Giving users access to IBM Match 360
To give other users access to your IBM Match 360 with Watson service instance, you must add them as collaborators in your IBM Cloud Pak for Data as a Service project, and then assign them to the appropriate service access levels to control their permissions.
- Required permissions
- You must have the following account management roles to manage access:
-
- Account owner
-
- Editor
-
- Administrator
Only the Cloud Pak for Data account owner or administrator who created the service is granted access to the IBM Match 360 service by default.
To enable users to access the service, you must define each user's individual access policy or add them to the appropriate access group. For example, to configure and set up a master data configuration asset, users must have an access policy that gives them the Data Engineer service access role.
From within your Cloud Pak for Data as a Service account, you can:
- Add collaborators
- Add service IDs
- Change collaborator permissions
- Remove a collaborator
For more information about completing these tasks, see Project collaborators.
Jump to the appropriate section for more information:
IBM Match 360 with Watson service access and permissions
Access policies and access groups determine which actions users have permission to perform within IBM Match 360 with Watson. A Cloud Pak for Data administrator can assign access to users, enabling them to use the features of IBM Match 360.
To access IBM Match 360, a Cloud Pak for Data user must be assigned one of the following IBM Match 360 service access roles, either through an access policy or an access group:
Service access | Entity maintenance tasks | Model tasks | Matching tasks | Jobs tasks | Configuration tasks | Pair review tasks |
---|---|---|---|---|---|---|
Data Engineer | read, write, manage | read, write, manage | read, write, manage | read, write, manage | read, write, manage | none |
DataSteward | read, write | read | none | read | none | read, write |
Publisher User | read, write, manage | read, write, manage | none | read, write | none | none |
Entity Viewer | read | read | read | read | none | none |
- Data Engineer (required to set up your master data instance)
- Data Engineer users have full rights to configure a IBM Match 360 service instance, onboard data sources, customize the data model, tune and customize the matching algorithm, run matching, view or create jobs, create pair review requests, and view or edit entities and records in the master data explorer. Data Engineer users can create and set up a master data configuration asset. Data engineers can also view and manage governed data.
- DataSteward
- Data Steward users can onboard data sources, run matching, view the data model, view ongoing jobs, complete pair review tasks, and view or edit entities and records in the master data explorer.
- Publisher User
- The Publisher User role is used primarily to publish data from an IBM InfoSphere Master Data Management instance, through the MDM Publisher tool, into IBM Match 360. Publisher User members can onboard data sources, customize the data model, and view or create jobs. Publisher users can also view and manage governed data.
- Entity Viewer
- Entity Viewer users have read-only permission in an IBM Match 360 instance. They can view master data, the model, the results of matching, and ongoing jobs.
There are other service access roles within the IBM Match 360 category that you can select. All available roles are included within one or more the four main roles: Data Engineer, DataSteward, Publisher User, and Entity Viewer.
Setting up access groups
You can create access groups to make it simpler to administer user access to IBM Match 360. By assigning users to an access group, you can control the permissions that each member of the group has within the service.
Depending on how you plan to use IBM Match 360 and how many distinct users you plan to invite as collaborators, you might want to create access groups that correspond to each of the four main service access roles described in the previous section.
For information about setting up access groups on IBM Cloud, see Working with IAM access groups.
Assigning access
You can invite one or multiple users in a single invitation. If you invite multiple users at once, the same access is assigned to each user. However, you can also invite users to your account with no access, and assign them access later.
- Go to Administration > Access (IAM). Then, select Users in the IBM Cloud console.
- Click Invite users.
- Specify the email addresses of the users. If you are inviting more than one user with a single invitation, they are all assigned the same access.
- Expand the Assign users additional access section.
- Select IAM services, and then select IBM Match 360 with Watson as the type of access.
- Select all user groups that apply. To view what actions are mapped to each group, click the number next to the role name.
- Click Add to save the access assignment to the invitation.
- After you add all the necessary access assignments, click Invite.
Managing access for existing users and access groups
You might want to assign additional access to a user, or an access group, or edit the existing access to ensure that all members of your account have the correct level of access.
To assign access, see Step 2: Assign roles to users and access groups.
To edit an existing policy:
- Click the entry in the role column.
- Select that you want to add or deselect those that you want to remove from the policy.
- Save your changes.
You can also remove access by deleting an access policy.
Learn more
- Project collaborators
- User roles and permissions
- Working with IAM access groups
- Master Data Management tutorial: Configure a 360-degree view
Parent topic: Managing master data by using IBM Match 360 with Watson