User Roles
There are three user roles available in Toad Intelligence Central: Standard user, Power user, and Administrator. During installation of the Toad Intelligence Central server, the Toad Intelligence Central Administrator (root) user account is created. This account has access to all administrative privileges.
The root Administrator account (or any account with the Administrator role) can grant/edit the role for another user account. This can be done when creating a new account or when editing an existing account.
Review the following role descriptions.
- Administrator—Users with an Administrator role are granted all privileges in the administration of users, groups and objects. They are also granted some server and licensing privileges. The role of the Administrator (root user) cannot be changed.
- Power User—Power users have all the privileges of the Standard user. In addition, Power users can force consumers to take a shared object that is published or managed by the Power user.
- Standard User—All new users are granted the Standard role, by default.
Privileges by Role
Review the following privileges for each role. In particular, all actions performed through the Administration | Server section of the Web Console are available only to users with the Administrator role.
User Management Privileges
The following table lists the user management privileges that are provided by each role. See Manage Users and Groups for more information.
| Privilege/Action | Administrator | Power user | Standard user |
|---|---|---|---|
| Add users. This privilege is configuration dependent. See Configure New User Registration. | Y | configuration dependent | configuration dependent |
| Add groups. This privilege is configuration dependent. See Misc Administrator Activities. | Y | configuration dependent | configuration dependent |
| View users and groups | Y | Y | Y |
| Change a user's role to Administrator, Power user, or Standard user. See Manage Users and Groups. | Y | N | N |
| Change a user's email subscriptions. See Specify User Email Subscriptions. | Y | user's profile only | user's profile only |
| Disable/enable a user | Y | N | N |
| Remove a user | Y | N | N |
| Edit Intelligence Central users | any user | user's profile only | user's profile only |
| Reset the password of Intelligence Central users | any Intelligence Central user | user's password only | user's password only |
| Create Intelligence Central groups | Y | Y | Y |
| Edit/remove Intelligence Central group | any group | groups owned by user | groups owned by user |
| Remove an Active Directory group | Y | N | N |
| Synchronize Active Directory | Y | N | N |
Object Management Privileges
The following table lists the object management privileges that are provided by each role.
| Privilege/Action | Administrator | Power user | Standard user |
|---|---|---|---|
| Publish objects (non-secured folder) | Y | Y | Y |
| Publish objects to a secured folder | Y | folders for which user has publish privilege | folders for which user has publish privilege |
| View objects on Home page and view object details | all objects | objects shared with the user | objects shared with the user |
| View a secured folder and its contents | Y | folders shared with the user | folders shared with the user |
| (View or snapshot) Display the text for the underlying query | Y | objects managed by the user | objects managed by the user |
| (Automation script) Display the detailed execution logs | Y | objects managed by the user | objects managed by the user |
| Edit an object, grant/revoke access rights to the object, lock the object, delete the object, rename the object | all objects | objects managed by the user | objects managed by the user |
| Move an object | all objects | objects managed by the user | objects managed by the user |
| Move a non-secured folder and its contents | Y | folders in which all objects are owned by or managed by the user | folders in which all objects are owned by or managed by the user |
| Move a secured folder and its contents | Y | folders managed by the user | folders managed by the user |
| Create a secured folder. This privilege is configuration dependent. See Configure Server for Folder Security. | configuration dependent | configuration dependent | configuration dependent |
| Delete a folder | Y | folders in which all objects are managed by the user | folders in which all objects are managed by the user |
| Modify authentication key for an object | Y | objects managed by the user | objects managed by the user |
| (View or Automation script) Edit the default value for a variable | Y | objects managed by the user | objects managed by the user |
| (Automation script) Change script run account | Y | objects managed by the user | objects managed by the user |
| Force consumers to take a shared object published or managed by the user | Y | Y | N |
Privileges Based on User-Object Relationship
In addition to granting object manage privileges by user role, manage privileges to an object are also granted based on the user's relationship to the object, for example, the object's publisher. For more information about privileges based on object relationship, see Manager Privileges.
Misc Privileges
Only a user with the Administrator role can view and access the Server page (Administration | Server) in the Web Console. The Server page contains the following miscellaneous features:
- Configure New User Registration
- Synchronize Active Directory
- Download the Misc Administrator Activities
- Configure Misc Administrator Activities
- Enable/disable email notifications on server. See Server Email Notification Settings.
- Enable/disable email notification for a user (subscribe/unsubscribe a user). See Server Email Notification Settings.
- Health Check Dashboard
- Configure Server for Folder Security
| Privilege/Action | Administrator | Power user | Standard user |
|---|---|---|---|
|
View/access Administration | Server |
Y | N | N |
Licensing Privileges
The following table lists the licensing privileges provided by each role. See License Toad Intelligence Central for more information.
| Privilege/Action | Administrator | Power user | Standard user |
|---|---|---|---|
| View licenses | Y | Y | Y |
| Enter new licenses | Y | Y | Y |
| Delete licenses | Y | N | N |
Configure New User Registration
The root Administrator account (or any account with the Administrator role) can place some restrictions on how new users are registered and how accounts are created in Intelligence Central.
Enable/Disable Add Users and Self-Registration
By default anyone can self-register and add users to Toad Intelligence Central. Any user with an Administrator role can disable self-registration.
To enable/disable add users and self-registration
- Use a web browser to log in to Intelligence Central as a user with the Administrator role.
- Select Administration | Server | Permissions.
