revoke roles and permissions at the system level, on organizations, and on database groups, databases, and templates within organizations.

Roles are sets of permissions required to perform particular jobs. Jobs are sets of tasks that a user with a particular role is responsible for performing, such as the set of tasks that are the responsibility of a database administrator. System and organization administrators define roles as part of defining security policies, and grant the roles to users. To change the permissions and tasks associated with a particular job, the system or organization administrator updates the role settings. The updated settings take effect for all users associated with the role.

To add a user to a job, the system or organization administrator grants the role to the user.

To remove a user from a job, the system or organization administrator revokes the role from the user. Changes are effective immediately.

Roles apply only to the organization in which they are created. For example, an organization administrator creates a database administrator role that includes permission to add and remove database users, start and stop databases, and perform backups for a specific database in that organization. Users who are granted the database administrator role in that organization can perform database administrator tasks only within that organization.

Organization administrators usually manage role and permission assignments for their organizations. However, any user that has the permission to grant and revoke permissions on an object can grant all permissions on that object to any user or any role. Organization administrators can also grant permissions directly to users.

Each user's login account is unique in the system, and access, roles, and permissions are managed for each user on the basis of that login account. The organization administrator can grant users access to one or more organizations. Within those organizations, each user can be granted multiple roles and permissions.

A user who cannot view or access an object, or cannot perform an operation, has not been granted the permission required to do so.

The following figure illustrates the scope of users and roles in Data Director.

Figure: Scope of users and roles in Data Director

In the figure, user Bob is logged in to Data Director and has been granted access to the system and to the organization Alliance. Bob is also granted the SysAdmin role at the system level, and the DBAdmin role in the organization Alliance. Bob's SysAdmin role applies only at the system level and does not propagate to any organization. The role DBAdmin in organization Alliance and the role DBAdmin in organization Benefits are separate roles that apply only within their own organizations. Bob has the DBAdmin role in the Alliance organization but does not have access to the Benefits organization.
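The scoping rules above, as an added example that is not Data Director code: a small Python model in which roles are keyed by scope, a system-level role does not propagate to organizations, a user needs access to an organization before any role there applies, and grants and revocations take effect on the next check. The AccessModel class, the permission names, and the assumption that organization access is a prerequisite for organization roles are constructed for this illustration.

```python
# Constructed model of the scoping rules described above; not Data Director code.
# Roles are keyed by (scope, role): DBAdmin in Alliance and DBAdmin in Benefits
# are distinct roles, and a system-level role never reaches an organization.
from dataclasses import dataclass, field
SYSTEM = "system"  # the system-level scope; any other scope is an organization name

@dataclass
class AccessModel:
    roles: dict = field(default_factory=dict)          # (scope, role) -> {perm}
    org_access: dict = field(default_factory=dict)     # user -> {org}
    user_roles: dict = field(default_factory=dict)     # (user, scope) -> {role}
    direct_grants: dict = field(default_factory=dict)  # (user, scope) -> {perm}

    def define_role(self, scope, role, perms):
        self.roles[(scope, role)] = set(perms)

    def grant_org_access(self, user, org):
        self.org_access.setdefault(user, set()).add(org)

    def grant_role(self, user, scope, role):
        self.roles[(scope, role)]  # KeyError: a role exists only in the scope that defined it
        self.user_roles.setdefault((user, scope), set()).add(role)

    def revoke_role(self, user, scope, role):
        self.user_roles.get((user, scope), set()).discard(role)  # effective on next check

    def grant_permission(self, user, scope, perm):
        self.direct_grants.setdefault((user, scope), set()).add(perm)

    def effective_permissions(self, user, scope):
        # No access to an organization -> nothing applies there; system roles never propagate.
        if scope != SYSTEM and scope not in self.org_access.get(user, set()):
            return set()
        perms = set(self.direct_grants.get((user, scope), set()))
        for role in self.user_roles.get((user, scope), set()):
            perms |= self.roles[(scope, role)]  # only roles defined in this scope
        return perms

    def has_permission(self, user, scope, perm):
        return perm in self.effective_permissions(user, scope)

def build_figure_scenario():
    m = AccessModel()  # Bob from the figure: SysAdmin at system level, DBAdmin in Alliance only
    m.define_role(SYSTEM, "SysAdmin", {"org.create", "user.manage"})
    for org in ("Alliance", "Benefits"):
        m.define_role(org, "DBAdmin", {"db.start", "db.stop", "db.backup"})
    m.grant_org_access("bob", "Alliance")
    m.grant_role("bob", SYSTEM, "SysAdmin")
    m.grant_role("bob", "Alliance", "DBAdmin")
    return m
```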