Managing roles for users in Watson Query
Watson Query has four user roles, which are specific to Watson Query. You can grant these roles to existing IBM® Cloud account users.
To learn more, review the following information.
Watson Query access control is not applied to previews in Watson™ services other than Watson Query when data masking or row-level filtering applies to the preview. The internal Watson Query access controls, which you manage by using Manage access in the Watson Query UI, do not govern those previews. To control access in the other Watson services, you must define rules that manage access to the catalogs, projects, data assets, or connections.
The preview is subject to the data protection rules and catalog or project access control only.
Even if a user does not have access to query an object from Watson Query, they might be able to preview it in a catalog or project if they have access to the catalog or project that contains the data asset.
Watson Query roles
Watson Query supports four roles: Manager (service administrator), Engineer, Steward, and User. For a user to be able to access and use the Watson Query service, you must assign them one of the four Watson Query roles. The Watson Query roles control access within a particular Watson Query instance and determine what users can do inside that Watson Query instance. Each of these roles can take advantage of different capabilities.
- You assign Watson Query roles within the Watson Query service, not as part of the Identity Management Service (IAM) on IBM Cloud.
- You can assign Watson Query roles directly to individual users only. You cannot assign Watson Query roles to IAM access groups.
- Watson Query Manager
  The user who provisions the Watson Query service is automatically assigned the Watson Query Manager role. After the service is provisioned, the Watson Query Manager can give other users access to the service. The Watson Query Manager is considered to be the manager of the Watson Query instance and assigns appropriate Watson Query roles to Cloud Pak for Data users.
- Watson Query Engineer
  Configures the data sources, virtualizes data, and manages access to virtual objects. Users with this role can create a virtual table or view and grant access to it to users with the Engineer or User role. Data source administrators are expected to provide access to a user with a Watson Query Engineer or Manager role before that user can add a data source.
- Watson Query User
  Users with this role can create views of virtual tables to which they have access.
- Watson Query Steward
  Watson Query Stewards can access data in all user tables and views. Watson Query automatically grants Db2® SELECTIN authority to the Steward role on all schemas.
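A catalog review of the grants behind these roles, as an added example that is not part of the original page or of IBM's documentation. It assumes that the Watson Query roles appear as Db2 roles in the SYSCAT catalog views and that you are allowed to query those views; DV_ENGINEER is the role name used in the GRANT example later on this page.

```sql
-- Added audit example (not from the original page).
-- Assumption: Watson Query roles are visible as Db2 roles in SYSCAT views.
-- GRANTEETYPE is 'U' for a user, 'G' for a group and 'R' for a role.

-- 1. Role membership: who holds each role, and whether the holder can
--    grant it onward (ADMIN = 'Y').
SELECT ROLENAME, GRANTEE, GRANTEETYPE, ADMIN
FROM SYSCAT.ROLEAUTH
ORDER BY ROLENAME, GRANTEE;

-- 2. Schema-wide read access: every grantee holding SELECTIN
--    ('Y' = held, 'G' = held and grantable). Compare the result with the
--    Steward grant described above and review any other grantee.
SELECT SCHEMANAME, GRANTEE, GRANTEETYPE, GRANTOR, SELECTINAUTH
FROM SYSCAT.SCHEMAAUTH
WHERE SELECTINAUTH IN ('Y', 'G')
ORDER BY SCHEMANAME, GRANTEE;

-- 3. Objects on which the DV_ENGINEER role holds CONTROL, expanded to the
--    members of that role, so each object lists who reaches it that way.
SELECT t.TABSCHEMA, t.TABNAME,
       r.GRANTEE     AS ROLE_MEMBER,
       r.GRANTEETYPE AS MEMBER_TYPE
FROM SYSCAT.TABAUTH AS t
JOIN SYSCAT.ROLEAUTH AS r
  ON r.ROLENAME = t.GRANTEE
WHERE t.GRANTEETYPE = 'R'
  AND t.GRANTEE = 'DV_ENGINEER'
  AND t.CONTROLAUTH = 'Y'
ORDER BY t.TABSCHEMA, t.TABNAME, r.GRANTEE;
```

These queries cover only grants recorded in the Db2 catalog; preview access through catalogs and projects in other Watson services is governed separately, as described at the top of this page.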
Menu | Capabilities | Sub items | Manager | Engineer | Steward | User | Platform administrator | Platform operator | Platform editor | Platform viewer |
---|---|---|---|---|---|---|---|---|---|---|
Virtualization | Data sources | ✓ | ✓ | |||||||
Virtualize | ✓ | ✓ | ||||||||
Virtualized data | ✓ | ✓ | ✓ | ✓ | ||||||
Monitor dashboard. | Summary | ✓ | ✓1 | ✓1 | ✓1 | |||||
Database | Database partitions | ✓ | ✓ | ✓ | ✓ | |||||
Database time spent | ✓ | ✓ | ✓ | ✓ | ||||||
Database usage | ✓ | ✓ | ✓ | ✓ | ||||||
Statement | Individual executions | ✓2 | ||||||||
In-flight executions | ✓ | ✓ | ✓ | ✓ | ||||||
Package cache | ✓2 | |||||||||
Stored procedures | ✓ | |||||||||
Applications | Top consumers | ✓2 | ||||||||
Connections | ✓ | ✓ | ✓ | ✓ | ||||||
Throughput | Connection summary | ✓2 | ||||||||
Operating system time spent | ✓2 | |||||||||
Partition skew | ✓2 | |||||||||
Partition summary | ✓2 | |||||||||
WLM service class summary | ✓2 | |||||||||
WLM workload summary | ✓2 | |||||||||
I/O | Buffer pools | ✓ | ✓ | ✓ | ✓ | |||||
Prefetchers | ✓ | ✓ | ✓ | ✓ | ||||||
Logging performance | ✓ | ✓ | ✓ | ✓ | ||||||
Storage | Storage | ✓ | ✓ | ✓ | ✓ | |||||
Table performance | ✓ | ✓ | ✓ | ✓ | ||||||
Table space performance | ✓ | ✓ | ✓ | ✓ | ||||||
Run SQL | Run SQL | ✓ | ✓ | ✓ | ✓ | |||||
Explorer | Tables | ✓ | ✓ | ✓ | ✓ | |||||
Views | ✓ | ✓ | ✓ | ✓ | ||||||
Indexes | ✓ | ✓ | ✓ | ✓ | ||||||
Remote tables | ✓ | ✓ | ✓ | ✓ | ||||||
Aliases | ✓ | ✓ | ✓ | ✓ | ||||||
MQTs | ✓ | |||||||||
Schemas | ✓ | |||||||||
Sequences | ✓ | ✓ | ✓ | ✓ | ||||||
Application objects | ✓ | ✓ | ✓ | ✓ Note: Users with the User role can only view the User-defined Types tab on the Application objects page. | ||||||
Authorization | ✓ | |||||||||
Workload | ✓ | |||||||||
User management | User management | ✓ Note: To access User management, a user must have both the Watson Query Manager role and the Platform administrator role. | ✓ | |||||||
Configure connection | ✓ | ✓ | ✓ | ✓ | ||||||
Settings | Event monitor profile | ✓ | ||||||||
Monitoring profile | ✓ | |||||||||
Service settings | General | ✓ | ✓ | ✓ | ||||||
Governance | ✓3 | ✓ | ✓ | |||||||
Scaling | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
History | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
Access restriction | ✓ | ✓ | ✓ |
Permissions of Watson Query roles
Roles | Permissions |
---|---|
Watson Query Manager |
|
Watson Query Engineer |
|
Watson Query User |
|
Watson Query Steward |
|
CONTROL privilege on that object as shown in the following example.
GRANT CONTROL on object to ROLE DV_ENGINEER
For more information about the CONTROL privilege, see the Db2 product documentation.
Platform roles
There are also IAM Platform access roles that apply to the user's Platform access. IAM Platform access roles provide permissions to manage the IBM Cloud account and to access IBM Cloud Pak® for Data as a Service functions such as scaling and monitoring of Watson Query.
The Platform Operator and Editor can access the same set of common functions in Watson Query to configure and operate service instances. For more information, see Add users to the account.
- Configure and operate, but not provision, service instances of Watson Query.
- View service dashboards for Watson Query.
- All Viewer role permissions.
- Permission to provision instances of services.
- Permission to update plans for service instances.
For more information, see Identity and access management (IAM) on IBM Cloud®.