Example IAM access groups
The example access groups provide a basic configuration for a data fabric implementation that includes watsonx.ai Studio, watsonx.ai Runtime, IBM Knowledge Catalog, Watson Query, DataStage, and IBM Match 360 services. You can modify the examples to grant the necessary permissions for your provisioned services.
When you create an IAM access group, a corresponding user group is also created. User groups make it easier to manage a large number of users who have similar access requirements.
- You can assign Viewer, Editor, or Admin roles to user groups when you add collaborators to projects and spaces.
- If a member of the group leaves, the IBM Cloud account administrator can remove the user from the group rather than reviewing every asset the user has access to.
Access groups overview
The example IAM access groups, their purpose, and typical tasks are:
Access group | Purpose | Typical tasks |
---|---|---|
Account-Administrator | Created by the account Owner to delegate full account administration to one or more people. Members of the Account-Administrator group have full control over the account and services except for account ownership. | • Provision service instances in Cloud Pak for Data as a Service • Provision secondary services, for example, Cloud Object Storage • Create IAM access groups and invite users to groups. • Assign individual permissions to users. |
CPD-Administrator | Similar to the Account-Administrator group but with less scope. Members manage Cloud Pak for Data as a Service and related services but cannot provision services. | • Manage users and groups including permissions but cannot manage other aspects of the IBM Cloud account. • Manage data governance artifacts. • Manage catalogs, categories, and projects. • Join any project as an administrator and view all active projects in the account. |
CPD-Cat-Proj | Provides appropriate access to Cloud Object Storage for users to create projects and catalogs when Storage Delegation is disabled. | Create projects, deployment spaces, and catalogs. |
CPD-COS-Admin | Provides appropriate access to Cloud Object Storage for users who create projects and catalogs. Not needed if Storage Delegation is enabled. | Create projects and catalogs. |
CPD-Common-User | Provides permissions common to all users and contains all users as Members. You can assign CPD-Common-User to all users and then also assign the appropriate IBM Cloud Pak for Data access group to each user, such as CPD-Data-Scientist, CPD-Data-Engineer, or CPD-Data-Steward. | • View, but not modify, available service instances and assets. • Become a collaborator in projects or catalogs. • Create projects, deployment spaces, and catalogs if also a member of the CPD-Cat-Proj group. • Access the Support Center to log help tickets. |
CPD-Data-Scientist | Provides permissions for users working in IBM Knowledge Catalog. | Find assets in catalogs. |
CPD-Data-Engineer | Provides permissions for users working in IBM Knowledge Catalog. | Integrate data. |
CPD-Data-Steward | Provides permissions for users working in IBM Knowledge Catalog. | • Create, review, and approve governance artifacts. • Curate data. |
CPD-Data-Virtualization | Provides access to Watson Query. | Work with views and virtualized data. |
CPD-DataGovernance-Admin | Provides enhanced access for data governance. | • Manage data governance artifacts. • Manage catalogs, categories, and projects. • Join any project as an administrator and view all active projects in the account. |
CPD-DataStage | Required basic access for all DataStage users. | View DataStage pipelines on the dashboard. |
CPD-Machine-Learning | Provides access to watsonx.ai Runtime. | • Create deployment spaces. • Create and view watsonx.ai Runtime instances. |
CPD-Match360 | Provides manager permissions for IBM Match 360 with Watson. | Create, edit, and manage access to Match 360 features such as Matching, Models, Configurator, and Pair Analysis. |
Public Access | Default group that includes all users and all service IDs. | All group members, including unauthenticated users, are given public access to any resources that are defined in the policies for the group. |
Role assignments for the example access groups
The suggested Service and Platform role assignments for the example access groups are:
Access group | Service names | Service roles | Platform role | Watson Query role[1] |
---|---|---|---|---|
Account-Administrator | • All Identity and Access enabled services • All Account Management services | • Manager • Not applicable | • Administrator • Editor | Not applicable |
CPD-Administrator | IBM Cloud Pak for Data | Manager | Administrator | Not applicable |
CPD-Cat-Proj | Cloud Object Storage | Manager | Administrator | Not applicable |
CPD-COS-Admin | Cloud Object Storage | Manager | Administrator | Not applicable |
CPD-Common-User | • All Identity and Access enabled services • Support Center | • Reader • Not applicable | • Viewer • Editor | Not applicable |
CPD-Data-Scientist | IBM Cloud Pak for Data | CloudPak Data Scientist | Editor | Watson Query User (assign to each user) |
CPD-Data-Engineer | IBM Cloud Pak for Data | CloudPak Data Engineer | Editor | Watson Query Engineer (assign to each user) |
CPD-Data-Steward | IBM Cloud Pak for Data | CloudPak Data Steward | Editor | Watson Query Steward (assign to each user) |
CPD-Data-Virtualization | Watson Query | Not applicable | Editor | Watson Query Manager (assign to each user) |
CPD-DataGovernance-Admin | IBM Cloud Pak for Data | • Manager • Reporting Administrator | Administrator | Not applicable |
CPD-DataStage | DataStage | Reader | Editor | Not applicable |
CPD-Machine-Learning | • watsonx.ai Runtime • Cloud Object Storage | • Writer • Manager | • Administrator • Administrator | Not applicable |
CPD-Match360 | Match 360 | Manager | Administrator | Not applicable |
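The role table maps onto IBM Cloud IAM access policies one (group, service) pair at a time. The following added example (not IBM's own tooling) builds the policy body for a row and flags the Manager or Administrator grants a reviewer should justify; it assumes the IAM serviceName values "pm-20" (watsonx.ai Runtime) and "cloud-object-storage", and uses constructed placeholder group and account IDs.

```python
"""Build and review IAM policy bodies for the example access groups (added
example, not IBM's tooling). Each (group, service) row of the role table becomes
one policy shaped for the IAM Policy Management API (POST /v1/policies), which is
what `ibmcloud iam access-group-policy-create GROUP -f policy.json` submits.
Assumed serviceName values: "pm-20" (watsonx.ai Runtime), "cloud-object-storage".
"""
import json

PLATFORM_ROLES = {"Viewer", "Operator", "Editor", "Administrator"}
SERVICE_ROLES = {"Reader", "Writer", "Manager"}
HIGH_PRIVILEGE = {"Manager", "Administrator"}


def role_crn(role: str) -> str:
    """Platform roles and service roles use different IAM CRN prefixes."""
    if role in PLATFORM_ROLES:
        return f"crn:v1:bluemix:public:iam::::role:{role}"
    if role in SERVICE_ROLES:
        return f"crn:v1:bluemix:public:iam::::serviceRole:{role}"
    raise ValueError(f"unknown IAM role: {role}")


def build_policy(group_id, account_id, service_name, service_roles, platform_role):
    """One access policy: subject is the access group, scope is one service."""
    roles = list(service_roles) + [platform_role]
    return {
        "type": "access",
        "subjects": [{"attributes": [{"name": "access_group_id", "value": group_id}]}],
        "roles": [{"role_id": role_crn(r)} for r in roles],
        "resources": [{"attributes": [
            {"name": "accountId", "value": account_id},
            {"name": "serviceName", "value": service_name},
        ]}],
    }


def high_privilege_roles(policy):
    """Roles (Manager, Administrator) a reviewer should justify before applying."""
    names = {r["role_id"].rsplit(":", 1)[1] for r in policy["roles"]}
    return sorted(names & HIGH_PRIVILEGE)


# Constructed rows for CPD-Machine-Learning: (serviceName, service roles, platform role).
SAMPLE_ROWS = [("pm-20", ["Writer"], "Administrator"),
               ("cloud-object-storage", ["Manager"], "Administrator")]

if __name__ == "__main__":
    for svc, svc_roles, plat in SAMPLE_ROWS:
        p = build_policy("AccessGroupId-EXAMPLE", "ACCOUNT_ID_EXAMPLE", svc, svc_roles, plat)
        print(json.dumps(p, indent=2), "high-privilege:", high_privilege_roles(p))
```

Replace the placeholder IDs with the access group ID from `ibmcloud iam access-group` output and your account ID before submitting a policy.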
Roles for collaborating in Cloud Pak for Data as a Service workspaces
Access control extends beyond the IAM access groups to the workspaces within Cloud Pak for Data as a Service. Workspaces include Projects, Catalogs, Categories, and Deployment spaces. To work in Cloud Pak for Data as a Service, users must create workspaces or be assigned collaborator roles in those workspaces. Collaborator roles provide levels of access such as Viewer, Editor, or Administrator. See the following topics for information about collaborator roles for each type of workspace:
Learn more
- Roles in Cloud Pak for Data as a Service
- Setting up IBM Cloud Object Storage for use with Cloud Pak for Data as a Service
- IBM Cloud docs: IAM access
- IBM Cloud docs: What is IBM Cloud Identity and Access Management
- IBM Cloud docs: Setting up access groups
- IBM Cloud docs: Best practices for organizing resources and assigning access
Parent topic: Working with IAM access groups
[1] The Watson Query roles are assigned directly to individual users within the Watson Query application. These roles are not assigned in IBM Cloud IAM. Watson Query does not support access groups. See Managing roles for users in Watson Query.