Security Guide
Understand Captain EPM's role-based access model, and learn how to use Security Drift to maintain compliance with ease.
User Roles
Captain EPM uses a four-tier role hierarchy. Roles are assigned per user in the admin portal; users cannot self-escalate.
Full access to all tenants, billing, and system configuration. Reserved for internal Captain EPM staff.
- Manage all tenants
- Access billing and subscriptions
- View system logs
- Manage Super Admins
Full control over a single tenant — create users, assign licenses, configure EPM connections.
- Create and manage users
- Assign EPM licenses
- Configure EPM environments
- View all tenant activity
Can execute jobs, run security audits, and create datasets. Cannot manage other users.
- Run rules and rule sets
- View and export audit logs
- Create datasets
- Run security reports
Read-only access to assigned dashboards and datasets. Cannot run calculations or modify security.
- View published dashboards
- Access shared datasets
- View own activity history
Permissions Matrix
| Feature | Super Admin | Tenant Admin | Power User | Standard |
|---|---|---|---|---|
| Run Rules / Jobs | ✅ | ✅ | ✅ | ❌ |
| View Audit Logs | ✅ | ✅ | ✅ | ❌ |
| Security Reports | ✅ | ✅ | ✅ | ❌ |
| Security Drift | ✅ | ✅ | ✅ | ❌ |
| Create Datasets | ✅ | ✅ | ✅ | ❌ |
| View Dashboards | ✅ | ✅ | ✅ | ✅ |
| Manage Users | ✅ | ✅ | ❌ | ❌ |
| Manage Tenants | ✅ | ❌ | ❌ | ❌ |
| Billing Access | ✅ | ❌ | ❌ | ❌ |
Security Drift & Snapshots
Security Drift is Captain EPM's compliance superpower. It lets you compare any two points in time to see exactly who gained or lost access to your Oracle EPM environment — essential for SOX, GDPR, and internal audits.
Take a Baseline Snapshot
Use the Security > Snapshots button to capture your current EPM security state. Snapshots are labeled with timestamp and user.
Compare Two Snapshots
Select any two snapshots from your library and click "Compare". Captain EPM generates a color-coded diff.
Review Drift Report
The report highlights: new access grants (green), removed access (red), and unchanged provisioning (grey).
Export for Compliance
Export the drift report to Excel for SOX, GDPR, or internal audit requirements with one click.
- Take a security snapshot before and after every provisioning event.
- Review Security Drift weekly during active project phases.
- Assign the minimum required role — avoid granting Tenant Admin unnecessarily.
- Export audit logs monthly and store them in a secure archive.