Informatica Admin Guide (Version 10.2.1)

The document is the Informatica Administrator Reference Guide for Enterprise Data Catalog version 10.2.1, published in May 2018. It contains legal notices, copyright information, and disclaimers regarding the software and documentation, emphasizing that they are provided 'as is' without warranties. The guide also outlines the terms and conditions for various software components included in the product.

Uploaded by

raghava786786

Informatica®

10.2.1

Informatica Administrator
Reference Guide for
Enterprise Data Catalog
Informatica Administrator Reference Guide for Enterprise Data Catalog
10.2.1
May 2018
© Copyright Informatica LLC 2015, 2018

This software and documentation are provided only under a separate license agreement containing restrictions on use and disclosure. No part of this document may be
reproduced or transmitted in any form, by any means (electronic, photocopying, recording or otherwise) without prior consent of Informatica LLC.

Informatica and the Informatica logo are trademarks or registered trademarks of Informatica LLC in the United States and many jurisdictions throughout the world. A
current list of Informatica trademarks is available on the web at https://www.informatica.com/trademarks.html. Other company and product names may be trade
names or trademarks of their respective owners.

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial
computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such,
the use, duplication, disclosure, modification, and adaptation is subject to the restrictions and license terms set forth in the applicable Government contract, and, to the
extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License.

Portions of this software and/or documentation are subject to copyright held by third parties, including without limitation: Copyright DataDirect Technologies. All rights
reserved. Copyright © Sun Microsystems. All rights reserved. Copyright © RSA Security Inc. All Rights Reserved. Copyright © Ordinal Technology Corp. All rights
reserved. Copyright © Aandacht c.v. All rights reserved. Copyright Genivia, Inc. All rights reserved. Copyright Isomorphic Software. All rights reserved. Copyright © Meta
Integration Technology, Inc. All rights reserved. Copyright © Intalio. All rights reserved. Copyright © Oracle. All rights reserved. Copyright © Adobe Systems Incorporated.
All rights reserved. Copyright © DataArt, Inc. All rights reserved. Copyright © ComponentSource. All rights reserved. Copyright © Microsoft Corporation. All rights
reserved. Copyright © Rogue Wave Software, Inc. All rights reserved. Copyright © Teradata Corporation. All rights reserved. Copyright © Yahoo! Inc. All rights reserved.
Copyright © Glyph & Cog, LLC. All rights reserved. Copyright © Thinkmap, Inc. All rights reserved. Copyright © Clearpace Software Limited. All rights reserved. Copyright
© Information Builders, Inc. All rights reserved. Copyright © OSS Nokalva, Inc. All rights reserved. Copyright Edifecs, Inc. All rights reserved. Copyright Cleo
Communications, Inc. All rights reserved. Copyright © International Organization for Standardization 1986. All rights reserved. Copyright © ej-technologies GmbH. All
rights reserved. Copyright © Jaspersoft Corporation. All rights reserved. Copyright © International Business Machines Corporation. All rights reserved. Copyright ©
yWorks GmbH. All rights reserved. Copyright © Lucent Technologies. All rights reserved. Copyright © University of Toronto. All rights reserved. Copyright © Daniel
Veillard. All rights reserved. Copyright © Unicode, Inc. Copyright IBM Corp. All rights reserved. Copyright © MicroQuill Software Publishing, Inc. All rights reserved.
Copyright © PassMark Software Pty Ltd. All rights reserved. Copyright © LogiXML, Inc. All rights reserved. Copyright © 2003-2010 Lorenzi Davide, All rights reserved.
Copyright © Red Hat, Inc. All rights reserved. Copyright © The Board of Trustees of the Leland Stanford Junior University. All rights reserved. Copyright © EMC
Corporation. All rights reserved. Copyright © Flexera Software. All rights reserved. Copyright © Jinfonet Software. All rights reserved. Copyright © Apple Inc. All rights
reserved. Copyright © Telerik Inc. All rights reserved. Copyright © BEA Systems. All rights reserved. Copyright © PDFlib GmbH. All rights reserved. Copyright ©
Orientation in Objects GmbH. All rights reserved. Copyright © Tanuki Software, Ltd. All rights reserved. Copyright © Ricebridge. All rights reserved. Copyright © Sencha,
Inc. All rights reserved. Copyright © Scalable Systems, Inc. All rights reserved. Copyright © jQWidgets. All rights reserved. Copyright © Tableau Software, Inc. All rights
reserved. Copyright© MaxMind, Inc. All Rights Reserved. Copyright © TMate Software s.r.o. All rights reserved. Copyright © MapR Technologies Inc. All rights reserved.
Copyright © Amazon Corporate LLC. All rights reserved. Copyright © Highsoft. All rights reserved. Copyright © Python Software Foundation. All rights reserved.
Copyright © BeOpen.com. All rights reserved. Copyright © CNRI. All rights reserved.

This product includes software developed by the Apache Software Foundation (http://www.apache.org/), and/or other software which is licensed under various
versions of the Apache License (the "License"). You may obtain a copy of these Licenses at http://www.apache.org/licenses/. Unless required by applicable law or
agreed to in writing, software distributed under these Licenses is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
or implied. See the Licenses for the specific language governing permissions and limitations under the Licenses.

This product includes software which was developed by Mozilla (http://www.mozilla.org/), software copyright The JBoss Group, LLC, all rights reserved; software
copyright © 1999-2006 by Bruno Lowagie and Paulo Soares and other software which is licensed under various versions of the GNU Lesser General Public License
Agreement, which may be found at http://www.gnu.org/licenses/lgpl.html. The materials are provided free of charge by Informatica, "as-is", without warranty of any
kind, either express or implied, including but not limited to the implied warranties of merchantability and fitness for a particular purpose.

The product includes ACE(TM) and TAO(TM) software copyrighted by Douglas C. Schmidt and his research group at Washington University, University of California,
Irvine, and Vanderbilt University, Copyright (©) 1993-2006, all rights reserved.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (copyright The OpenSSL Project. All Rights Reserved) and
redistribution of this software is subject to terms available at http://www.openssl.org and http://www.openssl.org/source/license.html.

This product includes Curl software which is Copyright 1996-2013, Daniel Stenberg, <[email protected]>. All Rights Reserved. Permissions and limitations regarding this
software are subject to terms available at http://curl.haxx.se/docs/copyright.html. Permission to use, copy, modify, and distribute this software for any purpose with or
without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

The product includes software copyright 2001-2005 (©) MetaStuff, Ltd. All Rights Reserved. Permissions and limitations regarding this software are subject to terms
available at http://www.dom4j.org/license.html.

The product includes software copyright © 2004-2007, The Dojo Foundation. All Rights Reserved. Permissions and limitations regarding this software are subject to
terms available at http://dojotoolkit.org/license.

This product includes ICU software which is copyright International Business Machines Corporation and others. All rights reserved. Permissions and limitations
regarding this software are subject to terms available at http://source.icu-project.org/repos/icu/icu/trunk/license.html.

This product includes software copyright © 1996-2006 Per Bothner. All rights reserved. Your right to use such materials is set forth in the license which may be found at
http://www.gnu.org/software/kawa/Software-License.html.

This product includes OSSP UUID software which is Copyright © 2002 Ralf S. Engelschall, Copyright © 2002 The OSSP Project Copyright © 2002 Cable & Wireless
Deutschland. Permissions and limitations regarding this software are subject to terms available at http://www.opensource.org/licenses/mit-license.php.

This product includes software developed by Boost (http://www.boost.org/) or under the Boost software license. Permissions and limitations regarding this software
are subject to terms available at http://www.boost.org/LICENSE_1_0.txt.

This product includes software copyright © 1997-2007 University of Cambridge. Permissions and limitations regarding this software are subject to terms available at
http://www.pcre.org/license.txt.

This product includes software copyright © 2007 The Eclipse Foundation. All Rights Reserved. Permissions and limitations regarding this software are subject to terms
available at http://www.eclipse.org/org/documents/epl-v10.php and at http://www.eclipse.org/org/documents/edl-v10.php.

This product includes software licensed under the terms at http://www.tcl.tk/software/tcltk/license.html, http://www.bosrup.com/web/overlib/?License,
http://www.stlport.org/doc/license.html, http://asm.ow2.org/license.html, http://www.cryptix.org/LICENSE.TXT, http://hsqldb.org/web/hsqlLicense.html,
http://httpunit.sourceforge.net/doc/license.html, http://jung.sourceforge.net/license.txt, http://www.gzip.org/zlib/zlib_license.html,
http://www.openldap.org/software/release/license.html, http://www.libssh2.org, http://slf4j.org/license.html, http://www.sente.ch/software/OpenSourceLicense.html,
http://fusesource.com/downloads/license-agreements/fuse-message-broker-v-5-3-license-agreement; http://antlr.org/license.html; http://aopalliance.sourceforge.net/;
http://www.bouncycastle.org/licence.html; http://www.jgraph.com/jgraphdownload.html; http://www.jcraft.com/jsch/LICENSE.txt; http://jotm.objectweb.org/bsd_license.html;
http://www.w3.org/Consortium/Legal/2002/copyright-software-20021231; http://www.slf4j.org/license.html; http://nanoxml.sourceforge.net/orig/copyright.html;
http://www.json.org/license.html; http://forge.ow2.org/projects/javaservice/, http://www.postgresql.org/about/licence.html, http://www.sqlite.org/copyright.html,
http://www.tcl.tk/software/tcltk/license.html, http://www.jaxen.org/faq.html, http://www.jdom.org/docs/faq.html, http://www.slf4j.org/license.html;
http://www.iodbc.org/dataspace/iodbc/wiki/iODBC/License; http://www.keplerproject.org/md5/license.html; http://www.toedter.com/en/jcalendar/license.html;
http://www.edankert.com/bounce/index.html; http://www.net-snmp.org/about/license.html; http://www.openmdx.org/#FAQ; http://www.php.net/license/3_01.txt;
http://srp.stanford.edu/license.txt; http://www.schneier.com/blowfish.html; http://www.jmock.org/license.html; http://xsom.java.net; http://benalman.com/about/license/;
https://github.com/CreateJS/EaselJS/blob/master/src/easeljs/display/Bitmap.js; http://www.h2database.com/html/license.html#summary;
http://jsoncpp.sourceforge.net/LICENSE; http://jdbc.postgresql.org/license.html; http://protobuf.googlecode.com/svn/trunk/src/google/protobuf/descriptor.proto;
https://github.com/rantav/hector/blob/master/LICENSE; http://web.mit.edu/Kerberos/krb5-current/doc/mitK5license.html; http://jibx.sourceforge.net/jibx-license.html;
https://github.com/lyokato/libgeohash/blob/master/LICENSE; https://github.com/hjiang/jsonxx/blob/master/LICENSE; https://code.google.com/p/lz4/;
https://github.com/jedisct1/libsodium/blob/master/LICENSE; http://one-jar.sourceforge.net/index.php?page=documents&file=license;
https://github.com/EsotericSoftware/kryo/blob/master/license.txt; http://www.scala-lang.org/license.html; https://github.com/tinkerpop/blueprints/blob/master/LICENSE.txt;
http://gee.cs.oswego.edu/dl/classes/EDU/oswego/cs/dl/util/concurrent/intro.html; https://aws.amazon.com/asl/; https://github.com/twbs/bootstrap/blob/master/LICENSE;
https://sourceforge.net/p/xmlunit/code/HEAD/tree/trunk/LICENSE.txt; https://github.com/documentcloud/underscore-contrib/blob/master/LICENSE, and
https://github.com/apache/hbase/blob/master/LICENSE.txt.

This product includes software licensed under the Academic Free License (http://www.opensource.org/licenses/afl-3.0.php), the Common Development and
Distribution License (http://www.opensource.org/licenses/cddl1.php) the Common Public License (http://www.opensource.org/licenses/cpl1.0.php), the Sun Binary
Code License Agreement Supplemental License Terms, the BSD License (http://www.opensource.org/licenses/bsd-license.php), the new BSD License
(http://opensource.org/licenses/BSD-3-Clause), the MIT License (http://www.opensource.org/licenses/mit-license.php), the Artistic License
(http://www.opensource.org/licenses/artistic-license-1.0) and the Initial Developer’s Public License Version 1.0 (http://www.firebirdsql.org/en/initial-developer-s-public-license-version-1-0/).

This product includes software copyright © 2003-2006 Joe Walnes, 2006-2007 XStream Committers. All rights reserved. Permissions and limitations regarding this
software are subject to terms available at http://xstream.codehaus.org/license.html. This product includes software developed by the Indiana University Extreme! Lab.
For further information please visit http://www.extreme.indiana.edu/.

This product includes software Copyright (c) 2013 Frank Balluffi and Markus Moeller. All rights reserved. Permissions and limitations regarding this software are subject
to terms of the MIT license.

See patents at https://www.informatica.com/legal/patents.html.

DISCLAIMER: Informatica LLC provides this documentation "as is" without warranty of any kind, either express or implied, including, but not limited to, the implied
warranties of noninfringement, merchantability, or use for a particular purpose. Informatica LLC does not warrant that this software or documentation is error free. The
information provided in this software or documentation may include technical inaccuracies or typographical errors. The information in this software and documentation
is subject to change at any time without notice.

NOTICES

This Informatica product (the "Software") includes certain drivers (the "DataDirect Drivers") from DataDirect Technologies, an operating company of Progress Software
Corporation ("DataDirect") which are subject to the following terms and conditions:

1. THE DATADIRECT DRIVERS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
2. IN NO EVENT WILL DATADIRECT OR ITS THIRD PARTY SUPPLIERS BE LIABLE TO THE END-USER CUSTOMER FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, CONSEQUENTIAL OR OTHER DAMAGES ARISING OUT OF THE USE OF THE ODBC DRIVERS, WHETHER OR NOT INFORMED OF THE POSSIBILITIES
OF DAMAGES IN ADVANCE. THESE LIMITATIONS APPLY TO ALL CAUSES OF ACTION, INCLUDING, WITHOUT LIMITATION, BREACH OF CONTRACT, BREACH
OF WARRANTY, NEGLIGENCE, STRICT LIABILITY, MISREPRESENTATION AND OTHER TORTS.

The information in this documentation is subject to change without notice. If you find any problems in this documentation, please report them to us in writing at
Informatica LLC 2100 Seaport Blvd. Redwood City, CA 94063.

Informatica products are warranted according to the terms and conditions of the agreements under which they are provided. INFORMATICA PROVIDES THE
INFORMATION IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT.

Publication Date: 2018-05-04


Table of Contents

Preface
Informatica Resources
Informatica Network
Informatica Knowledge Base
Informatica Documentation
Informatica Product Availability Matrixes
Informatica Velocity
Informatica Marketplace
Informatica Global Customer Support

Chapter 1: Overview

Chapter 2: Enterprise Data Catalog Services
Application Services
Application Services and Ports
Plan the Application Services
Analyst Service Overview
Data Integration Service Overview
Model Repository Service
Catalog Service
Informatica Cluster Service
Content Management Service Overview

Chapter 3: Informatica Security Overview
Domain Security Overview
Domain Security Management
Secure Communication Within the Domain
Secure Communication for Services and Service Managers
User Security Management
User Authentication Overview
Native User Authentication
LDAP User Authentication

Chapter 4: Complete the Domain Configuration Overview
Verify Code Page Compatibility
Configure Locale Environment Variables on Linux
Configure Environment Variables
Configure Enterprise Data Catalog Environment Variables
Configure Library Path Environment Variables on Linux
Domain Configuration Repository

Chapter 5: Create the Application Services Overview
Verify Application Service Prerequisites
Application Services Dependencies
Create and Configure the Model Repository Service
Create the Model Repository Service
After You Create the Model Repository Service
Create Other Services
Create and Configure the Data Integration Service
Create the Data Integration Service
After You Create the Data Integration Service
Creating the Catalog Service
Email Service
Email Notification Overview
Email Notification Process
Troubleshooting Email Notifications
Content Management Service
Create the Content Management Service

Chapter 6: Users and Groups Overview
Users
Understanding User Accounts
Groups
Default Groups

Chapter 7: Privileges and Roles Overview
Privileges
Privilege Groups
Roles
Content Management Service Privileges
Data Integration Service Privilege
Model Repository Service Privileges
Catalog Service Privileges
Managing Roles
System-Defined Roles
Custom Roles
Assigning Privileges and Roles to Users and Groups

Chapter 8: Permissions Overview
Types of Permissions
Permission Search Filters
Domain Object Permissions

Index

Preface
The Informatica 10.2 Administrator Reference for Enterprise Data Catalog is written for the system
administrator who is responsible for installing the Informatica product. This guide assumes you have
knowledge of operating systems, relational database concepts, and the database engines, flat files, or
mainframe systems in your environment. This guide also assumes you are familiar with the interface
requirements for your supporting applications.

Informatica Resources

Informatica Network
Informatica Network hosts Informatica Global Customer Support, the Informatica Knowledge Base, and other
product resources. To access Informatica Network, visit https://network.informatica.com.

As a member, you can:

• Access all of your Informatica resources in one place.
• Search the Knowledge Base for product resources, including documentation, FAQs, and best practices.
• View product availability information.
• Review your support cases.
• Find your local Informatica User Group Network and collaborate with your peers.

Informatica Knowledge Base


Use the Informatica Knowledge Base to search Informatica Network for product resources such as
documentation, how-to articles, best practices, and PAMs.

To access the Knowledge Base, visit https://kb.informatica.com. If you have questions, comments, or ideas
about the Knowledge Base, contact the Informatica Knowledge Base team at
[email protected].

Informatica Documentation
To get the latest documentation for your product, browse the Informatica Knowledge Base at
https://kb.informatica.com/_layouts/ProductDocumentation/Page/ProductDocumentSearch.aspx.

If you have questions, comments, or ideas about this documentation, contact the Informatica Documentation
team through email at [email protected].

Informatica Product Availability Matrixes
Product Availability Matrixes (PAMs) indicate the versions of operating systems, databases, and other types
of data sources and targets that a product release supports. If you are an Informatica Network member, you
can access PAMs at
https://network.informatica.com/community/informatica-network/product-availability-matrices.

Informatica Velocity
Informatica Velocity is a collection of tips and best practices developed by Informatica Professional
Services. Developed from the real-world experience of hundreds of data management projects, Informatica
Velocity represents the collective knowledge of our consultants who have worked with organizations from
around the world to plan, develop, deploy, and maintain successful data management solutions.

If you are an Informatica Network member, you can access Informatica Velocity resources at
http://velocity.informatica.com.

If you have questions, comments, or ideas about Informatica Velocity, contact Informatica Professional
Services at [email protected].

Informatica Marketplace
The Informatica Marketplace is a forum where you can find solutions that augment, extend, or enhance your
Informatica implementations. By leveraging any of the hundreds of solutions from Informatica developers
and partners, you can improve your productivity and speed up time to implementation on your projects. You
can access Informatica Marketplace at https://marketplace.informatica.com.

Informatica Global Customer Support


You can contact a Global Support Center by telephone or through Online Support on Informatica Network.

To find your local Informatica Global Customer Support telephone number, visit the Informatica website at
the following link:
http://www.informatica.com/us/services-and-training/support-services/global-support-centers.

If you are an Informatica Network member, you can use Online Support at http://network.informatica.com.

Chapter 1

Overview
Enterprise Data Catalog brings together all data assets in an enterprise and presents a comprehensive view
of the data assets and data asset relationships. Enterprise Data Catalog is installed within the Informatica
domain. The Informatica domain is the administrative unit for the Enterprise Data Catalog environment. The
Informatica domain includes a collection of nodes that represent the machines on which the application
services run. Application services represent server-based functionality. Enterprise Data Catalog application
services include services that you create and system services that are created when you create the domain.

To use Enterprise Data Catalog, you must install the Enterprise Data Catalog services and create a domain.
The Enterprise Data Catalog services consist of services to support the domain and application services to
perform tasks and manage databases. When you install Enterprise Data Catalog services on a machine, you
install all the files for all services.

You can see the following topics to get started after installing Enterprise Data Catalog:
Enterprise Data Catalog Services

Information about the application services in Enterprise Data Catalog.

Informatica Security

Information about securing the Informatica domain from internal and external threats along with the
types of security that you can configure. This topic also includes information about supported user
security methods and information about securing communication within the domain.

Domain Configuration

Information about configuring the domain services.

Creating the Application Services

Information about creating the different application services and the configuration steps to be
performed after creating the services.

Users and Groups

Information about managing users and groups that you can create and configure in the Informatica
domain.

Privileges and Roles

Information about the different privileges and roles that you can configure for the users and groups.

Permissions

Information about the permissions that you can configure for the users and groups to access different
objects in the Informatica domain.

Note: This document includes basic reference information about Informatica Administrator tasks that you
can perform in Enterprise Data Catalog. For more information about the Informatica Administrator concepts
and tasks, see the following guides:

• Informatica Administrator Guide
• Informatica Application Service Guide
• Informatica Security Guide
• Informatica Enterprise Data Catalog Installation and Configuration Guide

Chapter 2

Enterprise Data Catalog Services


Application services of Enterprise Data Catalog represent server-based functionality. After you complete the
installation, you can optionally create application services based on the license key generated for your
organization.

When you create an application service, you designate a node to run the service process. The service process
is the run-time representation of a service running on a node. The service type determines how many service
processes can run at a time.

If you have the high availability option, you can run an application service on multiple nodes. If you do not
have the high availability option, configure each application service to run on one node.

Some application services require databases to store information processed by the application service. When
you plan the Informatica domain, you also need to plan the databases required by each application service.

Enterprise Data Catalog uses the following application services:

• Data Integration Service
• Model Repository Service
• Catalog Service
• Informatica Cluster Service
• Content Management Service

Application Services
Application services represent server-based functionality. After you complete the installation, you create
application services based on the license key generated for your organization.

When you create an application service, you designate a node to run the service process. The service process
is the run-time representation of a service running on a node. The service type determines how many service
processes can run at a time.

If you have the high availability option, you can run an application service on multiple nodes. If you do not
have the high availability option, configure each application service to run on one node.

Some application services require databases to store information processed by the application service. When
you plan the Informatica domain, you also need to plan the databases required by each application service.

For more information about application services, see the Informatica Application Service Guide.

Application Services and Ports
Informatica domain services and application services in the Informatica domain have unique ports.

Content Management Service

The following table lists the default port associated with the Content Management Service:

| Type | Default Port |
|---|---|
| Content Management Service (HTTP) | 8105 |
| Content Management Service (HTTPS) | No default port. Enter the required port number when you create the service. |

Data Integration Service

The following table lists the default port associated with the Data Integration Service:

| Type | Default Port |
|---|---|
| Data Integration Service (HTTP proxy) | 8085 |
| Data Integration Service (HTTP) | 8095 |
| Data Integration Service (HTTPS) | No default port. Enter the required port number when you create the service. |
| Profiling Warehouse database | No default port. Enter the database port number. |
| Human Task database | No default port. Enter the database port number. |

Plan the Application Services


When you plan the Informatica domain, you also need to plan the application services that run in the domain.
You create application services based on the license key generated for your organization.

When you plan the application services, you must account for the associated services that connect to the
application service. You also must plan the relational databases that are required to create the application
service. When you install Enterprise Data Catalog, the installer creates the required application services.
Optionally, you can also create the application services after you complete the installation.

Analyst Service Overview


The Analyst Service is an application service that runs the Analyst tool in the Informatica domain. The
Analyst Service manages the connections between the service components and the users who log in to the
Analyst tool.

The Analyst Service connects to a Data Integration Service that runs profiles, scorecards, and mapping
specifications. The Analyst Service also connects to a Data Integration Service that runs workflows.



The Analyst Service connects to the Model Repository Service to identify a Model repository. The Analyst
Service connects to a Search Service that enables and manages searches in the Analyst tool.

Additionally, the Analyst Service connects to the Analyst tool, a flat file cache directory to store uploaded flat
files, and a business glossary export file directory.

You can use the Administrator tool to create and recycle an Analyst Service in the Informatica domain and to
access the Analyst tool. When you recycle the Analyst Service, the Service Manager restarts the Analyst
Service.

You can run more than one Analyst Service on the same node. You can associate a Model Repository Service
with one Analyst Service. You can associate one Data Integration Service with more than one Analyst Service.
The Analyst Service detects the associated Search Service based on the Model Repository Service assigned
to the Analyst Service.

Data Integration Service Overview


The Data Integration Service is an application service in the Informatica domain that performs data
integration tasks for Informatica Analyst and Informatica Developer. It also performs data integration tasks
for external clients.

When you preview or run mappings, profiles, SQL data services, and web services in the Analyst tool or the
Developer tool, the application client sends requests to the Data Integration Service to perform the data
integration tasks. When you start a command from the command line or an external client to run mappings,
SQL data services, web services, and workflows in an application, the command sends the request to the
Data Integration Service.


The Data Integration Service performs the following tasks:

• Runs mappings and generates mapping previews in the Developer tool.
• Runs profiles and generates previews for profiles in the Analyst tool and the Developer tool.
• Runs scorecards for the profiles in the Analyst tool and the Developer tool.
• Runs SQL data services and web services in the Developer tool.
• Runs mappings in a deployed application.
• Runs workflows in a deployed application.
• Caches data objects for mappings and SQL data services deployed in an application.
• Runs SQL queries that end users run against an SQL data service through a third-party JDBC or ODBC
client tool.
• Runs web service requests against a web service.

Create and configure a Data Integration Service in the Administrator tool. You can create one or more Data
Integration Services on a node. Based on your license, the Data Integration Service can be highly available.



Model Repository Service
The Model Repository Service is an application service that manages the Model repository. The Model
repository stores metadata created by Informatica clients and application services in a relational database to
enable collaboration among the clients and services.

When you access a Model repository object from Catalog Administrator or the Data Integration Service, the
client or service sends a request to the Model Repository Service. The Model Repository Service process
fetches, inserts, and updates the metadata in the Model repository database tables.

Note: When you create the Model Repository Service, you do not associate it with other application services.

Catalog Service
The Catalog Service is an application service that runs Enterprise Data Catalog in the Informatica domain.
The Catalog Service manages the connections between service components and the users that have access
to Enterprise Data Catalog and Catalog Administrator.

The catalog represents an indexed inventory of all the configured data assets in an enterprise. You can find
metadata and statistical information, such as profile statistics, data asset ratings, data domains, and data
relationships, in the catalog.

Informatica Cluster Service


The Informatica Cluster Service is an application service that runs and manages all the Hadoop services,
Apache Ambari server, and Apache Ambari agents on an internal Hadoop cluster. If you choose the internal
cluster deployment mode while you install Enterprise Data Catalog, you need to create the Informatica
Cluster Service before you create the Catalog Service. You can then specify the Informatica Cluster Service
value when you create the Catalog Service.

Content Management Service Overview


The Content Management Service is an application service that manages reference data. It provides
reference data information to the Data Integration Service and to the Developer and Analyst tools. A master
Content Management Service maintains probabilistic model and classifier model data files across the
domain.

The Content Management Service manages the following types of reference data:

Address reference data

You use address reference data when you want to validate the postal accuracy of an address or fix
errors in an address. Use the Address Validator transformation to perform address validation.

Identity populations

You use identity population data when you want to perform duplicate analysis on identity data. An
identity is a set of values within a record that collectively identify a person or business. Use a Match
transformation or Comparison transformation to perform identity duplicate analysis.

Probabilistic models and classifier models

You use probabilistic or classifier model data when you want to identify the type of information that a
string contains. Use a probabilistic model in a Parser or Labeler transformation. Use a classifier model in
a Classifier transformation. Probabilistic models and classifier models use probabilistic logic to identify
or infer the type of information in the string. Use a Classifier transformation when each input string
contains a significant amount of data.



Reference tables

You use reference tables to verify the accuracy or structure of input data values in data quality
transformations.

The Content Management Service also compiles rule specifications into mapplets.

Use the Administrator tool to administer the Content Management Service. Recycle the Content Management
Service to start it.



Chapter 3

Informatica Security Overview


You can secure the Informatica domain to protect it from threats from inside and outside the network on which
the domain runs.

Security for the Informatica domain includes the following types of security:
Infrastructure Security

Infrastructure security protects the Informatica domain against unauthorized access to or modification
of services and resources in the Informatica domain. Infrastructure security includes the following
aspects:

• Protection of data transmitted and stored within the Informatica domain
• Authentication of users and services connecting to the Informatica domain
• Security of connections for external components, including client applications and relational
databases for repositories, sources, and targets.

Operational Security

Operational security controls access to the data and services in the Informatica domain. Operational
security includes the following aspects:

• Setting restrictions to user access to data and metadata based on the role of the user in the
organization
• Setting restrictions to user ability to perform operations within the Informatica domain based on the
user role in the organization

Informatica stores the domain configuration information and the list of users authorized to access the
domain in the domain configuration repository. The domain configuration repository also contains the
groups, roles, privileges, and permissions that are assigned to each user in the Informatica domain.

Informatica organizes the list of users by security domains. A security domain contains a collection of user
accounts. A domain can have multiple security domains.

Domain Security Overview


You can enable options in the Informatica domain to configure secure communication between the
components in the domain and between the domain and client components.

You can enable different options to secure specific components in the domain. You do not have to secure all
components in the domain. For example, you can secure the communication between the services in the
domain but not secure the connection between the Model Repository Service and the repository database.

Informatica uses the TCP/IP and HTTP protocols to communicate between components in the domain. The
domain uses SSL certificates to secure communication between components.

When you install the Informatica services, you can enable secure communication for the services in the
domain and for the Administrator tool. After installation, you can configure secure communication in the
domain in the Administrator tool or from the command line.

During installation, the installer generates an encryption key to encrypt sensitive data, such as passwords,
that are stored in the domain. You can provide the keyword that the installer uses to generate the encryption
key. After installation, you can change the encryption key for sensitive data. You must upgrade the content of
repositories to update the encrypted data.

You can enable secure communication in the following areas:


Domain

Within the domain, you can select options to enable secure communication for the following
components:

• Between the Service Manager, the services in the domain, and the Informatica client tools
• Between the domain and the domain configuration repository
• Between the repository services and repository databases

Web application services

You can secure the connection between a web application service, such as the Analyst Service, and the
browser.

Sources and targets

You can enable secure communication between the Data Integration Service and the source and target
databases.

Data storage

Informatica encrypts sensitive data, such as passwords, when it stores data in the domain. Informatica
generates an encryption key based on a keyword that you provide during installation. Informatica uses
the encryption key to encrypt and decrypt sensitive data that are stored in the domain.

Domain Security Management


You can configure Informatica domain components to use the Secure Sockets Layer (SSL) protocol or the
Transport Layer Security (TLS) protocol to encrypt connections with other components. When you enable SSL
or TLS for domain components, you ensure secure communication.

You can configure secure communication in the following ways:

Between services within the domain

You can configure secure communication between services within the domain.

Between the domain and external components

You can configure secure communication between Informatica domain components and web browsers
or web service clients.

Each method of configuring secure communication is independent of the other methods. When you configure
secure communication for one set of components, you do not need to configure secure communication for
any other set.



Note: If you change a secure domain to a non-secure domain or from a non-secure domain to a secure
domain, you must delete the domain configuration in the Developer tool and configure the domain again in
the client.

Secure Communication Within the Domain


You can use the Secure Communication option to secure the connection between services and between
services and the service managers in the domain. Additionally, you can enable security for workflows and use
secure databases for the repositories that you create in the domain.

After you secure the domain, configure the Informatica client applications to work with a secure domain.

Secure Communication for Services and Service Managers
You can configure secure communication within the domain during installation. After installation, you can
configure secure communication for the domain in the Administrator tool or from the command line.

Informatica provides an SSL certificate that you can use to secure the domain. However, you should provide
a custom SSL certificate for domains that require a higher level of security, such as a domain in a production
environment. Specify the keystore and truststore files that contain the SSL certificates you want to use.

Note: Informatica provides SSL certificates for evaluation purposes. If you do not provide an SSL certificate,
Informatica uses the same default private key for all Informatica installations. The security of your domain
could be compromised. Provide an SSL certificate to ensure a high level of security for the domain. The
certificate that you provide can be self-signed or from a certificate authority (CA).

When you configure secure communication for the domain, you secure the connections between the
following components:

• The Service Manager and all services running in the domain
• The Data Integration Service and the Model Repository Service
• The Data Integration Service and the workflow processes
• The domain services and the Informatica client tools and command line programs

User Security Management


You manage user security within the domain with privileges and permissions.

Privileges determine the actions that users can complete on domain objects. Permissions define the level of
access a user has to a domain object. Domain objects include the domain, folders, nodes, grids, licenses,
database connections, operating system profiles, and application services.


Even if a user has the domain privilege to complete certain actions, the user might also require permission to
complete the action on a particular object. For example, a user has the Manage Services domain privilege
which grants the user the ability to edit application services. However, the user also must have permission on
the application service. A user with the Manage Services domain privilege and permission on the
Development Repository Service but not on the Production Repository Service can edit the Development
Repository Service but not the Production Repository Service.


To log in to the Administrator tool, a user must have the Access Informatica Administrator domain privilege.
If a user has the Access Informatica Administrator privilege and permission on an object, but does not have
the domain privilege that grants the ability to modify the object type, then the user can view the object. For
example, if a user has permission on a node, but does not have the Manage Nodes and Grids privilege, the
user can view the node properties but cannot configure, shut down, or remove the node.


If a user does not have permission on a selected object in the Navigator, the contents panel displays a
message indicating that permission on the object is denied.
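The privilege and permission rules above can be written down as a small decision model. The following Python sketch is an added example, not Informatica code: the class and function names, the sample users, and the node name are constructed, and it assumes privileges and permissions are assigned directly to users (no groups or roles).

```python
from dataclasses import dataclass, field
from enum import Enum

LOGIN_PRIVILEGE = "Access Informatica Administrator"

# Privilege that grants modification, per object type. Only the two pairs
# named in the text are modelled; other object types fall back to view-only.
MODIFY_PRIVILEGE = {
    "application service": "Manage Services",
    "node": "Manage Nodes and Grids",
}


class Access(Enum):
    DENIED = "denied"
    VIEW = "view"
    MODIFY = "modify"


@dataclass(frozen=True)
class DomainObject:
    name: str
    kind: str


@dataclass
class User:
    name: str
    privileges: set = field(default_factory=set)
    permissions: set = field(default_factory=set)  # names of domain objects


def effective_access(user, obj):
    """Combine domain privileges with the permission on one object."""
    if LOGIN_PRIVILEGE not in user.privileges:
        return Access.DENIED  # cannot log in to the Administrator tool
    if obj.name not in user.permissions:
        return Access.DENIED  # "permission on the object is denied"
    if MODIFY_PRIVILEGE.get(obj.kind) in user.privileges:
        return Access.MODIFY
    return Access.VIEW        # permission without the modify privilege


def who_can_modify(users, obj):
    """Review helper: every user who can change the given object."""
    return sorted(u.name for u in users
                  if effective_access(u, obj) is Access.MODIFY)


def unused_privileges(user, objects):
    """Modify privileges held without permission on any matching object."""
    unused = []
    for kind, privilege in MODIFY_PRIVILEGE.items():
        has_target = any(o.kind == kind and o.name in user.permissions
                         for o in objects)
        if privilege in user.privileges and not has_target:
            unused.append(privilege)
    return sorted(unused)


# Constructed sample data that mirrors the examples in the text.
DEV = DomainObject("Development Repository Service", "application service")
PROD = DomainObject("Production Repository Service", "application service")
NODE = DomainObject("node01", "node")
OBJECTS = [DEV, PROD, NODE]

DEV_ADMIN = User("dev_admin", {LOGIN_PRIVILEGE, "Manage Services"}, {DEV.name})
OPERATOR = User("operator", {LOGIN_PRIVILEGE}, {NODE.name})
AUDITOR = User("auditor", {LOGIN_PRIVILEGE, "Manage Nodes and Grids"}, {PROD.name})
USERS = [DEV_ADMIN, OPERATOR, AUDITOR]

if __name__ == "__main__":
    for u in USERS:
        for o in OBJECTS:
            print(f"{u.name:10} {o.name:32} {effective_access(u, o).value}")
    print("Can modify production:", who_can_modify(USERS, PROD))
```

Running `who_can_modify` against production services and `unused_privileges` against each user is a quick way to review a domain for grants that are broader than the permissions that back them.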

User Authentication Overview


User authentication in the Informatica domain depends on the type of authentication that you configure when
you install the Informatica services.

The Informatica domain can use the following types of authentication to authenticate users in the
Informatica domain:

• Native user authentication
• LDAP user authentication

Native user accounts are stored in the Informatica domain and can only be used within the Informatica
domain. LDAP user accounts are stored in an LDAP directory service and are shared by applications within
the enterprise.

You can select the type of authentication to use in the Informatica domain during installation. You can use
native authentication and LDAP authentication together in the Informatica domain. The Service Manager
authenticates the users based on the security domain. If a user belongs to the native security domain, the
Service Manager authenticates the user in the domain configuration repository. If the user belongs to an
LDAP security domain, the Service Manager passes the user name and password to the LDAP server for
authentication.



Native User Authentication
If the Informatica domain uses native authentication, the Service Manager stores all user account
information and performs all user authentication within the Informatica domain. When a user logs in, the
Service Manager uses the native security domain to authenticate the user name and password.

The native security domain is created at installation and cannot be deleted. An Informatica domain can have
only one native security domain. You create and maintain user accounts in the native security domain in the
Administrator tool. The Service Manager stores details about the user accounts, including the user
credentials and privileges, in the domain configuration repository.

LDAP User Authentication


You can configure the Informatica domain to allow users in an LDAP directory service to log in to Informatica
client applications. The Informatica domain can use LDAP user authentication in addition to native user
authentication.

To enable the Informatica domain to use LDAP user authentication, you must set up a connection to an LDAP
server and specify the users and groups from the LDAP directory service that can have access to the
Informatica domain. You can use the Administrator tool to set up the connection to the LDAP server.

When you synchronize the LDAP security domains with the LDAP directory service, the Service Manager
imports the list of LDAP user accounts with access to the Informatica domain into the LDAP security
domains. When you assign privileges and permissions to users in LDAP security domains, the Service
Manager stores the information in the domain configuration repository. The Service Manager does not store
the user credentials in the domain configuration repository.

When a user logs in, the Service Manager passes the user name and password to the LDAP server for
authentication.

Note: The Service Manager requires that LDAP users log in to a client application with a password even
though an LDAP directory service may allow a blank password for anonymous login mode.
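The login flow described above, including the blank-password rule in the note, is sketched below as an added Python model that is not Informatica code. The class names, the stub directory (which stands in for an LDAP server that accepts an empty password as an anonymous bind), the PBKDF2 storage of native credentials, and the sample accounts are all assumptions or constructed values.

```python
import hashlib
import hmac
import os

NATIVE = "Native"


class StubLdapDirectory:
    """Constructed stand-in for an LDAP server (not a real client library).

    It treats a bind with an empty password as an anonymous bind and
    reports success without checking any credentials.
    """

    def __init__(self, accounts, allow_anonymous_bind=True):
        self._accounts = dict(accounts)
        self._allow_anonymous_bind = allow_anonymous_bind

    def bind(self, user, password):
        if password == "":
            return self._allow_anonymous_bind
        expected = self._accounts.get(user)
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())


class ServiceManagerModel:
    """Toy model of authentication by security domain."""

    def __init__(self, ldap_directories):
        self._native = {}        # user -> (salt, derived key)
        self._ldap_members = {}  # LDAP security domain -> imported user names
        self._ldap_directories = ldap_directories

    @staticmethod
    def _derive(password, salt):
        # Assumption: how native credentials are stored is not stated in the guide.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_native_user(self, user, password):
        salt = os.urandom(16)
        self._native[user] = (salt, self._derive(password, salt))

    def synchronize(self, security_domain, users):
        # Only the account list is imported; no LDAP credentials are stored.
        self._ldap_members[security_domain] = set(users)

    def authenticate(self, security_domain, user, password, require_password=True):
        if security_domain == NATIVE:
            record = self._native.get(user)
            if record is None:
                return False
            salt, key = record
            return hmac.compare_digest(key, self._derive(password, salt))
        # LDAP security domain: the account must have been imported first.
        if user not in self._ldap_members.get(security_domain, set()):
            return False
        # Reject a blank password before it reaches the directory, where it
        # could be accepted as an anonymous bind.
        if require_password and password == "":
            return False
        return self._ldap_directories[security_domain].bind(user, password)


def demo():
    """Run the flow on constructed accounts and return each outcome."""
    directory = StubLdapDirectory({"jdoe": "constructed-ldap-secret"})
    sm = ServiceManagerModel({"CorpLDAP": directory})
    sm.add_native_user("Administrator", "constructed-native-secret")
    sm.synchronize("CorpLDAP", ["jdoe"])
    return {
        "native_ok": sm.authenticate(NATIVE, "Administrator", "constructed-native-secret"),
        "native_wrong": sm.authenticate(NATIVE, "Administrator", "wrong"),
        "ldap_ok": sm.authenticate("CorpLDAP", "jdoe", "constructed-ldap-secret"),
        "ldap_blank": sm.authenticate("CorpLDAP", "jdoe", ""),
        "ldap_blank_unchecked": sm.authenticate("CorpLDAP", "jdoe", "", require_password=False),
        "ldap_not_imported": sm.authenticate("CorpLDAP", "guest", "anything"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```

The `ldap_blank_unchecked` case shows what the password requirement prevents: without the check, a directory that permits anonymous binds would report a successful login for an imported account with no password at all.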

LDAP Security Domains Overview


An LDAP security domain contains a set of users and groups that are imported from an LDAP directory
service. You must create an LDAP security domain if you use LDAP user authentication.

Configure the LDAP security domains to store the list of users from an LDAP directory service that you want
to allow access to the Informatica domain and client applications. The LDAP security domain does not store
user account credentials. When a user logs in to an Informatica client, the Service Manager verifies that the
user account is in a security domain. If the user account belongs to an LDAP security domain, the Service
Manager authenticates the user with the LDAP directory service.

After installation, you can add users and groups to the native security domain. If you have users in an LDAP
directory service that you want to give access to Informatica client applications, you can set up LDAP
security domains in addition to the native security domain. Configure a connection to the LDAP server and
import the users and groups into the LDAP security domains.



Chapter 4

Complete the Domain Configuration Overview
After you install Informatica services and before you create the application services, complete the
configuration for the domain services.

Domain configuration includes tasks such as verifying code pages, configuring the environment variables for
the domain, and configuring the firewall.

Verify Code Page Compatibility


The code pages for application services must be compatible with code pages in the domain.

Verify and configure the locale settings and code pages:

Verify that the domain configuration database is compatible with the code pages of the application services that you
create in the domain.

The Service Manager synchronizes the list of users in the domain with the list of users and groups in each
application service. If a user name in the domain has characters that the code page of the application
service does not recognize, characters do not convert correctly and inconsistencies occur.

Verify that the locale settings on machines that access the Administrator tool and the Informatica client tools are
compatible with code pages of repositories in the domain.

If the locale setting is not compatible with the repository code page, you cannot create an application
service.

Configure Locale Environment Variables on Linux


Verify that the locale setting is compatible with the code page for the repository. If the locale setting is not
compatible with the repository code page, you cannot create an application service.

Use LANG, LC_CTYPE, or LC_ALL to set the Linux code page.

Use the following command to verify that the value for the locale environment variable is compatible with the
language settings for the machine and the type of code page you want to use for the repository:
locale -a

The command returns the languages installed on the Linux operating system and the existing locale settings.

Set the following locale environment variables:

Locale on Linux

Linux allows different locale values to represent the same locale. For example, “utf8,” “UTF-8,” “UTF8,”
and “utf-8” represent the same locale on a Linux machine. Informatica requires that you use a specific
value for each locale on a Linux machine. Make sure that you set the LANG environment variable
appropriately for all Linux machines.

Locale for Oracle database clients

For Oracle database clients, set NLS_LANG to the locale you want the database client and server to use
with the login. A locale setting consists of the language, territory, and character set. The value of
NLS_LANG depends on the configuration. For example, if the value is american_america.UTF8, set the
variable in a C shell with the following command:
setenv NLS_LANG american_america.UTF8

Configure Environment Variables


Enterprise Data Catalog uses environment variables to store configuration information when it runs the
application services and connects to the clients. Configure the environment variables to meet the Informatica
requirements.

Incorrectly configured environment variables can cause the Informatica domain or nodes to fail to start or
can cause connection problems between the Informatica clients and domain.

To configure environment variables on Linux, log in with the system user account you used to install
Enterprise Data Catalog.

Configure Enterprise Data Catalog Environment Variables


You can configure Enterprise Data Catalog environment variables to store memory, domain, and location
settings.

Set the following environment variables:

INFA_JAVA_OPTS

By default, Informatica uses a maximum of 512 MB of system memory.

The following table lists the minimum requirement for the maximum heap size settings, based on the
number of users and services in the domain:

| Number of Domain Users | Maximum Heap Size (1-5 Services) | Maximum Heap Size (6-10 Services) |
|---|---|---|
| 1,000 or less | 512 MB (default) | 1024 MB |
| 5,000 | 2048 MB | 3072 MB |
| 10,000 | 3072 MB | 5120 MB |
| 20,000 | 5120 MB | 6144 MB |
| 30,000 | 5120 MB | 6144 MB |

Note: The maximum heap size settings in the table are based on the number of application services in
the domain.

If the domain has more than 1,000 users, update the maximum heap size based on the number of users
in the domain.

You can use the INFA_JAVA_OPTS environment variable to configure the amount of system memory
used by Enterprise Data Catalog. For example, to configure 1 GB of system memory for the Informatica
daemon on Linux in a C shell, use the following command:
setenv INFA_JAVA_OPTS "-Xmx1024m"
Restart the node for the changes to take effect.

INFA_DOMAINS_FILE

The installer creates a domains.infa file in the Enterprise Data Catalog installation directory. The
domains.infa file contains the connectivity information for the gateway nodes in a domain, including the
domain names, domain host names, and domain host port numbers.

Set the value of the INFA_DOMAINS_FILE variable to the path and file name of the domains.infa file.

Configure the INFA_DOMAINS_FILE variable on the machine where you install the Enterprise Data
Catalog services.

INFA_HOME

Use INFA_HOME to designate the Enterprise Data Catalog installation directory. If you modify the
Enterprise Data Catalog directory structure, you need to set the environment variable to the location of
the Enterprise Data Catalog installation directory or the directory where the installed Enterprise Data
Catalog files are located.

For example, you use a softlink in Linux for any of the Enterprise Data Catalog directories. To configure
INFA_HOME so that any Enterprise Data Catalog application or service can locate the other Enterprise
Data Catalog components it needs to run, set INFA_HOME to the location of the Enterprise Data Catalog
installation directory.

INFA_TRUSTSTORE

If you enable secure communication for the domain, set the INFA_TRUSTSTORE variable with the
directory that contains the truststore files for the SSL certificates. The directory must contain truststore
files named infa_truststore.jks and infa_truststore.pem.

You must set the INFA_TRUSTSTORE variable if you use the default SSL certificate provided by
Informatica or a certificate that you provide.

INFA_TRUSTSTORE_PASSWORD

If you enable secure communication for the domain and you specify the SSL certificate to use, set the
INFA_TRUSTSTORE_PASSWORD variable with the password for the infa_truststore.jks that contains the
SSL certificate. The password must be encrypted. Use the command line program pmpasswd to encrypt
the password.
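
The following pre-flight check is an added example, not part of the Informatica guide or Informatica tooling. It verifies the variables described above for the current shell: the heap setting against the table, the domains.infa path, and the two truststore files. The function names, the round-up rule for user counts between table rows, and the world-writable check on the truststore files are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Informatica tooling): pre-flight check for the environment
# variables described above. Function names are hypothetical.

# Print the last -Xmx value found in a JVM options string, converted to MB.
# Returns 1 when no well-formed -Xmx option is present, for example when
# typographic quotes were pasted into the value.
xmx_mb() {
    val=$(printf '%s\n' "$1" | tr ' ' '\n' |
          sed -n 's/^-Xmx\([0-9][0-9]*\)\([kKmMgG]\{0,1\}\)$/\1 \2/p' | tail -n 1)
    [ -n "$val" ] || return 1
    num=${val% *}; unit=${val#* }
    case $unit in
        [gG]) echo $((num * 1024)) ;;
        [mM]) echo "$num" ;;
        [kK]) echo $((num / 1024)) ;;
        *)    echo $((num / 1048576)) ;;    # no suffix: the JVM reads bytes
    esac
}

# Minimum "maximum heap size" in MB from the table above ($1 users, $2 services).
# Assumption: a user count between two rows is rounded up to the next row.
# Returns 1 outside the table (over 30,000 users or over 10 services).
min_heap_mb() {
    if [ "$2" -ge 1 ] && [ "$2" -le 5 ]; then col=1
    elif [ "$2" -ge 6 ] && [ "$2" -le 10 ]; then col=2
    else return 1
    fi
    if   [ "$1" -le 1000 ];  then row="512 1024"
    elif [ "$1" -le 5000 ];  then row="2048 3072"
    elif [ "$1" -le 10000 ]; then row="3072 5120"
    elif [ "$1" -le 30000 ]; then row="5120 6144"
    else return 1
    fi
    echo "$row" | cut -d ' ' -f "$col"
}

_fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

# Check the current environment for a domain with $1 users and $2 application
# services. Prints one line per finding; returns 0 only if nothing failed.
check_edc_env() {
    users=$1; services=$2; fails=0

    [ -n "${INFA_HOME:-}" ] && [ -d "$INFA_HOME" ] ||
        _fail "INFA_HOME is unset or not a directory"
    [ -n "${INFA_DOMAINS_FILE:-}" ] && [ -r "$INFA_DOMAINS_FILE" ] ||
        _fail "INFA_DOMAINS_FILE is unset or not a readable file"

    need=$(min_heap_mb "$users" "$services") ||
        _fail "the heap table has no row for $users users and $services services"
    have=512                                # default maximum stated in the guide
    case ${INFA_JAVA_OPTS:-} in
        *Xmx*) have=$(xmx_mb "$INFA_JAVA_OPTS") || {
                   _fail "INFA_JAVA_OPTS has a malformed -Xmx option (typographic quotes?)"
                   have=512
               } ;;
    esac
    if [ -n "$need" ] && [ "$have" -lt "$need" ]; then
        _fail "maximum heap is $have MB, the table requires at least $need MB"
    fi

    # INFA_TRUSTSTORE is a directory that must hold both truststore files.
    if [ -n "${INFA_TRUSTSTORE:-}" ]; then
        for f in infa_truststore.jks infa_truststore.pem; do
            if [ ! -f "$INFA_TRUSTSTORE/$f" ]; then
                _fail "missing $INFA_TRUSTSTORE/$f"
            elif [ -n "$(find "$INFA_TRUSTSTORE/$f" -prune -perm -002)" ]; then
                # Added hardening check, not a requirement stated in the guide.
                _fail "$f is world-writable; any local user could add a trusted CA"
            fi
        done
    elif [ -n "${INFA_TRUSTSTORE_PASSWORD:-}" ]; then
        _fail "INFA_TRUSTSTORE_PASSWORD is set but INFA_TRUSTSTORE is not"
    fi
    [ "$fails" -eq 0 ]
}

# Run as: sh check_edc_env.sh <number_of_users> <number_of_services>
if [ $# -eq 2 ]; then check_edc_env "$1" "$2"; fi
```

Run the check as the system user account that starts the Informatica services, so that it sees the same environment the node does.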

Configure Library Path Environment Variables on Linux
Configure library path environment variables on the machines that run the Data Integration Service
processes. The variable name and requirements depend on the platform and database.

Configure the LD_LIBRARY_PATH environment variable.

The following table describes the values that you set for the LD_LIBRARY_PATH for the different databases:

Database      Value

Oracle        <DatabasePath>/lib
IBM DB2       <DatabasePath>/lib
Sybase ASE    "${SYBASE_OCS}/lib:${SYBASE_ASE}/lib:${LD_LIBRARY_PATH}"
ODBC          <CLOSEDODBCHOME>/lib

Domain Configuration Repository


The domain configuration repository contains information about the domain configuration and user privileges
and permissions.

If the Informatica domain uses native user authentication, the domain configuration repository also contains
the user credentials. If the domain uses LDAP authentication, the domain configuration repository does not
contain the user credentials. All LDAP user credentials are stored outside the Informatica domain, in the
LDAP directory service.

When you create the Informatica domain during installation, the installer creates a domain configuration
repository in a relational database. You must specify the database in which to create the domain
configuration repository. You can create the repository on a database secured with the SSL protocol.

Chapter 5

Create the Application Services


Overview
If you chose not to create application services when you installed Live Data Map, use the Informatica
Administrator tool to create the application services in the required order.

Some application services depend on other application services. When you create these dependent
application services, you must provide the name of other running application services. Review the application
service dependencies to determine the order that you must create the services. For example, you must create
the Model Repository Service and Data Integration Service before you create the Catalog Service.

Before you create the application services, verify that you have completed the prerequisite tasks required by
the installation and configuration process. After you create each application service, review the next tasks
that you need to complete.

Verify Application Service Prerequisites


Before you create an application service, verify that you have performed the following prerequisite tasks:

Set up the database.

Set up the following databases:

• Model repository for the Model Repository Service.
• Data object cache database to cache logical data objects and virtual tables.
• Profiling warehouse to save the profiling and data quality statistics.
• Reference data warehouse to store reference data for the Content Management Service.

Install database client software on the service machines.


Install and configure the native database client software associated with the relational data sources and
the repository databases on the machine that runs the Data Integration Service.

Configure database client environment variables on Linux.

You must configure the database client environment variables on the machines that run the Data
Integration Service.

Create a keytab file for the service.

If you set the service principal level at the process level, create a unique keytab file for the following
services:

• Model Repository Service
• Data Integration Service
• Content Management Service
• Catalog Service

Note: The name of the service that you create must match the service name in the keytab file name.

Set up keystore files.

To set up a secure connection to the application client, create a keystore file for the Catalog Service.

Determine the code page to use for the repository.

Verify that the domain configuration database is compatible with the code pages of the application
services that you create in the domain.

Configure locale environment variables on Linux.

Verify that the locale settings on machines that access the Informatica Administrator tool and the
Enterprise Data Catalog tools are compatible with the code pages of the repositories in the domain.

Configure library path environment variables on Linux.

Configure the library path environment variables on the machines that run the Data Integration Service.

Create connections to the databases that the application services access through cluster connectivity.

In the Informatica Administrator tool, create connections to the following databases:

• Reference data warehouse
• Data object cache database
• Profiling warehouse database

Application Services Dependencies


A dependent application service is an application service that requires one or more other application
services. Before you create a dependent service, you must create all of the application services that the
dependent service requires.

For example, the Data Integration Service depends on the Model Repository Service. When you create a Data
Integration Service, the Informatica Administrator tool prompts you for the name of a Model Repository
Service. Therefore, you must create a Model Repository Service before you create a Data Integration Service.

Services that access Model repository objects can depend on each other. The application service
dependencies determine the order that you must create the services.

Services that Access Model Repository Objects


Create the application services that access Model repository objects in the following order:

1. Model Repository Service.
The Model Repository Service has no application service dependencies.
2. Data Integration Service.
The Data Integration Service depends on the Model Repository Service.
3. Catalog Service.
The Catalog Service depends on the Model Repository Service and the Data Integration Service.
4. Content Management Service.
The Content Management Service depends on the Model Repository Service and the Data Integration
Service.

Create and Configure the Model Repository Service


The Model Repository Service is an application service that manages the Model repository. The Model
repository stores metadata created by the Enterprise Data Catalog tools and application services in a
relational database to enable collaboration among the tools and services. The Model repository also stores
the resource configuration and data domain information.

When you access a Model repository object from the Enterprise Data Catalog tools or the Data Integration
Service, the client or service sends a request to the Model Repository Service. The Model Repository Service
process fetches, inserts, and updates the metadata in the Model repository database tables.

Create the Model Repository Service


Use the service creation wizard in the Administrator tool to create the service.

1. In the Administrator tool, click the Manage tab.
2. Click Actions > New > Model Repository Service.
The New Model Repository Service dialog box appears.
3. On the New Model Repository Service - Step 1 of 2 page, enter the following properties:

Property        Description

Name            Name of the service. The name is not case sensitive and must be unique within the domain.
                It cannot exceed 128 characters or begin with @. It also cannot contain spaces or the
                following special characters:
                `~%^*+={}\;:'"/?.,<>|!()][

Description     Description of the service. The description cannot exceed 765 characters.

Location        Domain and folder where the service is created. Click Browse to choose a different folder.
                You can move the service after you create it.

License         License object that allows use of the service.

Node            Node on which the service runs.

Backup Nodes    If your license includes high availability, nodes on which the service can run if the
                primary node is unavailable.

4. Click Next.
The New Model Repository Service - Step 2 of 2 page appears.

5. Enter the following properties for the Model repository database:

Property               Description

Database Type          The type of the repository database.

Username               The database user name for the repository.

Password               Repository database password for the database user.

Database Schema        Available for Microsoft SQL Server. Name of the schema that will contain Model
                       repository tables.

Database Tablespace    Available for IBM DB2. Name of the tablespace in which to create the tables. For a
                       multi-partition IBM DB2 database, the tablespace must span a single node and a
                       single partition.

6. Enter the JDBC connection string that the service uses to connect to the Model repository database.
Use the following syntax for the connection string for the selected database type:

Database Type           Connection String Syntax

IBM DB2                 jdbc:informatica:db2://<host_name>:<port_number>;DatabaseName=<database_name>;BatchPerformanceWorkaround=true;DynamicSections=3000

Microsoft SQL Server    - Microsoft SQL Server that uses the default instance
                          jdbc:informatica:sqlserver://<host_name>:<port_number>;DatabaseName=<database_name>;SnapshotSerializable=true
                        - Microsoft SQL Server that uses a named instance
                          jdbc:informatica:sqlserver://<host_name>\<named_instance_name>;DatabaseName=<database_name>;SnapshotSerializable=true

Oracle                  jdbc:informatica:oracle://<host_name>:<port_number>;SID=<database_name>;MaxPooledStatements=20;CatalogOptions=0;BatchPerformanceWorkaround=true

7. If the Model repository database is secured with the SSL protocol, you must enter the secure database
parameters in the Secure JDBC Parameters field.
Enter the parameters as name=value pairs separated by semicolon characters (;). For example:
param1=value1;param2=value2

Enter the following secure database parameters:

Secure Database Parameter    Description

EncryptionMethod             Required. Indicates whether data is encrypted when transmitted over the network.
                             This parameter must be set to SSL.

ValidateServerCertificate    Optional. Indicates whether Informatica validates the certificate that the
                             database server sends.
                             If this parameter is set to True, Informatica validates the certificate that the
                             database server sends. If you specify the HostNameInCertificate parameter,
                             Informatica also validates the host name in the certificate.
                             If this parameter is set to False, Informatica does not validate the certificate
                             that the database server sends. Informatica ignores any truststore information
                             that you specify.

HostNameInCertificate        Optional. Host name of the machine that hosts the secure database. If you
                             specify a host name, Informatica validates the host name included in the
                             connection string against the host name in the SSL certificate.

cryptoProtocolVersion        Required. Specifies the cryptographic protocol to use to connect to a secure
                             database. You can set the parameter to cryptoProtocolVersion=TLSv1.1 or
                             cryptoProtocolVersion=TLSv1.2 based on the cryptographic protocol used by
                             the database server.

TrustStore                   Required. Path and file name of the truststore file that contains the SSL
                             certificate for the database.
                             If you do not include the path for the truststore file, Informatica looks for the
                             file in the following default directory:
                             <Informatica installation directory>/tomcat/bin

TrustStorePassword           Required. Password for the truststore file for the secure database.

Note: Informatica appends the secure JDBC parameters to the JDBC connection string. If you include the
secure JDBC parameters directly in the connection string, do not enter any parameter in the Secure
JDBC Parameters field.
8. Click Test Connection to verify that you can connect to the database.
9. Select No content exists under specified connection string. Create new content.
10. Click Finish.
The domain creates the Model Repository Service, creates content for the Model repository in the
specified database, and enables the service.
After you create the service through the wizard, you can edit the properties or configure other properties.
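
The following linter is an added example, not part of the Informatica guide or Informatica tooling. It checks a Secure JDBC Parameters string against the parameter table in step 7 before you paste it into the wizard, and treats ValidateServerCertificate=False as a failure because the guide states that the truststore is then ignored. The function names, the sample strings, and the case-insensitive name matching are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Informatica tooling): lint a Secure JDBC Parameters string
# against the parameter table above. Function names are hypothetical.

# Constructed sample inputs; host, paths and password are placeholders.
SAMPLE_GOOD='EncryptionMethod=SSL;ValidateServerCertificate=True;HostNameInCertificate=db01.example.internal;cryptoProtocolVersion=TLSv1.2;TrustStore=/opt/certs/db_truststore.jks;TrustStorePassword=placeholder'
SAMPLE_WEAK='EncryptionMethod=SSL;ValidateServerCertificate=False;cryptoProtocolVersion=TLSv1.1;TrustStore=db_truststore.jks;TrustStorePassword=placeholder'

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Print the value of parameter $2 in the name=value;name=value string $1.
# Names are compared case-insensitively so that a differently cased name is
# not missed; if a name repeats, the last value is printed. Returns 1 if absent.
jdbc_param() {
    printf '%s\n' "$1" | tr ';' '\n' | awk -v want="$2" '
        index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (tolower(name) == tolower(want)) {
                value = substr($0, index($0, "=") + 1); found = 1
            }
        }
        END { if (!found) exit 1; print value }'
}

# Print findings for the string $1. Parameter values are never echoed, so the
# truststore password does not reach a log. Returns 0 only when nothing FAILs.
lint_secure_jdbc() {
    p=$1; rc=0

    [ "$(lc "$(jdbc_param "$p" EncryptionMethod)")" = "ssl" ] ||
        { echo "FAIL: EncryptionMethod is required and must be SSL"; rc=1; }

    ver=$(jdbc_param "$p" cryptoProtocolVersion) || ver=
    case $ver in
        TLSv1.2) ;;
        TLSv1.1) echo "WARN: TLSv1.1 is deprecated (RFC 8996); use TLSv1.2 if the database server supports it" ;;
        "")      echo "FAIL: cryptoProtocolVersion is required"; rc=1 ;;
        *)       echo "WARN: cryptoProtocolVersion is not one of the values listed above" ;;
    esac

    ts=$(jdbc_param "$p" TrustStore) || ts=
    case $ts in
        "")  echo "FAIL: TrustStore is required"; rc=1 ;;
        */*) ;;
        *)   echo "NOTE: TrustStore has no path; it is looked up in <Informatica installation directory>/tomcat/bin" ;;
    esac
    [ -n "$(jdbc_param "$p" TrustStorePassword)" ] ||
        { echo "FAIL: TrustStorePassword is required"; rc=1; }

    case $(lc "$(jdbc_param "$p" ValidateServerCertificate)") in
        true)
            [ -n "$(jdbc_param "$p" HostNameInCertificate)" ] ||
                echo "WARN: HostNameInCertificate is not set; the host name in the certificate is not checked" ;;
        false)
            echo "FAIL: ValidateServerCertificate=False turns off certificate validation; the truststore is ignored"
            rc=1 ;;
        *)  echo "WARN: ValidateServerCertificate is not set to True; the guide does not state the default, so set it explicitly" ;;
    esac
    return $rc
}

# Demonstration on the constructed weak sample.
lint_secure_jdbc "$SAMPLE_WEAK" || true
```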

After You Create the Model Repository Service


After you create the Model Repository Service, perform the following tasks:

• Create the Model repository user.
• Create other application services.

Create Other Services
After you create the Model Repository Service, create the application services that depend on the Model
Repository Service.

Create the dependent services in the following order:

1. Data Integration Service
2. Informatica Cluster Service, if you chose the internal Hadoop cluster option for the Enterprise Data
Catalog installation
3. Catalog Service
4. Email Service, if you want users to receive email alerts on Catalog Service status
5. Content Management Service

Create and Configure the Data Integration Service


The Data Integration Service is an application service that performs data integration jobs for Informatica
Administrator, Enterprise Data Catalog, and Catalog Administrator.

When you run scans on resources and view the metadata and profiling statistics in Enterprise Data Catalog,
the client tool sends requests to the Data Integration Service to perform the data integration jobs.

Create the Data Integration Service


Use the service creation wizard in the Administrator tool to create the service.

Before you create the Data Integration Service, verify that you have created and enabled the Model Repository
Service. You also need to verify that you have created a Model repository user that the Data Integration
Service can use to access the Model Repository Service.

1. In the Administrator tool, click the Manage tab.
2. Click the Services and Nodes view.
3. In the Domain Navigator, select the domain.
4. Click Actions > New > Data Integration Service.
The New Data Integration Service wizard appears.
5. On the New Data Integration Service - Step 1 of 14 page, enter the following properties:

Property                    Description

Name                        Name of the service. The name is not case sensitive and must be unique within the
                            domain. It cannot exceed 128 characters or begin with @. It also cannot contain
                            spaces or the following special characters:
                            `~%^*+={}\;:'"/?.,<>|!()][

Description                 Description of the service. The description cannot exceed 765 characters.

Location                    Domain and folder where the service is created. Click Browse to choose a different
                            folder. You can move the service after you create it.

License                     License object that allows use of the service.

Assign                      Select Node to configure the service to run on a node. If your license includes
                            grid, you can create a grid and assign the service to run on the grid after you
                            create the service.

Node                        Node on which the service runs.

Backup Nodes                If your license includes high availability, nodes on which the service can run if
                            the primary node is unavailable.

Model Repository Service    Model Repository Service to associate with the service.

Username                    User name that the service uses to access the Model Repository Service. Enter the
                            Model repository user that you created.

Password                    Password for the Model repository user.

Security Domain             LDAP security domain for the Model repository user. The field appears when the
                            Informatica domain contains an LDAP security domain. Not available for a domain
                            with Kerberos authentication.

6. Click Next.
The New Data Integration Service - Step 2 of 14 page appears.
7. Enter the HTTP port number to use for the Data Integration Service.
8. Accept the default values for the remaining security properties. You can configure the security properties
after you create the Data Integration Service.
9. Select Enable Service.
The Model Repository Service must be running to enable the Data Integration Service.
10. Verify that the Move to plugin configuration page is not selected.
11. Click Next.
The New Data Integration Service - Step 3 of 14 page appears.
12. Set the Launch Job Options property to one of the following values:
• In the service process. Configure when you run SQL data service and web service jobs. SQL data
service and web service jobs typically achieve better performance when the Data Integration Service
runs jobs in the service process.
• In separate local processes. Configure when you run mapping, profile, and workflow jobs. When the
Data Integration Service runs jobs in separate local processes, stability increases because an
unexpected interruption to one job does not affect all other jobs.
If you configure the Data Integration Service to run on a grid after you create the service, you can
configure the service to run jobs in separate remote processes.
13. Accept the default values for the remaining execution options and click Next.
The New Data Integration Service - Step 4 of 14 page appears.

14. If you created the data object cache database for the Data Integration Service, click Select to select the
cache connection. Select the data object cache connection that you created for the service to access the
database.
15. Accept the default values for the remaining properties on this page and click Next.
The New Data Integration Service - Step 5 of 14 page appears.
16. For optimal performance, enable the Data Integration Service modules that you plan to use.
The following table lists the Data Integration Service modules that you can enable:

Module                                    Description

Web Service Module                        Runs web service operation mappings.
Mapping Service Module                    Runs mappings and previews.
Profiling Service Module                  Runs profiles and scorecards.
SQL Service Module                        Runs SQL queries from a third-party client tool to an SQL data service.
Workflow Orchestration Service Module     Runs workflows.

17. Click Next.
The New Data Integration Service - Step 6 of 14 page appears.
You can configure the HTTP proxy server properties to redirect HTTP requests to the Data Integration
Service. You can configure the HTTP configuration properties to filter the web services client machines
that can send requests to the Data Integration Service. You can configure these properties after you
create the service.
18. Accept the default values for the HTTP proxy server and HTTP configuration properties and click Next.
The New Data Integration Service - Step 7 of 14 page appears.
The Data Integration Service uses the result set cache properties to use cached results for SQL data
service queries and web service requests. You can configure the properties after you create the service.
19. Accept the default values for the result set cache properties and click Next.
The New Data Integration Service - Step 8 of 14 page appears.
20. If you created the profiling warehouse database for the Data Integration Service, select the Profiling
Service module.
21. If you created the workflow database for the Data Integration Service, select the Workflow Orchestration
Service module.
22. Verify that the remaining modules are not selected.
You can configure properties for the remaining modules after you create the service.
23. Click Next.
The New Data Integration Service - Step 11 of 14 page appears.
24. If you created the profiling warehouse database for the Data Integration Service, click Select to select
the database connection. Select the profiling warehouse connection that you created for the service to
access the database.
25. Select whether or not content exists in the profiling warehouse database.
If you created a new profiling warehouse database, select No content exists under specified connection
string.

26. Click Next.
The New Data Integration Service - Step 12 of 14 page appears.
27. Accept the default values for the advanced profiling properties and click Next.
The New Data Integration Service - Step 14 of 14 page appears.
28. If you created the workflow database for the Data Integration Service, click Select to select the database
connection. Select the workflow database connection that you created for the service to access the
database.
29. Click Finish.
The domain creates and enables the Data Integration Service.
After you create the service through the wizard, you can edit the properties or configure other properties.

After You Create the Data Integration Service


After you create the Data Integration Service, perform the following tasks:

• Verify the host file configuration on Linux.
• Create other application services.

Verify the Host File Configuration on Linux


If you configured the Data Integration Service on Linux to launch jobs as separate processes, verify that the
host file on the node that runs the service contains a localhost entry. Otherwise, jobs fail when the Launch
Jobs as Separate Processes property for the Data Integration Service is enabled.

Create Other Services (DIS)


After you create the Data Integration Service, create the application services that depend on the Data
Integration Service.

Create the dependent services in the following order:

1. Informatica Cluster Service if you choose internal Hadoop cluster for deploying Enterprise Information
Catalog.
2. Catalog Service
3. Content Management Service

Creating the Catalog Service


Create the Catalog Service to run the Enterprise Data Catalog application and manage the connections
between the Enterprise Data Catalog components. You can configure the general, application service, and
security properties of the Catalog Service.

Note: The Catalog Service has the same privileges as the user account that creates it. Ensure that the user
account does not have privileges to read or modify sensitive files on the system.

1. In the Administrator tool, select a domain, and click the Services and Nodes tab.
2. On the Actions menu, click New > Catalog Service.

The New Catalog Service Step 1 of 4 dialog box appears.
3. Configure the general properties in the dialog box.
The following table describes the properties:

Property       Description

Name           Name of the service. The name is not case-sensitive and must be unique within the domain. The
               name cannot exceed 128 characters or begin with @. The name cannot contain character spaces.
               The characters in the name must be compatible with the code page of the Model repository that
               you associate with the Catalog Service.
               The name cannot contain the following special characters:
               `~%^*+={}\;:'"/?.,<>|!()][

Description    Description of the service. The description cannot exceed 765 characters.

Location       Domain in which the service runs.

License        License to assign to the Catalog Service. Select the license that you installed with
               Informatica.

Assign         Node configuration type. Specify whether the node is in a single node, high availability, or
               grid environment.

Node           Node in the Informatica domain on which the Catalog Service runs. If you change the node, you
               must recycle the Catalog Service.

4. Click Next.
The New Catalog Service - Step 2 of 4 dialog box appears.
5. Configure the application service properties in the dialog box.
The following table describes the properties:

Property                      Description

Model Repository Service      Model Repository Service to associate with the Catalog Service. The Model
                              Repository Service manages the Model repository that Enterprise Data Catalog
                              uses. If you update the property to specify a different Model Repository
                              Service, recycle the Catalog Service.

User name                     The database user name for the Model repository.

Password                      An encrypted version of the database password for the Model repository.

Data Integration Service      Data Integration Service that you want to associate with the Catalog Service so
                              that you can perform profiling and data domain discovery in Enterprise Data
                              Catalog. If you update the property to specify a different Data Integration
                              Service, recycle the Catalog Service.

Content Management Service    Optional property. Application service that manages reference data. You specify
                              this property if you want to include data domains in the Enterprise Data
                              Catalog results.

6. Click Next.
The New Catalog Service - Step 3 of 4 dialog box appears.
7. Configure the security properties in the dialog box.

The following table describes the properties:

Property                           Description

HTTP Port                          A unique HTTP port number used for each Data Integration Service process.
                                   The default is 8085.

Enable Transport Layer Security    Indicates that the Catalog Service must use HTTPS. If you did not configure
                                   the Data Integration Service to use HTTPS, the Catalog Service does not
                                   start.

HTTPS Port                         Port number for the HTTPS connection.

Keystore File                      Path and file name of the keystore file. The keystore file contains the keys
                                   and certificates required if you use the SSL security protocol with Catalog
                                   Administrator. Required if you select Enable Transport Layer Security.

Keystore Password                  Password for the keystore file. Required if you select Enable Transport
                                   Layer Security.

SSL Protocol                       Secure Sockets Layer protocol to use.

8. Click Next.
The New Catalog Service - Step 4 of 4 dialog box appears.
9. Configure the Hadoop cluster properties in the dialog box.
The following table describes the properties:

Property                               Description

External Cluster                       Indicates the deployment type for Enterprise Data Catalog. You can choose
                                       to deploy in an internal Hadoop cluster or an external Hadoop cluster on
                                       Cloudera.

Zookeeper Addresses                    Applies to external cluster. Multiple Zookeeper addresses in a
                                       comma-separated list.

HDFS Namenode URI                      Applies to external cluster. The URI to access HDFS.
                                       Use the following format to specify the NameNode URI in the Cloudera
                                       distribution: hdfs://<Namenode>:<Port>
                                       Where
                                       - <Namenode> is the host name or IP address of the NameNode.
                                       - <Port> is the port number on which the NameNode listens for Remote
                                         Procedure Calls (RPC).

Yarn resource manager URI              Applies to external cluster. The service within Hadoop that submits the
                                       MapReduce tasks to specific nodes in the cluster.
                                       Use the following format: <Hostname>:<Port>
                                       Where
                                       - Hostname is the name or IP address of the Yarn resource manager.
                                       - Port is the port number on which the Yarn resource manager listens for
                                         Remote Procedure Calls (RPC).

Yarn resource manager http URI         Applies to external cluster. http URI value for the Yarn resource manager.

Yarn resource manager scheduler URI    Applies to external cluster. Scheduler URI value for the Yarn resource
                                       manager.

Service Cluster Name                   Name of the service cluster. Ensure that you have a directory
                                       /Informatica/LDM/<ServiceClusterName> in HDFS.
                                       Note: If you do not specify a service cluster name, Enterprise Data
                                       Catalog considers DomainName_CatalogServiceName as the default value.
                                       You must then have the
                                       /Informatica/LDM/<DomainName>_<CatalogServiceName> directory in HDFS.
                                       Otherwise, Catalog Service might fail.

Is Cluster Secure                      Applies to external cluster. Choose to enable cluster authentication.

Enable Service                         Select the option to enable the Catalog Service.

Informatica Cluster Service            Applies to internal cluster. Name of the Informatica Cluster Service,
                                       which is an application service that Enterprise Data Catalog uses in
                                       internal cluster deployment.

10. Click Finish.
If you did not choose to enable the Catalog Service earlier, you must recycle the service to start it.

Email Service
The Email Service is a system service that manages email notifications on the status of Catalog Service.

Enable the Email Service to allow Informatica administrators to configure email notifications. You can
configure the service to run on multiple nodes. Designate the primary node to run the service. All other nodes
are backup nodes for the service. If the primary node is not available, the service runs on a backup node.

Email Notification Overview


You can configure and receive email notifications on Catalog Service status to closely monitor and
troubleshoot the application service issues. You use the Email Service and an associated Model Repository
Service to send email notifications. The Model repository stores metadata for the email notifications that you
configure. The Model Repository Service and the Email Service must be running for the Email Service to send
email notifications.

Email Notification Process


To receive email notifications on Catalog Service status, you must configure and enable the Email Service
before you enable the Catalog Service. You need to specify a Model Repository Service when you configure
the Email Service. If you change the Model Repository Service for the Email Service at run time, recycle
the Email Service first, followed by the Catalog Service, to reflect the changes in the Catalog Service.

You can perform the following tasks to complete the email notification process:

1. Configure and enable the Email Service in Informatica Administrator. For more information about
enabling the Email Service, see the Informatica Application Services Guide.

2. When you create the Catalog Service as part of the Enterprise Information Catalog installation, using the
infacmd command line program, or in Informatica Administrator, choose to receive email alerts.
3. Enable the Catalog Service.
4. Create a user and configure the email ID that needs to receive the email alerts.
5. Assign the Admin - Monitoring privilege to the user.

Troubleshooting Email Notifications


If you do not receive email notifications on Catalog Service status as expected, verify that the email alert
configuration meets the requirements for the email notifications.

Verify the following conditions are true when you troubleshoot email notifications:

• Catalog Service and associated services, such as Model Repository Service and Data Integration Service,
are enabled and running.
• If you changed the Model Repository Service associated with the Email Service, you recycled the Email
Service followed by the Catalog Service.
• If you changed the Email Service configuration, you restarted the Email Service followed by the Catalog
Service.
• You configured a valid email ID for the email recipient or user in the Informatica domain.

Content Management Service


The Content Management Service is an application service that manages reference data. A reference data
object contains a set of data values that you can search while performing data quality operations on source
data. The Content Management Service also compiles rule specifications into mapplets. A rule specification
object describes the data requirements of a business rule in logical terms.

The Content Management Service uses the Data Integration Service to run mappings to transfer data
between reference tables and external data sources. The Content Management Service also provides
transformations, mapping specifications, and rule specifications with the following types of reference data:

• Address reference data
• Identity populations
• Probabilistic models and classifier models
• Reference tables

Create the Content Management Service


Use the service creation wizard in the Administrator tool to create the service.

Before you create the Content Management Service, verify that you have created and enabled the Model
Repository Service and Data Integration Service. You also need to verify that you have created a Model
repository user that the Content Management Service can use to access the Model Repository Service.

1. In the Administrator tool, click the Manage tab.
2. Click Actions > New > Content Management Service.
The New Content Management Service dialog box appears.

3. On the New Content Management Service - Step 1 of 2 page, enter the following properties:

Property                  Description

Name                      Name of the service. The name is not case sensitive and must be unique
                          within the domain. It cannot exceed 128 characters or begin with @. It
                          also cannot contain spaces or the following special characters:
                          `~%^*+={}\;:'"/?.,<>|!()][

Description               Description of the service. The description cannot exceed 765 characters.

Location                  Domain and folder where the service is created. Click Browse to choose a
                          different folder. You can move the service after you create it.

License                   License object that allows use of the service.

Node                      Node on which the service runs.

HTTP Port                 HTTP port number to use for the Content Management Service.

Data Integration Service  Data Integration Service to associate with the service. The Data
                          Integration Service and the Content Management Service must run on the
                          same node.

Model Repository Service  Model Repository Service to associate with the service.

Username                  User name that the service uses to access the Model Repository Service.
                          Enter the Model repository user that you created.

Password                  Password for the Model repository user.

Security Domain           LDAP security domain for the Model repository user. The field appears
                          when the Informatica domain contains an LDAP security domain. Not
                          available for a domain with Kerberos authentication.

Reference Data Location   Reference data warehouse connection that you created for the Content
                          Management Service to access the reference data warehouse. Click Select
                          to select the connection.

4. Click Next.
The New Content Management Service - Step 2 of 2 page appears.
5. Accept the default values for the security properties.
6. Select Enable Service.
The Model Repository Service and Data Integration Service must be running to enable the Content
Management Service.
7. Click Finish.
The domain creates and enables the Content Management Service.
After you create the service through the wizard, you can edit the properties or configure other properties.

Chapter 6

Users and Groups Overview


To access the application services and objects in the Informatica domain and to use the application clients,
you must have a user account.

During installation, a default administrator user account is created. Use the default administrator account to
log in to the Informatica domain and manage application services, domain objects, and other user accounts.
When you log in to the Informatica domain after installation, change the password to ensure security for the
Informatica domain and applications.

User account management in Informatica involves the following key components:

• Users. You can set up different types of user accounts in the Informatica domain. Users can perform
tasks based on the roles, privileges, and permissions assigned to them.
• Authentication. When a user logs in to an application client, the Service Manager authenticates the user
account in the Informatica domain and verifies that the user can use the application client. The
Informatica domain can use native or LDAP authentication to authenticate users. The Service Manager
organizes user accounts and groups by security domain. It authenticates users based on the security
domain the user belongs to.
• Groups. You can set up groups of users and assign different roles, privileges, and permissions to each
group. The roles, privileges, and permissions assigned to the group determine the tasks that users in the
group can perform within the Informatica domain.
• Privileges and roles. Privileges determine the actions that users can perform in application clients. A role
is a collection of privileges that you can assign to users and groups. You assign roles or privileges to
users and groups for the domain and for application services in the domain.
• Account lockout. You can configure account lockout to lock a user account when the user specifies an
incorrect login in the Administrator tool or any application clients, like the Developer tool and Analyst tool.
You can also unlock a user account.

Users
A user with an account in the Informatica domain can log in to the following application clients:

• Informatica Administrator
• Informatica Developer

The Users section of the Navigator organizes users into security domain folders. A security domain is a
collection of user accounts and groups in an Informatica domain. Native authentication uses the Native
security domain which contains the users and groups created and managed in the Administrator tool. LDAP
authentication uses LDAP security domains which contain users and groups imported from the LDAP
directory service.

When you select a security domain folder in the Users section of the Navigator, the contents panel displays
all users belonging to the security domain. Right-click a user and select Navigate to Item to display the user
details in the contents panel.

When you select a user in the Navigator, the contents panel displays the following tabs:

• Overview. Displays general properties of the user and all groups to which the user belongs.
• Privileges. Displays the privileges and roles assigned to the user for the domain and for application
services in the domain.

Understanding User Accounts


An Informatica domain can have the following types of accounts:

• Default administrator
• Domain administrator
• Application client administrator
• User
The Informatica domain has a default administrator account.

Default Administrator
When you install Informatica services, the installer creates the default administrator with a user name and
password you provide. You can use the default administrator account to initially log in to the Administrator
tool.

The default administrator has administrator permissions and privileges on the domain and all application
services.

The default administrator can perform the following tasks:

• Create, configure, and manage all objects in the domain, including nodes, application services, and
administrator and user accounts.
• Configure and manage all objects and user accounts created by other domain administrators and
application client administrators.
• Log in to any application client.

The default administrator is a user account in the native security domain. You cannot create a default
administrator. You cannot disable or modify the user name or privileges of the default administrator. You can
change the default administrator password.

Domain Administrator
A domain administrator can create and manage objects in the domain.

The domain administrator can log in to the Administrator tool and create and configure application services
in the domain. However, by default, the domain administrator cannot log in to application clients. The default
administrator must explicitly give a domain administrator full permissions and privileges to the application
services so that they can log in and perform administrative tasks in the application clients.

To create a domain administrator, assign a user the Administrator role for a domain.

Application Client Administrator


An application client administrator can create and manage objects in an application client. You must create
administrator accounts for the application clients. To limit administrator privileges and keep application
clients secure, create a separate administrator account for each application client.

By default, the application client administrator does not have permissions or privileges on the domain.
Without permissions or privileges on the domain, the application client administrator cannot log in to the
Administrator tool to manage the application service.

You can set up the following application client administrators:

Informatica Developer administrator

Has full permissions and privileges in Informatica Developer. The Informatica Developer administrator
can log in to Informatica Developer to create and manage projects and objects in projects and perform
all tasks in the application client.

To create an Informatica Developer administrator, assign a user the Administrator role for a Model
Repository Service.

Catalog administrator

The administration tasks include configuring resources, assigning schedules, and custom attributes. The
administrator also monitors the tasks that extract metadata using the resources.

User
A user with an account in the Informatica domain can perform tasks in the application clients.

Typically, the default administrator or a domain administrator creates and manages user accounts and
assigns roles, permissions, and privileges in the Informatica domain. However, any user with the required
domain privileges and permissions can create a user account and assign roles, permissions, and privileges.

Users can perform tasks in application clients based on the privileges and permissions assigned to them.

Managing Users
You can create, edit, and delete users in the native security domain. You cannot delete or modify the
properties of user accounts in the LDAP security domains. You cannot modify the user assignments to LDAP
groups.

You can create, edit, and delete users depending on the type of license. You can assign roles, permissions,
and privileges to a user account in the native security domain or an LDAP security domain. The roles,
permissions, and privileges assigned to the user determine the tasks the user can perform within the
Informatica domain.

You can also unlock a user account.

Groups
A group is a collection of users and groups that can have the same privileges, roles, and permissions.

The Groups section of the Navigator organizes groups into security domain folders. A security domain is a
collection of user accounts and groups in an Informatica domain. Native authentication uses the Native
security domain which contains the users and groups created and managed in the Administrator tool. LDAP
authentication uses LDAP security domains which contain users and groups imported from the LDAP
directory service.

When you select a security domain folder in the Groups section of the Navigator, the contents panel displays
all groups belonging to the security domain. Right-click a group and select Navigate to Item to display the
group details in the contents panel.

When you select a group in the Navigator, the contents panel displays the following tabs:

• Overview. Displays general properties of the group and users assigned to the group.
• Privileges. Displays the privileges and roles assigned to the group for the domain and for application
services in the domain.

Default Groups
The Informatica domain has a set of user groups that are created during installation.

By default, the Informatica domain has the following user groups after installation:

• Administrator
• Everyone
• Operator

Administrator Group
The Informatica domain includes a default group named Administrator. The default administrator account
created during installation belongs to this group.

The Administrator group has administrator permissions and privileges on the domain and all application
services. You can add users to or remove users from the Administrator group. All users in the Administrator
group have the same permissions and privileges as the default administrator created during installation.

You cannot delete the default administrator account from the Administrator group and you cannot delete the
Administrator group.

Everyone Group
The Informatica domain includes a default group named Everyone. All users in the domain belong to the
group.

By default, the Everyone group does not have any privileges. You can assign privileges, roles, and
permissions to the Everyone group to grant the same access to all users.

You cannot perform the following tasks on the Everyone group:

• Edit or delete the Everyone group.
• Add users to or remove users from the Everyone group.
• Move a group to the Everyone group.

Operator Group
The Informatica domain includes a default group named Operator.

By default, the Operator group has permission on all of the objects in the domain. You can assign the
Operator role to the Operator group and use it to manage the Operator users in the domain.

You can perform the following tasks on the Operator group:

• Assign privileges and roles to the group.
• Add users to or remove users from the group.
• Move a group to the group.
• Edit or delete the group.

Managing Groups
You can create, edit, and delete groups in the native security domain.

You can assign roles, permissions, and privileges to a group in the native or an LDAP security domain. You
cannot delete or modify the properties of group accounts in the LDAP security domains. The roles,
permissions, and privileges assigned to the group determine the tasks that users in the group can perform
within the Informatica domain.

Chapter 7

Privileges and Roles Overview


You manage user security with privileges and roles.

Privileges
Privileges determine the actions that users can perform in application clients. Informatica includes the
following privileges:

• Analyst Service privilege. Determines actions that users can perform using Informatica Analyst.
• Content Management Service privilege. Determines actions that users can perform using reference tables
in the Informatica Developer tool and the Informatica Analyst tool.
• Data Integration Service privilege. Determines actions on applications that users can perform using the
Administrator tool and the infacmd command line program. This privilege also determines whether users
can drill down and export profile results.
• Model Repository Service privilege. Determines actions on projects that users can perform using
Informatica Analyst and Informatica Developer.

Informatica also includes domain privileges that determine actions that users can perform using the
Administrator tool.

You assign privileges to users and groups for application services. You can assign different privileges to a
user for each application service of the same service type.

You assign privileges to users and groups on the Security tab of the Administrator tool.

The Administrator tool organizes privileges into levels. A privilege is listed below the privilege that it includes.
Some privileges include other privileges. When you assign a privilege to users and groups, the Administrator
tool also assigns any included privileges.

Privilege Groups
The domain and application service privileges are organized into privilege groups. A privilege group is an
organization of privileges that define common user actions. For example, the domain privileges include the
following privilege groups:

• Tools. Includes privileges to log in to the Administrator tool.
• Security Administration. Includes privileges to manage users, groups, roles, and privileges.
• Domain Administration. Includes privileges to manage the domain, folders, nodes, grids, licenses, and
application services.
• Monitoring. Includes privileges to monitor Ultra Messaging deployments and view statistics.

Tip: When you assign privileges to users and user groups, you can select a privilege group to assign all
privileges in the group.

Roles
A role is a collection of privileges that you assign to a user or group. Privileges determine the actions that
users can perform. You assign a role to users and groups for the domain and for application services in the
domain.

The Roles section of the Navigator organizes roles into the following folders:

• System-defined Roles. Contains roles that you cannot edit or delete. The Administrator role is a system-
defined role.
• Custom Roles. Contains roles that you can create, edit, and delete. The Administrator tool includes some
custom roles that you can edit and assign to users and groups.
When you select a folder in the Roles section of the Navigator, the contents panel displays all roles belonging
to the folder. Right-click a role and select Navigate to Item to display the role details in the contents panel.

When you select a role in the Navigator, the contents panel displays the following tabs:

• Overview. Displays general properties of the role and the users and groups that have the role assigned for
the domain and application services.
• Privileges. Displays the privileges assigned to the role for the domain and application services.

Content Management Service Privileges
The Content Management Service privileges determine actions that licensed users can perform on reference
tables.

The following table lists the privileges and permissions required to manage reference tables:

Privilege                               Permission        Description

Create Reference Tables                 Write on project  - Create a reference table in the Analyst and Developer tool.
                                                          - Create a reference table with infacmd rtm import.
                                                          - Import a reference table object to the Model repository.
                                                          - Copy a reference table in the Analyst and Developer tool.
                                                          - Create a reference table from profile data.
                                                          Note: The Create privilege also grants the Edit privilege by default.

Edit Reference Table Data and Metadata  Read on project   - Edit reference table data values in the Developer tool and Analyst tool.
                                                          - Add profile data to a reference table.
                                                          - Add or delete columns in a reference table. Change reference table
                                                            metadata such as column names, descriptions, and default values.

Data Integration Service Privilege


The Data Integration Service privileges determine actions that users can perform on applications using the
Administrator tool and the infacmd command line program. They also determine whether users can drill
down and export profile results using the Analyst tool and the Developer tool.

The following table lists the required permissions and the actions that users can perform with the privilege in
the Application Administration privilege group:

Privilege Name       Permission On             Description

Manage Applications  Data Integration Service  User is able to perform the following actions:
                                               - Back up and restore an application to a file.
                                               - Deploy an application to a Data Integration Service and resolve
                                                 name conflicts.
                                               - Start an application after deployment.
                                               - Find an application.
                                               - Start or stop objects in an application.
                                               - Configure application properties.

The following table lists the required permissions and the actions that users can perform with the privilege in
the Profiling Administration privilege group:

Privilege Name                Permission On                              Description

Drilldown and Export Results  Read on project                            User is able to perform the following actions:
                              Execute on relational data source          - Drill down profiling results.
                              connection is also required to drill down  - Export profiling results.
                              on live data

Model Repository Service Privileges


The Model Repository Service privileges determine actions that users can perform on projects using
Informatica Analyst and Informatica Developer.

The Model repository object permissions determine the tasks that users can complete on objects in projects.

The following table lists the required permissions and the actions that users can perform with the Model
Repository Service privileges:

Privilege                          Permission         Description

N/A                                Read on project    User can view projects and objects in projects.

N/A                                Write on project   User can create, edit, and delete objects in projects.

N/A                                Grant on project   User can grant and revoke permissions on projects for users and groups.

Access Analyst                     N/A                User can access the Model repository from the Analyst tool.

Access Developer                   N/A                User can access the Model repository from the Developer tool.

Create, Edit, and Delete Projects  N/A                User can create projects.

Create, Edit, and Delete Projects  Write on projects  User can perform the following actions:
                                                      - Edit projects.
                                                      - Delete projects if the user created the projects.
                                                      - Upgrade the content of the Model Repository Service. To upgrade the
                                                        service from the Actions menu or from the command line, the user must
                                                        also have the Manage Service privilege for the domain and permission
                                                        on the Model Repository Service. To upgrade the service using the
                                                        service upgrade wizard, the user must also have the Administrator role
                                                        for the domain.

Manage Data Domains                N/A                User can create, edit, and delete data domains in the data domain
                                                      glossary. This privilege is part of the Data Domain Administration
                                                      privilege group.

Manage Notifications               N/A                User can configure scorecard notifications. This privilege is part of the
                                                      Profiling Administration privilege group.

Manage Team-based Development      N/A                User can manage the locked or unlocked states of Model repository
                                                      objects. If the Model repository is integrated with a version control
                                                      system, the user can manage the checked out or checked in states of
                                                      objects. The user can also manage the ownership of checked-out objects.

Show Security Details              N/A                User can view the following details:
                                                      - Names of projects for which users do not have read permission.
                                                      - Error and warning message details.

Privilege                          Permission         Description

N/A                                Read on project    User can view projects and objects in projects.

N/A                                Write on project   User can create, edit, and delete objects in projects.

N/A                                Grant on project   User can grant and revoke permissions on projects for users and groups.

Access Developer                   N/A                User can access the Model repository from the Developer tool.

Create, Edit, and Delete Projects  N/A                User can perform the following actions:
                                                      - Create projects.
                                                      - Upgrade the Model Repository Service.

Create, Edit, and Delete Projects  Write on project   User can perform the following actions:
                                                      - Edit projects.
                                                      - Delete projects if the user created the projects.

Show Security Details              N/A                User can view the following details:
                                                      - Names of projects for which users do not have read permission.
                                                      - Error and warning message details.

Catalog Service Privileges


The Catalog Service privileges determine the actions that users can perform on Catalog Administrator and
Enterprise Data Catalog.

The following table lists the required privileges in the Catalog Privileges group and the actions that users can
perform:

Privilege Name                                          Description

Catalog Management: Catalog View                        Users can perform the following actions:
                                                        - View custom attributes
                                                        - Search data assets
                                                        - Filter data assets using search filters
                                                        - View data asset overview
                                                        - View data asset lineage
                                                        - View data asset relationships

Catalog Management: Catalog Edit                        Users can perform the following actions:
                                                        - Edit custom attributes
                                                        - Configure search filters
                                                        - View search filters

Catalog Management: Domain Creation                     Users can perform the following actions:
                                                        - Create data domains
                                                        - Update data domain
                                                        - View data domains
                                                        - Delete data domain

Catalog Management: Domain Curation                     Users can perform the following actions:
                                                        - View data domains
                                                        - Accept or reject data domains

Resource Management: Admin - View Resource              Users can perform the following actions:
                                                        - View resource
                                                        - View schedule

Resource Management: Admin - Edit Profiling             Users can perform the following actions:
                                                        - View resource
                                                        - View schedule
                                                        - Update profile settings
                                                        - Create global profiling configuration
                                                        - Update global profiling configuration
                                                        - Delete global profiling configuration
                                                        - View global profiling configuration

Resource Management: Admin - Edit Resource              Users can perform the following actions:
                                                        - Create resource
                                                        - Update resource
                                                        - View resource
                                                        - Delete resource
                                                        - Purge resource
                                                        - Edit profiling settings
                                                        - Create schedule
                                                        - Update schedule
                                                        - Delete schedule
                                                        - View schedule
                                                        - Assign schedule to resource
                                                        - Purge schedule
                                                        - Assign connection
                                                        - Unassign connection

Domain Management: Admin - View Domain and Domaingroup  Users can perform the following actions:
                                                        - View data domain and data domain group

Domain Management: Admin - Edit Domain and Domaingroup  Users can perform the following actions:
                                                        - Create data domains and data domain groups
                                                        - Update data domain and data domain group
                                                        - View data domains and data domain group
                                                        - Delete data domain and data domain group

Data Privileges: View Data                              Users can perform the following actions:
                                                        - View the value frequency results in Enterprise Data Catalog

Data Privileges: View Sensitive Data                    Users can perform the following actions:
                                                        - View the value frequency results for an asset that contains
                                                          sensitive data

Admin - Create Attribute                                Users can perform the following actions:
                                                        - Update system attribute
                                                        - Create custom attribute
                                                        - Update custom attribute
                                                        - Delete custom attribute

Admin - Monitoring                                      Users can perform the following actions:
                                                        - View monitoring job
                                                        - Drill down monitoring job
                                                        - Resume monitoring job
                                                        - Pause monitoring job
                                                        - Cancel monitoring job

The following table lists the required privilege and the action that users can perform with the privilege in the
API Privileges group:

Privilege Name Description

REST API Privilege Users can perform Enterprise Data Catalog functions using REST APIs.

Managing Roles
A role is a collection of privileges that you can assign to users and groups. You can assign the following
types of roles:

• System-defined. Roles that you cannot edit or delete.
• Custom. Roles that you can create, edit, and delete.
A role includes privileges for the domain or an application service type. You assign roles to users or groups
for the domain or for each application service in the domain.

UMSM has the following types of roles:

• Administrator. This is a system-defined role that has privileges to administer the Administrator tool. With
this role, you can create and manage user accounts, create the Ultra Messaging Service and configure it,
configure UMSM components, and UM deployments.
• Operator. This is a custom role that has privileges to monitor UM deployments.

When you select a role in the Roles section of the Navigator, you can view all users and groups that have
been directly assigned the role for the domain and application services. You can view the role assignments
by users and groups or by services. To navigate to a user or group listed in the Assignments section, right-
click the user or group and select Navigate to Item.

You can search for system-defined and custom roles.

System-Defined Roles
A system-defined role is a role that you cannot edit or delete. The Administrator role is a system-defined role.

When you assign the Administrator role to a user or group for the domain, Analyst Service, Data Integration
Service, or Model Repository Service, the user or group is granted all privileges for the service. The
Administrator role bypasses permission checking. Users with the Administrator role can access all objects
managed by the service.

Administrator Role
When you assign the Administrator role to a user or group for the domain or the Data Integration Service, the
user or group can complete some tasks that are determined by the Administrator role, not by privileges or
permissions.

You can assign a user or group all privileges for the domain or the Data Integration Service and then grant the
user or group full permissions on all domains. However, this user or group cannot complete the tasks
determined by the Administrator role.

For example, a user assigned the Administrator role for the domain can configure domain properties in the
Administrator tool. A user assigned all domain privileges and permission on the domain cannot configure
domain properties.

The following table lists the tasks determined by the Administrator role for the domain or the Data Integration
Service:

Service: Domain
Tasks:
- Configure domain properties.
- Create operating system profiles.
- Delete operating system profiles.
- Grant permission on the domain and operating system profiles.
- Manage and purge log events.
- Receive domain alerts.
- Run the License Report.
- View user activity log events.
- Shut down the domain.
- Access the service upgrade wizard.

Service: Data Integration Service
Tasks:
- Upgrade the Data Integration Service using the Actions menu.

Custom Roles
A custom role is a role that you can edit or delete.

By default, the Administrator tool includes the following custom roles:

• Analyst Service custom role


• Operator custom role

You can edit the privileges for these roles, or delete the roles. You can also create your own custom roles.

Assigning Privileges and Roles to Users and Groups


You determine the actions that users can perform by assigning the following items to users and groups:

• Privileges. A privilege determines the actions that users can perform in application clients.
• Roles. A role is a collection of privileges. When you assign a role to a user or group, you assign the
collection of privileges belonging to the role.
Use the following rules and guidelines when you assign privileges and roles to users and groups:

• You assign privileges and roles to users and groups for the domain and for each application service that
is running in the domain.
• You can assign different privileges and roles to a user or group for each application service of the same
service type.
• A role can include privileges for the domain and multiple application service types. When you assign the
role to a user or group for one application service, privileges for that application service type are assigned
to the user or group.
If you change the privileges or roles assigned to a user, the changed privileges or roles take effect the next
time that the user logs in.

Note: You cannot edit the privileges or roles assigned to the default Administrator user account.

Inherited Privileges
A user or group can inherit privileges from the following objects:

• Group. When you assign privileges to a group, all subgroups and users belonging to the group inherit the
privileges.
• Role. When you assign a role to a user, the user inherits the privileges belonging to the role. When you
assign a role to a group, the group and all subgroups and users belonging to the group inherit the
privileges belonging to the role. The subgroups and users do not inherit the role.
You cannot revoke privileges inherited from a group or role. You can assign additional privileges to a user or
group that are not inherited from a group or role.

The Privileges tab for a user or group displays all the roles and privileges assigned to the user or group for
the domain and for each application service. Expand the domain or application service to view the roles and
privileges assigned for the domain or service. Click the following items to display additional information
about the assigned roles and privileges:

• Name of an assigned role. Displays the role details on the details panel.
• Information icon for an assigned role. Highlights all privileges inherited with that role.
Privileges that are inherited from a role or group display an inheritance icon. The tooltip for an inherited
privilege displays which role or group the user inherited the privilege from.



Chapter 8

Permissions Overview
You manage user security with privileges and permissions. Permissions define the level of access that users
and groups have to an object.

Even if a user has the privilege to perform certain actions, the user may also require permission to perform
the action on a particular object.

You use different tools to configure permissions on the following objects:

Object Type: Connection objects
Tool: Administrator tool, Analyst tool, Developer tool, Enterprise Information Catalog
Description: You can assign permissions on connections defined in the Administrator tool, Analyst tool, or
Developer tool. These tools share the connection permissions.

Object Type: Domain objects
Tool: Administrator tool
Description: You can assign permissions on the following domain objects: domain, folders, nodes, grids,
licenses, application services, and operating system profiles.

Object Type: Model repository projects
Tool: Analyst tool, Developer tool
Description: You can assign permissions on projects defined in the Analyst tool and Developer tool. These
tools share project permissions.

Types of Permissions
Users and groups can have the following types of permissions in a domain:

Direct permissions

Permissions that are assigned directly to a user or group. When users and groups have permission on an
object, they can perform administrative tasks on that object if they also have the appropriate privilege.
You can edit direct permissions.

Inherited permissions

Permissions that users inherit. When users have permission on a domain or a folder, they inherit
permission on all objects in the domain or the folder. When groups have permission on a domain object,
all subgroups and users belonging to the group inherit permission on the domain object. For example, a
domain has a folder named Nodes that contains multiple nodes. If you assign a group permission on the
folder, all subgroups and users belonging to the group inherit permission on the folder and on all nodes
in the folder.


You cannot revoke inherited permissions. You also cannot revoke permissions from users or groups
assigned the Administrator role. The Administrator role bypasses permission checking. Users with the
Administrator role can access all objects.

You can deny inherited permissions on some object types. When you deny permissions, you configure
exceptions to the permissions that users and groups might already have.

Effective permissions

Superset of all permissions for a user or group. Includes direct permissions and inherited permissions.

When you view permission details, you can view the origin of effective permissions. Permission details
display direct permissions assigned to the user or group, direct permissions assigned to parent groups, and
permissions inherited from parent objects. In addition, permission details display whether the user or group
is assigned the Administrator role, which bypasses permission checking.

Permission Search Filters


When you assign permissions, view permission details, or edit permissions for a user or group, you can use
search filters to search for a user or group.

When you manage permissions for a user or group, you can use the following search filters:

Security domain

Select the security domain to search for users or groups.

Pattern string

Enter a string to search for users or groups. The Administrator tool returns all names that contain the
search string. The string is not case sensitive. For example, the string "DA" can return "iasdaemon,"
"daphne," and "DA_AdminGroup."

You can also sort the list of users or groups. Right-click a column name to sort the column in ascending or
descending order.

Domain Object Permissions


You configure privileges and permissions to manage user security within the domain. Permissions define the
level of access a user has to a domain object. To log in to the Administrator tool, a user must have
permission on at least one domain object. If a user has permission on an object, but does not have the
domain privilege that grants the ability to modify the object type, then the user can only view the object.

For example, if a user has permission on a node, but does not have the Manage Nodes and Grids privilege,
the user can view the node properties, but cannot configure, shut down, or remove the node.
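
The rules from the privilege and permission sections (group and role inheritance, object inheritance, the Administrator bypass, and view-only access without the matching privilege) can be checked together with a small model. This is an added example, not Informatica code: the user, group, and object names and the Monitor privilege are constructed, denied permissions are not modeled, and only a directly assigned Administrator role is treated as the bypass.

```python
# Simplified model of the access rules described above; not Informatica code.
# All names and sample data below are constructed for illustration.
ROLES = {"Operator": {"Monitor"}}             # role -> privileges (constructed)
PARENT_GROUP = {"alice": "NodeAdmins", "NodeAdmins": "Ops", "bob": "Ops"}
PARENT_OBJECT = {"node01": "Nodes", "Nodes": "Domain"}   # object -> container
ASSIGNED_ROLES = {"Ops": {"Operator"}, "root": {"Administrator"}}
ASSIGNED_PRIVS = {"NodeAdmins": {"Manage Nodes and Grids"}}
DIRECT_PERMS = {("Ops", "Nodes")}             # (principal, object) grants


def chain(start, parents):
    """Yield start, then each ancestor (parent group or containing object)."""
    while start is not None:
        yield start
        start = parents.get(start)


def effective_privileges(principal):
    """Map each privilege to the group or role it was inherited from."""
    origin = {}
    for holder in chain(principal, PARENT_GROUP):
        for priv in ASSIGNED_PRIVS.get(holder, ()):
            origin.setdefault(priv, holder)
        for role in ASSIGNED_ROLES.get(holder, ()):
            for priv in ROLES.get(role, ()):
                origin.setdefault(priv, f"role {role} on {holder}")
    return origin


def permission_origins(principal, obj):
    """List every (holder, object) grant that gives principal access to obj."""
    return [(h, o) for h in chain(principal, PARENT_GROUP)
            for o in chain(obj, PARENT_OBJECT) if (h, o) in DIRECT_PERMS]


def access(principal, obj, privilege):
    """Return 'full', 'view' or 'none' for one principal, object and privilege."""
    # Assumption: only a directly assigned Administrator role is modeled.
    if "Administrator" in ASSIGNED_ROLES.get(principal, ()):
        return "full"          # the role bypasses permission checking
    if not permission_origins(principal, obj):
        return "none"          # no direct or inherited permission on the object
    return "full" if privilege in effective_privileges(principal) else "view"
```

Running `permission_origins` and `effective_privileges` for an account gives the same origin information that the permission details and the inherited-privilege tooltip display, which is useful when reviewing why an account can modify an object.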



You can configure permissions on the following types of domain objects:

Domain Object Type: Domain
Description of Permission: Enables Administrator tool users to access all objects in the domain. When users
have permission on a domain, they inherit permission on all objects in the domain.

Domain Object Type: Folder
Description of Permission: Enables Administrator tool users to access all objects in the folder in the
Administrator tool. When users have permission on a folder, they inherit permission on all objects in the
folder.

Domain Object Type: Node
Description of Permission: Enables Administrator tool users to view and edit the node properties. Without
permission, a user cannot use the node when defining an application service or creating a grid.

Domain Object Type: Grid
Description of Permission: Enables Administrator tool users to view and edit the grid properties. Without
permission, a user cannot assign the grid to a Data Integration Service.

Domain Object Type: License
Description of Permission: Enables Administrator tool users to view and edit the license properties. Without
permission, a user cannot use the license when creating an application service.

Domain Object Type: Application Service
Description of Permission: Enables Administrator tool users to view and edit the application service
properties.


You can use the following methods to manage domain object permissions:

• Manage permissions by domain object. Use the Permissions view of a domain object to assign and edit
permissions on the object for multiple users or groups.
• Manage permissions by user or group. Use the Manage Permissions dialog box to assign and edit
permissions on domain objects for a specific user or group.



Note: You configure permissions on an operating system profile differently than you configure permissions
on other domain objects.


