Managing roles for users and groups in Watson Query

Managing roles for users in Watson Query

Watson Query has four user roles, which are specific to Watson Query. You can grant these roles to existing IBM® Cloud account users.

To learn more, review the following information.

Watson Query roles
Permissions of Watson Query roles
Platform roles

Restriction:

Watson Query access control is not applied when data masking or row-level filtering applies to the preview in Watson™ services (other than Watson Query). The Watson Query internal access controls, which are controlled by using Manage access in the Watson Query UI, do not apply to the preview from the other Watson services with masking or row-level filtering. You must define your rules to manage access to the catalogs, projects, data assets, or connections for access control in the other Watson services.

The preview is subject to the data protection rules and catalog or project access control only.

Even though a user does not have access to query an object from Watson Query, they might be able to preview it in a catalog or project if they have access to that catalog or project the data asset.

Watson Query roles

Watson Query supports four roles: Manager (service administrator), Engineer, Steward, and User. For a user to be able to access and use the Watson Query service, you must assign them one of the four Watson Query roles. The Watson Query roles control access within a particular Watson Query instance and determine what users can do inside that Watson Query instance. Each of these roles can take advantage of different capabilities.

For a user to have access to the Watson Query service, you must assign them one of the following Watson Query roles.

Note: Users that are added with a Watson Query Manager role or a Watson Query Engineer role must also be added as a collaborator to the Platform assets catalog before they can add or configure data sources.

Note:

You assign Watson Query roles within the Watson Query service, not as part of the Identity Management Service (IAM) on IBM Cloud.
You can assign Watson Query roles directly to individual users only. You cannot assign Watson Query roles to IAM access groups.

Watson Query Manager: The user who provisions the Watson Query service is automatically assigned the Watson Query Manager role. After the service is provisioned, the Watson Query Manager can give other users access to the service.
The Watson Query Manager is considered to be the manager of the Watson Query instance and assigns appropriate Watson Query roles to Cloud Pak for Data users.
Watson Query Engineer: Configures the data sources, virtualizes data, and manages access to virtual objects. Users with this role can create a virtual table or view and grant access to it to users with the Engineer or User role.
Data source administrators are expected to provide access to a user with a Watson Query Engineer or Manager role before that user can add a data source.
Watson Query User: Users with this role can create views of virtual tables to which they have access.
Watson Query Steward: Watson Query Stewards can access data in all user tables and views. Watson Query automatically grants Db2® SELECTIN authority to the Steward role on all schemas.

The following table summarizes the Watson Query menu functions that each of the Watson Query user roles is able to access.

Note: Users must have at least one Watson Query role (Manager, Engineer, Steward, or User) and at least one platform role (Platform administrator, Platform Operator, Platform Editor, or Platform Viewer). The Platform Viewer role is the minimum role that must be assigned along with each Watson Query role, unless otherwise indicated in the table.

Menu	Capabilities	Sub items	Manager	Engineer	Steward	User	Platform administrator	Platform operator	Platform editor
Virtualization	Data sources		✓	✓
	Virtualize		✓	✓
	Virtualized data		✓	✓	✓	✓
Monitor dashboard.	Summary		✓	✓^¹	✓^¹	✓^¹
	Database	Database partitions	✓	✓	✓	✓
		Database time spent	✓	✓	✓	✓
		Database usage	✓	✓	✓	✓
	Statement	Individual executions	✓^²
		In-flight executions	✓	✓	✓	✓
		Package cache	✓^²
		Stored procedures	✓
	Applications	Top consumers	✓^²
		Connections	✓	✓	✓	✓
	Throughput	Connection summary	✓^²
		Operating system time spent	✓^²
		Partition skew	✓^²
		Partition summary	✓^²
		WLM service class summary	✓^²
		WLM workload summary	✓^²
	I/O	Buffer pools	✓	✓	✓	✓
		Prefetchers	✓	✓	✓	✓
		Logging performance	✓	✓	✓	✓
	Storage	Storage	✓	✓	✓	✓
		Table performance	✓	✓	✓	✓
		Table space performance	✓	✓	✓	✓

Run SQL	Run SQL		✓	✓	✓	✓
Explorer	Tables		✓	✓	✓	✓
	Views		✓	✓	✓	✓
	Indexes		✓	✓	✓	✓
	Remote tables		✓	✓	✓	✓
	Aliases		✓	✓	✓	✓
	MQTs		✓
	Schemas		✓
	Sequences		✓	✓	✓	✓
	Application objects		✓	✓	✓	✓ Note: Users with the User role can only view the User-defined Types tab on the Application objects page.
	Authorization		✓
	Workload		✓
User management	User management		✓ Note: To access User management, a user must have both the Watson Query Manager role and the Platform administrator role.				✓
Configure connection			✓	✓	✓	✓
Settings	Event monitor profile		✓
	Monitoring profile		✓
	Service settings	General	✓	✓		✓
		Governance	✓^³	✓		✓
		Scaling	✓	✓		✓	✓	✓	✓
		History	✓	✓		✓	✓	✓	✓
		Access restriction					✓	✓	✓

Permissions of Watson Query roles

The following table describes the permissions that are associated with each Watson Query role.

Roles	Permissions
Watson Query Manager	Administer the service. Administer the database. Access data. Manage data sources. Manage users and assign Watson Query roles. Create and share any schema. Manage data caches. Manage data queries.
Watson Query Engineer	Access connection information. Manage data sources. Create virtual tables and views.
Watson Query User	Access connection information. Create virtual views over existing virtual tables and views.
Watson Query Steward	Access connection information. Access data. Create virtual views over existing virtual tables and views. Create and manage private schema.

Important: To grant another user control on an object, including privileges to grant permissions to other users, and to remove a virtual object, the target user or role must be granted the CONTROL privilege on that object as shown in the following example.

GRANT CONTROL on object to ROLE DV_ENGINEER

For more information about the CONTROL privilege, see the Db2 product documentation.

Platform roles

There are also IAM Platform access roles that apply to the user's Platform access. IAM Platform access roles provide permissions to manage the IBM Cloud account and to access IBM Cloud Pak® for Data as a Service functions such as scaling and monitoring of Watson Query.

The Platform Operator and Editor can access the same set of common functions in Watson Query to configure and operate service instances. For more information, see Add users to the account.

An Operator can also perform the following tasks.

Configure and operate, but not provision, service instances of Watson Query.
View service dashboards for Watson Query.

The Editor role provides access to these permissions within Cloud Pak for Data as a Service.

All Viewer role permissions.
Permission to provision instances of services.
Permission to update plans for service instances.

For more information, see Identity and access management (IAM) on IBM Cloud®.

What to do next

¹ For Engineer, Steward, and User roles, only Responsiveness and Throughput widgets are available on the Summary page.

² Only the Manager role can access this item.

³ Only the Manager role can change the Governance setting.