
Identity Provider Roles

Identity provider roles define your identity and control authentication and basic platform access. These roles come from Ataccama’s identity provider, which synchronizes with your organization’s identity provider and passes roles to ONE.

We do not recommend creating new identity provider roles in ONE or editing the existing ones. Contact your identity provider admin if any changes are required.

What identity provider roles are for

Identity provider roles serve two purposes:

  • Control platform access: Determine whether a user can log in to ONE and which platform features are available to them.

  • Simplify governance role assignment: Can be mapped to governance roles within groups, so users automatically receive appropriate permissions.

Some platform features require specific identity provider roles, which are assigned in ONE. See Reserved identity provider roles.

How identity provider roles differ from governance roles

Environment admins

During environment setup, environment admin users are designated through the Cloud Portal. These admins are imported into ONE and automatically receive multiple admin roles.

If you need admin-level access, contact your environment admin.

Assign identity provider roles to users

You can assign and remove reserved identity provider roles directly in ONE. Other identity provider roles are assigned in your identity provider or the Ataccama Cloud Portal.

Prerequisites

To edit identity provider roles in ONE, you need the organizationconfig-admin role. Environment admins typically receive this role through the Cloud Portal.

To manage a user’s identity provider roles:

  1. Go to Global Settings > User management > Users.

  2. Select a user to open their details.

  3. Select Assign roles to add roles, or select the X icon next to a role to remove it.

When you assign or remove a role, synchronization between the identity provider and ONE starts automatically and no further action is needed.

If you’ve assigned a role but the user still can’t access the feature, have them log out and log back in.

Reserved identity provider roles

Certain identity provider roles are loaded from the identity provider but are built into the Ataccama platform. In other words, these roles grant you specific capabilities, without which you cannot access a certain module or action.

Most functionality does not need an identity provider role. Access is instead handled using access levels, assigned through stewardship or sharing.

The following roles are built into the Ataccama platform:

| Functionality | Role | Description |
|---|---|---|
| AI Agent and Gen AI features | agent-user, ai-evolution-user | Can use AI features but cannot manage AI settings (such as which tools are allowed). |
| AI Agent and Gen AI features | agent-admin, ai-evolution-admin | Can manage AI settings and use all AI features. |
| Data Observability | dataobservability-admin | Can manage Data Observability settings. |
| Lineage | lss-admin, mde-lineage-admin | Superuser for lineage. |
| Lineage | lss-editor, mde-lineage-editor | Read and write access, can run lineage import. |
| Lineage | lss-viewer, mde-lineage-viewer | Read-only access, can view lineage diagrams. |
| Processing Center | dpm-admin | Can access DPM jobs in the Processing Center. These jobs might contain details that should be available only to admin users. |
| Notifications | notifications-admin | Can manage notification settings. |
