User roles and permissions for IBM Knowledge Catalog and Watson Studio
The IBM Cloud Pak for Data service access roles in IBM Cloud Identity and Access Management (IAM) determine the actions that users have permission to perform in IBM Knowledge Catalog and Watson Studio.
As an account administrator, you add users to the IBM Cloud account and give them access to IBM Knowledge Catalog and Watson Studio by assigning them IAM service access roles for the IBM Cloud Pak for Data service.
You can assign any of the predefined roles, or create custom roles and assign those.
Jump to the appropriate section for more information:
- Required permissions
-
To manage access, you must have one of the following user management roles:
-
- Editor
-
- Administrator
-
To create, update, or delete custom roles, you must have the following account role:
-
- Administrator
Predefined roles
A role defines the permissions that a user or an access group has.
You can create new roles if the default set of permissions in a role doesn't align with your business needs. For more information, see Creating custom roles. You cannot edit the default roles.
Definitions for each permission are provided in Permissions. The predefined roles can include permissions that currently aren't used.
| Role | Permissions | Description |
|---|---|---|
| Manager | Access catalogs Manage catalogs Manage data protection rules Manage governance categories Manage glossary Manage projects Manage governance workflows Find a resource by using the Global Search and Tagging search API See IAM service access policies Administer governance artifacts Drill down to issue details Execute data quality rules Manage data quality assets Add catalog assets to projects Manage data lineage |
Assign this role to people who set up and administer IBM Knowledge Catalog or Watson Studio and perform the following tasks: • Watson Studio users with this role can join any project as an administrator and view all active projects in the account. • IBM Knowledge Catalog users with this role must make decisions about the organizations, workflow, and import of governance artifacts, which users can perform which tasks, and the catalogs to create. The Manager role includes all the permissions that are granted in the other roles, except for the following permission: • Manage reporting |
| Reporting Administrator | Manage reporting | Assign this role to people who need to generate reports about assets in catalogs. Note: Users with this role can send all metadata from any project, catalog, or category to an external database regardless of membership or access permissions in existing projects, catalogs, and categories. Assign this privileged role with caution. |
| CloudPak Data Steward | Access catalogs Access governance artifacts Manage data protection rules Add catalog assets to projects |
Assign this role to people who must perform the following tasks: • Implement the governance framework by creating governance artifacts. • Curate data by performing metadata import, metadata enrichment, data quality analysis, and publishing data assets to catalogs. |
| CloudPak Data Engineer | Access governance artifacts Manage data protection rules |
Assign this role to people who create connections and then prepare and publish data assets to catalogs. |
| CloudPak Data Scientist | Access catalogs Access governance artifacts Add catalog assets to projects |
Assign this role to people who need to perform the following tasks: • Find data assets in catalogs and then use the data to train models in projects. • Document and govern models in catalogs. |
| Governance Artifacts Administrator | Administer governance artifacts | Assign this role to people who need to perform the following tasks: • View and edit all governance artifacts in all categories • Edit categories, including changing collaborators and category permissions • Run all API calls for governance artifacts • Set rule conventions and rule settings |
| CloudPak Data Quality Analyst | Drill down to issue details Execute data quality rules Manage data quality assets |
Assign this role to people who need to set up and run data quality analysis and to evaluate the analysis results. |
| CloudPak Data Source Administrator | Create data source definitions and see a list of all connections across the account | Assign this role to people who need to create data source definitions. |
| CloudPak Data Source Creator | Create data source definitions | Assign this role to people who need to create data source definitions. |
| Policy decision operator | Evaluate policy decision | Assign this role to people who evaluate data access requests on behalf of other users. |
| Lineage Administrator | Access data lineage Manage data lineage Create data source definitions |
Assign this role to people who need to import lineage metadata and manage imported lineages. |
Permissions
The following table describes the actions that are associated with each permission.
