Levels of user access roles in Cloud Pak for Data as a Service
Every user of Cloud Pak for Data as a Service has multiple levels of roles with the corresponding permissions, or actions. The permissions determine what actions a user can perform on the platform or within a service. Some roles are set in IBM Cloud, and others are set in Cloud Pak for Data as a Service.
The IBM Cloud account owner or administrator sets the Identity and Access (IAM) Platform and Service access roles in the IBM Cloud account. Workspace administrators in Cloud Pak for Data as a Service set the collaborator roles for workspaces, for example, projects, deployment spaces, catalogs, categories, and virtual views.
Familiarity with the IBM Cloud IAM feature, Access groups, Platform roles, and Service roles is required to configure user access for Cloud Pak for Data as a Service. See IBM Cloud docs: IAM access for a description of IBM Cloud IAM Platform and Service roles.
Rather than assigning each individual user a set of roles, you can create Access groups to consolidate actions for a groups of users. Access groups (also called user groups) contain roles and corresponding permissions that you want to assign to a group of users. Access groups expedite role assignments by organizing permissions for multiple users. See Working with IAM access groups.
This illustration shows the different levels of roles assigned to each user so that they can work in Cloud Pak for Data as a Service.
The levels of roles are:
- IAM Platform access roles determine your permissions for the IBM Cloud account. At least the Viewer role is required to work with services.
- IAM Service access roles determine your permissions within services.
- Workspace collaborator roles determine what actions you have permission to perform within workspaces in Cloud Pak for Data as a Service. The workspaces are projects, deployment spaces, catalogs, categories and virtual views.
IAM Platform access roles
The IAM Platform access roles are assigned and managed in the IBM Cloud account.
IAM Platform access roles provide permissions to manage the IBM Cloud account and to access services within Cloud Pak for Data as a Service. The Platform access roles are Viewer, Operator, Editor, and Administrator. The Platform roles are available to all services on IBM Cloud.
The Viewer role has minimal, view-only permissions. Users need at least Viewer role to see the services in Cloud Pak for Data as a Service. A Viewer can:
- View, but not modify, available service instances and assets
- Associate services with projects.
- Become collaborator in projects or catalogs.
- Create projects, deployment spaces, and catalogs if assigned appropriate permissions for Cloud Object Storage.
The Operator role has permissions to configure existing service instances. An Operator can:
- Configure and operate, but not provision, service instances of Watson Query.
- View service dashboards for Watson Query.
The Editor role provides access to these actions:
- All Viewer role permissions.
- Provision instances of services.
- Update plans for service instances.
The Administrator role provides the same permissions as the Owner role for the account. With Administrator role, you can:
- All Viewer, Operator, and Editor permissions.
- Perform all management actions for services.
- Add users to the IBM Cloud account and assign roles
- Perform administrative tasks in Cloud Pak for Data as a Service
- Manage services for Cloud Pak for Data as a Service
- Set up access groups
- Create custom service roles.
To understand IAM Platform access roles, see IBM Cloud docs: What is IBM Cloud Identity and Access Management?.
IAM Service access roles
Service roles apply to individual services and define actions permitted within the service. The IBM Cloud Pak for Data Service contains roles and permissions that apply to IBM Knowledge Catalog and watsonx.ai Studio. See User roles and permissions for IBM Knowledge Catalog and watsonx.ai Studio. IBM Cloud Object Storage has its own set of Service access roles. See Setting up IBM Cloud Object Storage for use with Cloud Pak for Data as a Service.
The following table shows the permissions for Service access roles for IBM Cloud Pak for Data for categories, catalogs, and projects:
Role | Categories | Catalogs | Projects |
---|---|---|---|
Manager | Manage | Manage | Manage |
CloudPak Data Steward | Access | Access | None |
CloudPak Data Engineer | Access | Access | None |
CloudPak Data Scientist | None | Access | None |
Reporting Administrator | None | Access | None |
CloudPak Data Quality Analyst | None | None | None |
For a full list of permissions and associated actions with these roles, see User roles and permissions for IBM Knowledge Catalog and watsonx.ai Studio.
The following table shows the permissions for IAM Service access roles for All Identity and Access enabled services for categories and catalogs:
Role | Categories | Catalogs |
---|---|---|
Manager | Manage | Manage |
Writer | None | Manage |
Reader | None | View |
Workspace collaborator roles
Your role in a specific workspace determines what actions you can perform in that workspace. Your IAM roles do not affect your role within a workspace. For example, you can be the Administrator of the Cloud account, but this does not automatically make you an administrator for a project or catalog. The Admin collaborator role for a project (or other workspace) must be explicitly assigned. Similarly, roles are specific to each project. You may have Admin role in a project, which gives you full control of the contents of that project, including managing collaborators and assets. But you can have the Viewer role in another project, which allows you to only view the contents of that project.
Most workspaces have these roles:
- Admin: Control assets, collaborators, and settings in the workspace.
- Editor: Control assets in the workspace.
- Viewer: View the workspace and its contents.
The exceptions are:
- Categories have the Owner and Reviewer roles that have slightly different permissions than Admin and Viewer.
- Watson Query has its own workspace roles.
Cloud Pak for Data as a Service includes the following types of workspaces:
- Categories for organizing governance artifacts.
- Catalogs for sharing assets across your organization.
- Projects for working with data.
- Deployment spaces for deploying assets.
- Virtual views for creating virtual tables from multiple data sources. Watson Query has four dedicated user roles related to virtual views. For more information, see Managing roles for users in Watson Query.
The permissions that are associated with each role are specific to the type of workspace:
Learn more
- IBM Cloud docs: What is IBM Cloud Identity and Access Management?
- IBM Cloud docs: IAM access
- IBM Cloud docs: Setting up access groups
- Setting up Cloud Pak for Data as a Service for your organization
- Managing Cloud Pak for Data as a Service
- Find your IBM Cloud account owner or administrator
- Determine your roles
- Managing roles for users in Watson Query
Parent topic: Adding users to the account