0 / 0
Giving users access to IBM Match 360

Giving users access to IBM Match 360

To give other users access to your IBM Match 360 service instance, you must add them as collaborators in your IBM Cloud Pak for Data as a Service project, and then assign them to the appropriate service access levels to control their permissions.

Required permissions
You must have the following account management roles to manage access:
  • Account owner
  • Editor
  • Administrator

Only the Cloud Pak for Data account owner or administrator who created the service is granted access to the IBM Match 360 service by default.

To enable users to access the service, you must define each user's individual access policy or add them to the appropriate access group. For example, to configure and set up a master data configuration asset, users must have an access policy that gives them the Data Engineer service access role.

From within your Cloud Pak for Data as a Service account, you can:

  • Add collaborators
  • Add service IDs
  • Change collaborator permissions
  • Remove a collaborator

For more information about completing these tasks, see Project collaborators.

Jump to the appropriate section for more information:

IBM Match 360 with Watson service access and permissions

Access policies and access groups determine which actions users have permission to perform within IBM Match 360 with Watson. A Cloud Pak for Data administrator can assign access to users, enabling them to use the features of IBM Match 360.

To access IBM Match 360, a Cloud Pak for Data user must be assigned one of the following IBM Match 360 service access roles, either through an access policy or an access group:

IBM Match 360 user permissions
Service access Entity maintenance tasks Model tasks Matching tasks Jobs tasks Configuration tasks Pair review tasks
Data Engineer read, write, manage read, write, manage read, write, manage read, write, manage read, write, manage none
DataSteward read, write read none read none read, write
Publisher User read, write, manage read, write, manage none read, write none none
Entity Viewer read read read read none none
Data Engineer (required to set up your master data instance)
Data Engineer users have full rights to configure a IBM Match 360 service instance, onboard data sources, customize the data model, tune and customize the matching algorithm, run matching, view or create jobs, create pair review requests, and view or edit entities and records in the master data workspace. Data Engineer users can create and set up a master data configuration asset. Data engineers can also view and manage governed data.
DataSteward
Data Steward users can onboard data sources, view the data model, view ongoing jobs, complete pair review tasks, and view or edit entities and records in the master data workspace.
Publisher User
The Publisher User role is used primarily to publish data from an IBM InfoSphere Master Data Management instance, through the MDM Publisher tool, into IBM Match 360. Publisher User members can onboard data sources, customize the data model, and view or create jobs. Publisher users can also view and manage governed data.
Entity Viewer
Entity Viewer users have read-only permission in an IBM Match 360 instance. They can view master data, the model, the results of matching, and ongoing jobs.

There are other service access roles within the IBM Match 360 category that you can select. All available roles are included within one or more the four main roles: Data Engineer, DataSteward, Publisher User, and Entity Viewer.

Setting up access groups

You can create access groups to make it simpler to administer user access to IBM Match 360. By assigning users to an access group, you can control the permissions that each member of the group has within the service.

Depending on how you plan to use IBM Match 360 and how many distinct users you plan to invite as collaborators, you might want to create access groups that correspond to each of the four main service access roles described in the previous section.

For information about setting up access groups on IBM Cloud, see Working with IAM access groups.

Assigning access

You can invite one or multiple users in a single invitation. If you invite multiple users at once, the same access is assigned to each user. However, you can also invite users to your account with no access, and assign them access later.

  1. Go to Administration > Access (IAM). Then, select Users in the IBM Cloud console.
  2. Click Invite users.
  3. Specify the email addresses of the users. If you are inviting more than one user with a single invitation, they are all assigned the same access.
  4. Expand the Assign users additional access section.
  5. Select IAM services, and then select IBM Match 360 with Watson as the type of access.
  6. Select all user groups that apply. To view what actions are mapped to each group, click the number next to the role name.
  7. Click Add to save the access assignment to the invitation.
  8. After you add all the necessary access assignments, click Invite.

Managing access for existing users and access groups

You might want to assign additional access to a user, or an access group, or edit the existing access to ensure that all members of your account have the correct level of access.

To assign access, see Step 2: Assign roles to users and access groups.

To edit an existing policy:

  1. Click the entry in the role column.
  2. Select that you want to add or deselect those that you want to remove from the policy.
  3. Save your changes.

You can also remove access by deleting an access policy.

Learn more

Parent topic: Managing master data by using IBM Match 360 with Watson

Generative AI search and answer
These answers are generated by a large language model in watsonx.ai based on content from the product documentation. Learn more