| Permission | Action |
|---|---|
| Access catalogs (cp4d.catalog.access) |
• Become a collaborator in a catalog • View assets in the catalogs they have access to • Complete other actions in the catalog, depending on the catalog collaborator role • Create or join projects |
| Add catalog assets to projects (cp4d.catalog-assets-to-projects.add) |
• Add assets from a catalog to a project |
| Access governance artifacts (cp4d.governance-artifacts.access) |
• Become a collaborator in a category • View categories they can access • View published governance artifacts in categories they can access • Complete other actions in the category, depending on the category collaborator role: • Add, edit, delete, import, or export categories • Manage collaborators in categories • View draft governance artifacts • Add, edit, delete, import, or export governance artifacts |
| Administer governance artifacts (cp4d.glossary.admin) |
• View and edit all governance artifacts in all categories • Edit categories, including changing collaborators and category permissions • Run all API calls for governance artifacts |
| Create data source definitions (cp4d.data-source-definitions.create) |
• Create data source definitions |
| Create data source definitions and see a list of all connections across the account (cp4d.data-source-definitions.manage) |
• Create data source definitions and see a list of all connections across the account |
| Drill down to issue details (cp4d.data-quality.drill-down) |
• Access output tables of data quality rules from the run history or the Data quality page to view the data rows that cause data quality issues |
| Evaluate policy decision (cp4d.governance-policy-decision.evaluate) |
• For an integration user, to evaluate data access requests on behalf of registered platform users. |
| Execute data quality rules (cp4d.data-quality.measure) |
• Run data quality rules |
| Manage catalogs (cp4d.catalog.manage) |
• Create catalogs and view the list of all catalogs on the Catalog management page •Users with this permission can delete a catalog if they have the admin role in the catalog |
| Manage data protection rules (cp4d.data-protection-rules.manage) |
• Create, edit, and delete data protection rules |
| Manage data quality assets (cp4d.data-quality-asset-types.access) |
• Create, edit, and delete data quality definitions and rules |
| Manage governance categories (cp4d.governance-categories.manage) |
• Create top-level categories • Perform all tasks listed under Access governance artifacts |
| Manage glossary (cp4d.glossary.manage) |
• Create top-level categories • Perform all tasks listed under Access governance artifacts • Import and export governance artifacts in a ZIP file |
| Manage governance workflows (cp4d.governance-workflow.manage) |
• View all user tasks • Unassign user tasks • Assign workflow tasks to users • Create, edit, and delete governance workflow configurations |
| Manage projects (cp4d.project.manage) |
• View all projects in the account • Join any project as admin< |
| Manage reporting (cp4d.wkc.reporting.manage) |
• Set up reporting for IBM Knowledge Catalog data Note: Users with this role can send all metadata from any project, catalog, or category to an external database regardless of membership or access permissions in existing projects, catalogs, and categories. Assign this privileged role with caution. |
| Manage data lineage (cp4d.data-lineage.manage) |
• Run metadata import jobs • Publish assets from metadata jobs to projects or catalogs • View monitor and manage page • Delete lineage from monitor and manage page • View lineage repository page • View lineage graphs for all assets in the repository • Add or delete external agents • Update alias mappings and filesystem mappings • Select Cloud Object Storage to enable lineage |
| Access data lineage (cp4d.data-lineage.access) |
• View lineage repository • View lineage graphs for all assets in the repository |
Assigning access
You can invite one or multiple users in a single invite. If you invite multiple users in one invitation, the same access is assigned to each user. However, you can invite users to your account with no access, and assign them access later.
- Go to Administration > Access (IAM). Then, select Users in the IBM Cloud console.
- Click Invite users.
- Specify the email addresses of the users. If you are inviting more than one user with a single invitation, they are all assigned the same access.
- Expand the Assign users additional access section.
- Select IAM services, and then select IBM Cloud Pak for Data as the type of access.
- Select all roles that apply. To view what actions are mapped to each role, click the number next to the role name.
- Click Add to save the access assignment to the invitation.
- After you add all the necessary access assignments, click Invite.
Managing access for existing users and access groups
You might want to assign more access to a user, or an access group, or edit the existing access to ensure that all members of your account have the correct level of access.
To assign access, see Step 2: Assign IBM Knowledge Catalog roles to users and access groups.
To edit an existing policy:
- Click the entry in the role column.
- Select that you want to add or deselect those that you want to remove from the policy.
- Save your changes.
You can also remove access by deleting an access policy.
Learn more
- Catalog collaborator permissions
- Category collaborator role
- Project collaborator role
- Creating custom user access roles
Parent topic: Setting up IBM Knowledge Catalog