Skip to content

Creating and using security policies

What are policy statments?

Policy statements are JSON-formatted documents that list actions that are either allowed or denied for a certain resource.

Each policy can contain one or more statements listed after each other. Each statement will say three things:

  • The resources covered.
  • The actions controlled.
  • If the actions are to be allowed or denied.

If you have both a statement that allows an action and another statement that disallows it, the end result will be that access is denied, since explicit denies have higher priority.

Policy types

You can use two types of policies:

  • Managed policies – Managed policies that are created and managed by Rational BI. If you are new to using policies, we recommend that you start by using Rational BI managed policies.

  • Custom policies – Custom policies that you create and manage in your Rational BI account. Customer managed policies provide more precise control over your policies than Rational BI managed policies. You can create and edit a Rational BI policy by creating the JSON policy document directly.

Example policy

This is an example policy that permits reports to be listed for all accounts:

  "Statement": [
      "Effect": "Allow",
      "Action": [
      "Resource": [

The policy above has a single statement but any number of additional statements can be included in the list.

The statement itself has three entries:

  • The Effect which can be either Allow or Deny.
  • The Action which is a list of actions that can be performed. The full set of possible actions is listed here.
  • The Resource that is being controlled. The asterisk (*) indicates that it applies to all resources. The applicable resources differ per action.

Constructing policy statements can be difficult. Contact if you would like help and we will be happy to assist.

Custom policy statements require an enterprise subscription.

System managed policies

Policy Description
Administrator The user is an administrator at the organizational level and can invite new users, promote users to owner status, manage and delete users as well as create and delete workspaces. Only assign ownership status to those that are trusted to see all data associated with the organization as well as manage and invite new users.
Everyone Basic access to organizational information as well as the ability to view the accounts under the organization.
Power Users Access all accounts and read and write reports and data.
Database Managers Permissions to upload, manage and delete databases of existing datasets. Cannot change schemas.
Report Builders The ability to create, edit and delete reports.
Dataset Designers Create, design, modify and delete datasets and schemas. Users with this policy can also upload, manage and delete databases.
Report Consumer Read-only access to all reports and data in the account.

To limit account access, create a policy with a DENY permission to override.


Permissions let you specify access to Rational BI resources. Permissions are granted to groups and by default these groups start with no permissions.

In other words, members of groups can do nothing in Rational BI until you grant them your desired permissions. To give entities permissions, you can attach a policy that specifies the type of access, the actions that can be performed, and the resources on which the actions can be performed. In addition, you can specify any conditions that must be set for access to be allowed or denied.

You can select a predefined policy managed by Rational BI or create your own using the policy editor.

To assign permissions to a user, group, role, or resource, you create a policy that lets you specify:

  • Actions – Which Rational BI service actions you allow. Any actions that you don't explicitly allow are denied.
  • Resources – Which Rational BI resources you allow the action on. Users cannot access any resources that you do not explicitly grant permissions to.
  • Effect – Whether to allow or deny access. Because access is denied by default, you typically write policies where the effect is to allow.


Actions are used within policy statements to determine what tasks a user is allowed to perform. Some actions can be filtered by the UUIDs of the object. This can be used as a means to set up granular permissions to subsets of of an organization where access should be partitioned.

Organization-level Actions

Action Resource Description
organization:describeOrganization Read basic information about the organization, such as name and description.
organization:updateOrganization Update basic information about the organization, such as name and description.
organization:associateUser Associate an existing user with the organization.
organization:putOrganizationLogo Upload a new logo for the organization.
organization:createUser Create or invite a new user into the organization.
organization:updateUser user/useruuid Update information about an existing user.
organization:describeUser user/useruuid Get information about a user.
organization:deleteUser user/useruuid Delete an existing user.
organization:listUsers List the users associated with the organization.
organization:listPolicies List the security policies defined within the organization.
organization:describePolicy policy/policyuuid Retrieve the name, description and policy statement assoicated with a security policy.
organization:deletePolicy policy/policyuuid Delete an existing security policy.
organization:createPolicy Create a new security policy.
organization:updatePolicy policy/policyuuid Update an existing security policy.
organization:assignPolicy Assign a security policy to a group.
organization:listGroups List the groups associated with the organization.
organization:deleteGroup Delete an existing group.
organization:createGroup Create a new group.
organization:updateGroup Update an existing group.
organization:describeGroup Return information such as name and description of a group, as well as group membership information.
organization:deleteAccount Return information about an account.
organization:listAccounts List existing accounts.
organization:createAccount Create a new account.
organization:readAccount Read data from an account.
organization:updateAccount Update meta-information about an account, such as name, description, time zone and currecy.
organization:describeBilling Return information about the current plan, billing information and invoices.
organization:updateBilling Update the current plan, input new payment methods and pay invoices.
organization:deleteOrganization Delete the organization.

Account-level Actions

Action Resource Description
account:listDatasets Enumerate the datasets within an account.
account:describeDataset dataset/datasetuuid Retrieve metadata related to a dataset such as the name and description. This does not include the data in databases nor does it include the database schema.
account:createDataset Create a new dataset.
account:deleteDataset dataset/datasetuuid Delete an existing dataset.
account:updateDataset dataset/datasetuuid Update the metadata properties of an existing dataset.
account:shareDataset dataset/datasetuuid Control the sharing properties of a dataset. Note that sharing a dataset will expose it to the non-authenticated users.
account:listReports Enumerate the reports within an account.
account:describeReport report/reportuuid Read metadata for a single report. Returns similar data that would be returned through the listReports action, but requires a specific report it to be provided.
account:deleteReport report/reportuuid Delete an existing report.
account:updateReport report/reportuuid Edit an existing report.
account:readReport report/reportuuid Read the report defintition of an existing report.
account:createReport Create a new report.
account:readReportHistory report/reportuuid Read the history of prior versions of a report.
account:readReportScreenshot report/reportuuid Retrieve screenshots of the current or historical versions of a report.

Dataset-level Actions

Action Resource Description
dataset:listDatabases dataset/datasetuuid Enumerate the databases on file for a database.
dataset:updateDatabase dataset/datasetuuid/databaseuuid Flag a specific database associated with a dataset active.
dataset:deleteDatabase dataset/datasetuuid/databaseuuid Delete a database.
dataset:readDatabase dataset/datasetuuid/databaseuuid Retrieve and read a database.
dataset:createDatabase dataset/datasetuuid/databaseuuid Create a new database within an existing dataset.
dataset:createSchema dataset/datasetuuid Create a new database schema. At the moment, only a single database schema per dataset is allowed.
dataset:readSchema dataset/datasetuuid/schemauuid Read the schema of an existing dataset.
dataset:updateSchema dataset/datasetuuid/schemauuid Modify the schema of an existing dataset.
dataset:deleteSchema dataset/datasetuuid/schemauuid Delete the schema of an existing dataset. At the moment, each dataset must have a single schema.