Skip to main content

Assigning user roles

User roles provide a set of tenant-level permissions to users, beyond the general permissions granted by the user allocations. User roles let you grant a user a specific role or function in the tenant. Only a tenant administrator can assign roles to users, and this can only be done from the Management Console. User roles are optional and do not need to be assigned to any or all users. For users who have no user role, their permissions are based on their user allocation.

Note: See Assigning user allocations to learn about the different types of user allocation, and see managing managed spaces and managing shared spaces to learn about space-level permissions.

User roles in the Management Console

Admin users with access to the Users section of the Management Console can access the All Users tab. This view shows a list of users that have been added or invited to the tenant. Click the The UI icon showing three dots activate or deactivate the user, to assign and edit user roles, and to revoke mobile access if it has been granted.

View of users section on Management console

What is a user role

A user role is a set of permissions that are granted to a user in addition to the permissions granted to them with their user allocation. User roles are divided into administrator roles and user roles. Users with administrator roles are granted some administrative permissions. Users with user roles have permissions to create specific types of resources. By assigning user roles to users, you can better organize your users and what they can do in the tenant.

You can assign the following roles:

User roles
User role Type Use case Access granted with user role
TenantAdmin Administrator A full tenant administrator. A user with this role has complete access to the Management Console to manage and administer the tenant. Access to Management Console from Launcher
DataAdmin Administrator A partial administrator. A user with this role has access to the Management Console but only to manage data spaces. Access to Management Console from Launcher
SharedSpaceCreator User A user who can create shared spaces. Create space option under Add new button in hub
ManagedSpaceCreator User A user who can create managed spaces. Create space option under Add new button in hub
Developer User A user can generate API keys. API Keys option under User Profile menu
Note: By default, all users with a professional user allocation can create shared spaces. The tenant administrator can turn off this setting in the Management Console. Go to Settings > Entitlements, then toggle off the Professional entitlements can create shared spaces option. All users who obtain the SharedSpaceCreator role as a result of the Professional entitlements can create shared spaces option being turned on retain that role until an admin user manually removes the role.

How user roles interact with user allocation

Users who join the tenant are assigned a user allocation, either professional or analyzer. See Assigning user allocations for more information. User allocations divide users into content consumers and content creators. The user allocation also determines which areas of the tenant are visible to a user. Analyzer users are strictly content consumers, as a result, the Add New button is hidden from their view. Professional users are both content consumers and content creators, which means they have access to the Add New button. This lets them create new resources like apps and spaces. However, user roles provide additional permissions beyond user allocation permissions. For example, an Analyzer user who is assigned a space creator role will gain access to the Add New button to create a space.

Note: When designing your permission structure, provide professional user access to any user who will be assigned a specific user role.

How user roles interact with the data integration subscription

The data integration subscription gives you access to the data integration home, and roles specifically designed for data admins and data spaces.

Assigning user roles

User roles are assigned to users in the Management Console, and only users that have a TenantAdmin role can assign user roles.

Do the following:

  1. In the Management Console, go to the Users section.
  2. Either:
    1. Click the Three dots button on the user row.
    2. Check the box beside the user.
  3. Click Edit roles.
  4. On the User tab, select the user roles you want to assign.
  5. On the Admin tab, select the user roles you want to assign.
  6. Click Save.
Note: If the user is logged in when they are assigned a user role, they must log out and log in again for the user role to be applied.