Performance Analytics roles

  • Release version: Zurich
  • Updated July 31, 2025
  • 5 minutes to read

    • Assign roles to ensure that users can perform all necessary actions.

    Roles and personas

    Warning:
    Giving someone the pa_admin or pa_data_collector role is equivalent to giving them admin, from a security perspective.
    Role Authorizations Typical persona
    No role
    • View Performance Analytics visuals on the Service Portal.
    • View dashboards that have been shared with this user.

      Some dashboards require a subject matter related role for viewing, such as sn_hr_core_basic for the HR Agent dashboard. Dashboard owners and administrators can also restrict dashboard access by role. For more information, see Dashboard permissions.

    Requester who does not need any access to Performance Analytics beyond certain visualizations of results

    Any role (not necessarily a Performance Analytics role)
    • Open the indicator library
    • Create dashboards.
    • Restrict access by role to a dashboard they create.
    • Share dashboards they own.
    pa_viewer

    Contained by: All roles except pa_contributor
    Before Quebec, this role was necessary for the following actions. It may still be necessary on upgraded instances.
    • View Analytics Hub.
    • Create personal thresholds and targets for indicators.
    • Read, Update, and Delete thresholds and targets that they created.
    • View text analytics widgets on dashboards.
    		 Requester who needs and understands the details of key performance indicators
    sn_pa_diagnostics.pa_diagnostic

    Contained by: pa_admin
    • Read from the Diagnostics tables.
    • Activate or deactivate a diagnostic.
    • Run diagnostics.
    • Delete message records and diagnostic logs.
    		 No specific persona, but this role would typically be assigned to individual business analysts or groups of fulfillers.
    pa_contributor

    Contained by: pa_power_user, pa_admin

    		 For indicators for which the user is designated as a Contributor:
    • Read and update scores in scoresheets.
    • View the Analytics Hub.
    This user can also read dashboards that have been shared with them.    		 No specific persona, but this role would typically be assigned to individual fulfillers or groups, who are allowed to set indicator scores manually
    pa_kpi_signal_admin

    Contained by: admin

    		 Enables the user to dismiss a signal or reset the baseline for KPI Signals.

    Process owner who also has some training in Performance Analytics. Also needs the pa_viewer role.
    pa_target_admin

    Contained by: pa_power_user, pa_admin
    • Create targets.
    • Read, update, and delete all targets, including those that they do not own.
    • Assign targets to indicators.

    Manager who knows what targets to set but may not have any further input to Performance Analytics
    pa_threshold_admin

    Contained by: pa_power_user, pa_admin
    • Create global thresholds.
    • Read, update, and delete all thresholds, including those that they do not own.
    • Assign thresholds to indicators.

    Manager who knows what thresholds to set but may not have any further input to Performance Analytics
    pa_analyst

    Contained by: pa_power_user, pa_admin
    • CRUD text analytics keywords, phrases, and stop words
    • Read indicator sources.
    		 No specific persona, but this role would be assigned to individual fulfillers or groups whose expertise includes keywords, phrases, and stop words for word clouds.
    pa_power_user

    Contained by: pa_admin

    The pa_power_user role contains the viz_admin, pa_viewer, pa_contributor, pa_target_admin, pa_analyst, and pa_threshold_admin roles.
    • CRUD indicators and breakdowns.
    • CRUD widgets
    • Add Performance Analytics widgets to dashboards.
    • CRUD text index configurations for text analytics.
    • CRUD bucket groups.
    • CRUD indicator groups

    Business analyst and visualization designer. Understands the use cases for Performance Analytics and the requirements for indicators and breakdowns.
    pa_data_collector

    Contained by: pa_admin
    • CRUD, schedule, and run data collection jobs
    • CRUD indicator and breakdown sources
    • Read some system properties
    • CRUD system units
    • CRUD scripts and automated notifications
    • CRUD bucket groups
    • Activate or deactivate data snapshots

    Technical expert who understands the underlying database record structure of Performance Analytics
    pa_admin

    The pa_admin role contains the pa_power_user, sn_pa_diagnostics.pa_diagnostic, viz_admin, and pa_data_collector roles.
    • Read Performance Analytics properties.
    • Access Admin Console
    • Launch Dependency Assessment

