Role-based access control enables system and organization administrators to control user access to Data Director and to control what users can do after they log in. To implement role-based access control, system and organization administrators grant privileges, permissions, and roles to user login accounts, or revoke them from those accounts.

Users

User logins (users) are unique accounts that enable users to access Data Director. They include a password and identifying information such as name, email address, and phone number. Because user login accounts are unique, system and organization administrators can control each user's access and actions by granting or revoking privileges, permissions, and roles to or from the user's login account.

Users can be active or inactive. Inactive users cannot log in.

Privileges

Privileges control all actions in Data Director. They define the allowable actions within an organization. Privileges apply to particular types of Data Director objects. For example, you can apply the Stop Database privilege to organizations, database groups, and databases and apply the Create Database privilege to organizations and database groups. Privileges by themselves are not associated with specific objects within an organization.

Permissions

Permissions associate a user and privilege pair with an object in Data Director. Examples are granting a user permission to start or stop a specific database, to modify an organization's backup templates, or to create other users in an organization.

You can grant permissions to users by assigning a role to a user, or by granting permissions directly to the user.

Roles

Roles are collections of permissions that can be associated with or granted to users. Roles provide a convenient way to package all the permissions required to perform a job, such as that of database administrator. Roles apply only to the entity in which they are created. If you create a role at the system level, it applies only to the system. If you create a role in an organization, it applies only to the organization. Organizations have no visibility into each other's roles. If two organizations in the same Data Director data cloud each have a role that has the same name, those roles are distinct within each organization.

One user can have multiple roles within an organization. Users can have access to multiple organizations and can have multiple roles in each organization.

A user can have different roles for different objects. For example, if you have two database groups in your organization, DBG1 and DBG2, you can grant the Database Admin role to a particular user on DBG1 and grant that user the DB User role on DBG2. These assignments might allow the user to perform administrative tasks in DBG1, but not in DBG2.
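
The following sketch is an added example, not Data Director code or its API: it models the concepts above as a default-deny check, with the DBG1 and DBG2 assignment from the last paragraph. It assumes a role can be represented as a named set of privileges; the user alice, the organizations OrgA and OrgB, the objects db1 and DBG9, and the contents of each role are constructed for illustration.

```python
from dataclasses import dataclass, field

# Object types each privilege applies to (the two privileges named above).
APPLIES_TO = {
    "Stop Database": {"organization", "database group", "database"},
    "Create Database": {"organization", "database group"},
}

@dataclass
class AccessModel:
    active: dict = field(default_factory=dict)     # user -> bool
    objects: dict = field(default_factory=dict)    # object -> (owning entity, type)
    roles: dict = field(default_factory=dict)      # (entity, role name) -> privileges
    permissions: set = field(default_factory=set)  # (user, privilege, object)

    def grant(self, user, privilege, obj):
        """Direct grant: bind a user and privilege pair to one object."""
        obj_type = self.objects[obj][1]
        if obj_type not in APPLIES_TO[privilege]:
            raise ValueError(f"{privilege!r} does not apply to a {obj_type}")
        self.permissions.add((user, privilege, obj))

    def grant_role(self, user, entity, role, obj):
        """Grant a role on one object; the role must belong to the object's entity."""
        if self.objects[obj][0] != entity:
            raise ValueError(f"role {role!r} of {entity} is not usable on {obj}")
        for privilege in self.roles[(entity, role)]:
            self.grant(user, privilege, obj)

    def is_allowed(self, user, privilege, obj):
        """Default deny: inactive or unknown users and ungranted triples fail."""
        return self.active.get(user, False) and (user, privilege, obj) in self.permissions

def build_example():
    """Constructed data: two organizations that each define a 'Database Admin' role."""
    m = AccessModel()
    m.active = {"alice": True}
    m.objects = {"DBG1": ("OrgA", "database group"), "DBG2": ("OrgA", "database group"),
                 "db1": ("OrgA", "database"), "DBG9": ("OrgB", "database group")}
    m.roles = {("OrgA", "Database Admin"): {"Stop Database", "Create Database"},
               ("OrgA", "DB User"): {"Stop Database"},
               ("OrgB", "Database Admin"): {"Stop Database"}}
    m.grant_role("alice", "OrgA", "Database Admin", "DBG1")
    m.grant_role("alice", "OrgA", "DB User", "DBG2")
    return m

if __name__ == "__main__":
    m = build_example()
    print(m.is_allowed("alice", "Create Database", "DBG1"),
          m.is_allowed("alice", "Create Database", "DBG2"))
```

Keying roles by (entity, name) keeps the two same-named Database Admin roles distinct, and deactivating the user denies every check without touching the stored permissions.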