Documentation
Back to Documentation

EPM Role Matrix

Captain EPM does not bypass native Oracle EPM security. Because the Add-in connects directly to the Oracle EPM REST APIs using your provided credentials, it inherits the exact security profile and limitations of your assigned Oracle EPM Role.

Important Note on Access

Captain EPM is NOT limited to Administrators. It is a productivity tool built for the entire organization. However, if a user attempts to execute a feature they do not have Oracle EPM privileges for (e.g., a Viewer trying to write data), the Oracle API will simply reject the request and the Add-in will display the native "Unauthorized" error.

Service Administrator

Full, unrestricted access to all Captain EPM ribbon features.

  • Security Agent & User Management: Can extract users, audit groups, and run Security Drift snapshots.
  • Audit Logs: Can pull system-wide Data, Metadata, and Security logs.
  • Job Console: Can execute any rule, ruleset, or automation sequence.
  • File Repository: Can upload/download/delete files from the EPM Inbox/Outbox.
  • Sub Variables: Can view, create, update, and delete substitution variables.
  • Performance: Can view system-level CPU, Memory, and Request monitoring metrics.
  • Snapshots: Can trigger and download full environment LCM snapshots.
  • Sync Metadata & Data Load Diagnostic: Full access to dimension syncs and data load logs.
  • Data & Object Analysis: Full read/write access to intersections and metadata structures.
  • AI Tools (Assistant, Rule Advisor, Investigator, App Scan, Captain's Log): Unrestricted execution across the entire application footprint.

    • Power User

    Can run daily operational features and diagnostics, but is restricted from administrative APIs.

  • Job Console: Can run rules, rulesets, and job sequences (provided they have been provisioned access to the specific rules in EPM).
  • File Repository: Can upload/download files to accessible folders.
  • Data Analysis: Can analyze and write back data for intersections where they hold Write access.
  • Object Analysis: Can inspect objects and members they have access to.
  • Data Load Diagnostic: Available for diagnosing their own data load jobs.
  • AI Assistant & Captain's Log: Full access to chat and session logs.
  • Rule Advisor & Investigator: Can analyze business rules and calculation scripts they are permitted to view.
  • Security Agent & User Management: Blocked (Returns 403 Unauthorized).
  • Audit Logs: Blocked. Cannot pull system-wide logs.
  • Performance & Snapshots: Blocked. Restricted to Service Administrators.
  • Sub Variables & Sync Metadata: Generally blocked from updating global variables or pushing dimension changes.
  • Application Scan: Blocked. Requires full metadata extraction privileges.

    • User

    Limited to executing end-user tasks and analyzing specific data regions.

  • Job Console: Can only run explicitly provisioned business rules. Cannot execute rulesets or automation sequences.
  • Data Analysis: Can write back and analyze data exclusively for intersections where they hold Write/Read access.
  • AI Assistant & Captain's Log: Fully available for querying data and chatting.
  • Rule Advisor & Investigator: Typically blocked, as end-users lack access to view calculation script logic.
  • File Repository: Usually restricted or limited to personal folders.
  • Security Agent & User Management: Blocked.
  • Audit Logs & Performance: Blocked.
  • Snapshots & Application Scan: Blocked.
  • Sync Metadata & Sub Variables: Blocked.
  • Data Load Diagnostic: Blocked.
  • Object Analysis: Mostly blocked due to limited metadata visibility.

    • Viewer

    Strictly restricted to read-only capabilities by Oracle EPM.

  • Data Analysis: Can pull data into dashboards in strict Read-Only mode. Cannot submit data.
  • AI Assistant & Captain's Log: Can use the assistant to query reporting data and view session logs.
  • Job Console: Blocked. Cannot execute any rules or calculations.
  • Rule Advisor & Investigator: Blocked.
  • Security Agent & User Management: Blocked.
  • Audit Logs & Performance: Blocked.
  • Snapshots & Application Scan: Blocked.
  • Sync Metadata & Sub Variables: Blocked.
  • Data Load Diagnostic: Blocked.
  • File Repository & Object Analysis: Blocked.