-
In the New User Registration section, select one of the following options.
Only the Administrator can add users Select this option to allow only users with an Administrator role to add users to Intelligence Central. Anyone can self-register and add users
Select this option to allow anyone to self-register and add users. A pre-existing account on Toad Intelligence Central will not be required when self-registering.
-
Allow browser self-registration—Select this option to allow self-registration through the Intelligence Central Web interface (browser).
This option is enabled by default. Depending on your security requirements, you may choose to disable this ability.
-
For more information about Administrator privileges, see User Roles.
Specify Default User Role
You can specify a default user role for all new accounts. The default role is applied when a new user account is created. Only Administrators can specify a default user role. Administrators can then change the new account's role later.
To specify default user role
- Use a web browser to log in to Intelligence Central as a user with the Administrator role.
- Select Administration | Server | Permissions.
- In the Default user role field, select a role from the drop-down list.
Restrict Registration to Active Directory Users
You can require that new accounts use only Active Directory credentials.
To restrict new accounts to Active Directory users
- Use a web browser to log in to Intelligence Central as a user with the Administrator role.
- Select Administration | Server | Permissions.
- Select New users can register with Active Directory (Windows) credentials only. When selected, only
Active Directory users can be added to Toad Intelligence Central. No new
Intelligence Central users can be added.
Configure New Group Creation
By default anyone can create group, and any user with Administrator role can update this rule.
To specify default user role who can create group
- Use a web browser to log in to Intelligence Central as a user with the Administrator role
- Select Administration | Server | Permissions
- In the New Group Creation section, select a role from the drop-down list
Synchronize Active Directory
When a domain in the Active Directory® forest is synchronized with Intelligence Central, changes to users and groups in the domain are replicated on Intelligence Central. Any user with an Administrator role (User Roles) can manage synchronizing Toad Intelligence Central with Active Directory.
Synchronize status
From a web browser login to Intelligence Central as a user with an Administrator role. Click Administration | Server | Settings.
Table 1: Domains in the Active Directory forest synchronized with Toad Intelligence Central
| Field / Action | Description |
|---|---|
|
Last synchronized |
Show the time the domain was last synchronized with Toad Intelligence Central. If the last attempt was unsuccessful then the error is reported in red. |
|
Edit |
Click to edit the schedule or to show/change the username and password used to connect to the domain. This username/password pair is used to synchronize Toad Intelligence Central with Active Directory. The credentials are saved on Toad Intelligence Central. |
|
Remove |
Click to remove the domain from this list. The users and groups added from this domain will remain on Toad Intelligence Central, but will not be synchronized again. The Active Directory credentials saved on Toad Intelligence Central are removed. |
|
Synch Now |
Click to synchronize Toad Intelligence Central with the domain now. Note that if a Synchronization operation is already in progress then Toad Intelligence Central must wait till that is finished before it can synchronize again. |
Synchronize rules
Changes to users and groups in Active Directory are replicated on Intelligence Central according to the following rules.
Table 2: Synchronization rules
| Active Directory | Toad Intelligence Central |
|---|---|
| User details updated | Update the user details from Active Directory (name and email address). |
| User disabled | Disable the user in Intelligence Central |
|
User deleted |
Delete the user from Intelligence Central if the user is inactive. Inactive users have no published objects, no objects shared with them as an individual and are part of no other group. Otherwise, disable the user in Intelligence Central. This is to ensure that if the user owns any objects that they will be kept. |
| User renamed | Delete or disable the old user in Intelligence Central (as above). A new user account is not automatically created in Toad Intelligence Central. |
| User enabled | Enable the user in Intelligence Central. |
| Group details updated | Update the group details in Intelligence Central (name and description). |
| Group deleted | Remove the group from Intelligence Central. Users in the group who are inactive on Toad Intelligence Central are automatically deleted. Inactive users are users who have no published objects, no objects shared with them and are part of no other group. |
| Group membership updated (User added to the group) | Add the user to the group in Intelligence Central. Create a the new Intelligence Central user account if the user does not already have one. |
| Group membership updated (User removed from the group) | Remove the user from the group in Intelligence Central. Delete the user if the user is inactive. Inactive users have no published objects, no objects shared with them as an individual and are part of no other group. |
Email Notifications
Intelligence Central can send activity reports and error alerts to users for objects they own or manage. A user with the Administrator role can receive an additional report—the Daily or Weekly Digest—that summarizes activities relevant to the Administrator role.
How to Configure Notifications
Email notifications can be enabled or configured on three different levels.
- Server Level—You can enable email service for the server and configure server email settings. Only users with the Administrator role can perform this configuration. See Server Email Notification Settings.
- User Level—You can subscribe individual users to the email notification service. Only users with the Administrator role can perform this configuration. See Server Email Notification Settings.
- Email Notification Level—You can select which email notifications each individual user receives. Users with the Administrator role can configure email notifications for other users. Each user can edit their own profile. See Specify User Email Subscriptions.
Types of Email Notifications
There are four types of email notifications.
- Personal Digest—Provides a summary of activity for the objects a user owns or manages.
- Error Alerts—Sent when an error occurs during script execution or snapshot refresh for objects a user owns or manages. Also available to Administrators.
- Daily Admin Digest—Provides a daily summary of activities relevant to the Administrator role. Available to Administrators only.
- Weekly Admin Digest—Provides a weekly summary of activities relevant to the Administrator role. Available to Administrators only.