    Performance Analytics technical expert who also understands business needs.
    admin The system administrator role. Users with the admin role can perform all pa_admin functions, edit properties, create database views, CRUD any dashboard, and assign ownership to dashboards. System administrator

    Spotlight roles

    Role Authorization Typical persona
    pa_spotlight

    Contains: pa_viewer, pa_spotlight_copy_breakdown

    		 CRUD Spotlight groups and criteria. Expert who understands the business logic of what records require reminders.
    pa_spotlight_viewer Access to the dashboards from the Analytics and Reporting Spotlight Solutions. Fulfiller who needs more than simple Priority setting to remind them of records that require action.
    pa_spotlight_copy_breakdown Can copy Spotlight groups to multiple elements of a breakdown. Spotlight expert or business analyst who understands the applicability of a Spotlight group by breakdown element.
    pa_spotlight_copy_domain Can copy Spotlight groups to multiple domains

    Domain administrator with Performance Analytics expertise

    Role hierarchy

    Certain roles such as pa_power_user and pa_admin include other roles. For example, pa_power_user includes pa_contributor. This diagram shows the role hierarchy.

    The pa_admin role hierarchy.

    Required roles for actions

    Module Action Minimal required role
    Admin Console Access pa_admin
    Analytics Hub (Scorecards) View

    None, since Quebec. However, upgraded instances may still require pa_viewer.
    Automated indicators CRUD pa_power_user
    Automation schedules Read and delete (other security restrictions likely apply) pa_data_collector
    Automation scripts CRUD pa_data_collector
    Breakdowns and elements, including breakdown relations CRUD pa_data_collector or pa_power_user
    Bucket groups CRUD pa_data_collector or pa_power_user
    Color schemes for charts and targets CRUD pa_power_user
    Dashboards (Responsive or Platform Analytics) Create a dashboard. Update a dashboard they created, including restricting access by role. Any roles necessary to access the data to display, or any one role
    Data snapshots Activate or deactivate pa_data_collector
    Responsive dashboards

    Add Performance Analytics widgets to responsive dashboards you own.

    		 pa_power_user
    Dashboards (Responsive or Platform Analytics) Read a dashboard that has been shared with you No role by default, but dashboards can require roles to view their data. For more information, see Dashboard permissions.
    Dashboards (Responsive or Platform Analytics) Update, delete, or share a dashboard that you own. pa_power_user
    Dashboards (Responsive or Platform Analytics) Update, delete, or share any dashboard. Reassign ownership of any dashboard. admin (and dashboard role dashboard_admin)
    Data collector jobs Read, write, execute pa_data_collector
    Dependency assessment Launch dependency assessment from indicator or breakdown form pa_admin
    External indicators and breakdowns CRUD pa_data_collector or pa_power_user
    Formula and manual indicators CRUD pa_power_user
    Indicator Groups CRUD pa_power_user
    Sources, either indicator or breakdown CRUD pa_data_collector
    Indicator targets Read and edit targets that you do not own pa_target_administrator
    Indicator targets or thresholds Create new. Read or edit ones you own.

    None, since Quebec. However, upgraded instances may still require pa_viewer.
    Indicator thresholds Read and edit thresholds that you do not own pa_threshold_administrator
    In-form analytics CRUD pa_power_user
    KPI Signals Reset baseline or dismiss signal pa_kpi_signal_admin
    Lists in all applications Access an interactive analysis No role by default, but some interactive analyses require roles to view their tables
    Manage diagnostics Read, execute, delete sn_pa_diagnostics.pa_diagnostic
    Scheduled email summary jobs CRUD pa_power_user
    Scoresheets CRUD pa_power_user
    Service Portal View Performance Analytics visuals No role
    System Properties Edit admin
    System Properties Read pa_data_collector for some, pa_admin for all
    System Units CRUD pa_data_collector
    Text Analytics Set up text index configurations pa_power_user
    Text Analytics View a text widget on a dashboard

    None, since Quebec. However, upgraded instances may still require pa_viewer.
    Text analytics keywords, phrases, or stop words CRUD pa_analyst
    What's on the Move News Rules and Statistics Generators Read, edit pa_power_user
    Visualizations that contain indicator information CRUD pa_power_user