0 / 0
Managing roles for users and groups in Watson Query

Managing roles for users in Watson Query

Watson Query has four user roles, which are specific to Watson Query. You can grant these roles to existing IBM® Cloud account users.

To learn more, review the following information.

Restriction:

Watson Query access control is not applied when data masking or row-level filtering applies to the preview in Watson™ services (other than Watson Query). The Watson Query internal access controls, which are controlled by using Manage access in the Watson Query UI, do not apply to the preview from the other Watson services with masking or row-level filtering. You must define your rules to manage access to the catalogs, projects, data assets, or connections for access control in the other Watson services.

The preview is subject to the data protection rules and catalog or project access control only.

Even though a user does not have access to query an object from Watson Query, they might be able to preview it in a catalog or project if they have access to that catalog or project the data asset.

Watson Query roles

Watson Query supports four roles: Manager (service administrator), Engineer, Steward, and User. For a user to be able to access and use the Watson Query service, you must assign them one of the four Watson Query roles. The Watson Query roles control access within a particular Watson Query instance and determine what users can do inside that Watson Query instance. Each of these roles can take advantage of different capabilities.

For a user to have access to the Watson Query service, you must assign them one of the following Watson Query roles.
Note: Users that are added with a Watson Query Manager role or a Watson Query Engineer role must also be added as a collaborator to the Platform assets catalog before they can add or configure data sources.
Note:
  • You assign Watson Query roles within the Watson Query service, not as part of the Identity Management Service (IAM) on IBM Cloud.
  • You can assign Watson Query roles directly to individual users only. You cannot assign Watson Query roles to IAM access groups.
Watson Query Manager
The user who provisions the Watson Query service is automatically assigned the Watson Query Manager role. After the service is provisioned, the Watson Query Manager can give other users access to the service.

The Watson Query Manager is considered to be the manager of the Watson Query instance and assigns appropriate Watson Query roles to Cloud Pak for Data users.

Watson Query Engineer
Configures the data sources, virtualizes data, and manages access to virtual objects. Users with this role can create a virtual table or view and grant access to it to users with the Engineer or User role.

Data source administrators are expected to provide access to a user with a Watson Query Engineer or Manager role before that user can add a data source.

Watson Query User

Users with this role can create views of virtual tables to which they have access.

Watson Query Steward

Watson Query Stewards can access data in all user tables and views. Watson Query automatically grants Db2® SELECTIN authority to the Steward role on all schemas.

The following table summarizes the Watson Query menu functions that each of the Watson Query user roles is able to access.
Note: Users must have at least one Watson Query role (Manager, Engineer, Steward, or User) and at least one platform role (Platform administrator, Platform Operator, Platform Editor, or Platform Viewer). The Platform Viewer role is the minimum role that must be assigned along with each Watson Query role, unless otherwise indicated in the table.
Menu Capabilities Sub items Manager Engineer Steward User Platform administrator Platform operator Platform editor Platform viewer
Virtualization Data sources              
  Virtualize              
  Virtualized data          
Monitor dashboard. Summary   1 1 1        
  Database Database partitions        
    Database time spent        
    Database usage        
  Statement Individual executions 2              
    In-flight executions        
    Package cache 2            
    Stored procedures              
  Applications Top consumers 2              
    Connections        
  Throughput Connection summary 2            
    Operating system time spent 2              
    Partition skew 2              
    Partition summary 2              
    WLM service class summary 2              
    WLM workload summary 2              
  I/O Buffer pools      
    Prefetchers        
    Logging performance        
  Storage Storage        
    Table performance        
    Table space performance        
                     
Run SQL Run SQL          
Explorer Tables          
  Views          
  Indexes          
  Remote tables          
  Aliases          
  MQTs                
  Schemas                
  Sequences          
  Application objects          
  Authorization                
  Workload                
User management User management  
Note: To access User management, a user must have both the Watson Query Manager role and the Platform administrator role.
           
Configure connection            
Settings Event monitor profile                
  Monitoring profile                
  Service settings General          
    Governance 3          
    Scaling    
    History    
    Access restriction          

Permissions of Watson Query roles

The following table describes the permissions that are associated with each Watson Query role.
Roles Permissions
Watson Query Manager
  • Administer the service.
  • Administer the database.
  • Access data.
  • Manage data sources.
  • Manage users and assign Watson Query roles.
  • Create and share any schema.
Watson Query Engineer
  • Access connection information.
  • Manage data sources.
  • Create virtual tables and views.
Watson Query User
  • Access connection information.
  • Create virtual views over existing virtual tables and views.
Watson Query Steward
  • Access connection information.
  • Access data.
  • Create virtual views over existing virtual tables and views.
  • Create and manage private schema.
Important: To grant another user control on an object, including privileges to grant permissions to other users, and to remove a virtual object, the target user or role must be granted the CONTROL privilege on that object as shown in the following example.
GRANT CONTROL on object to ROLE DV_ENGINEER
For more information about the CONTROL privilege, see the Db2 product documentation.

Platform roles

There are also IAM Platform access roles that apply to the user's Platform access. IAM Platform access roles provide permissions to manage the IBM Cloud account and to access IBM Cloud Pak® for Data as a Service functions such as scaling and monitoring of Watson Query.

The Platform Operator and Editor can access the same set of common functions in Watson Query to configure and operate service instances. For more information, see Add users to the account.

An Operator can also perform the following tasks.
  • Configure and operate, but not provision, service instances of Watson Query.
  • View service dashboards for Watson Query.
The Editor role provides access to these permissions within Cloud Pak for Data as a Service.
  • All Viewer role permissions.
  • Permission to provision instances of services.
  • Permission to update plans for service instances.

For more information, see Identity and access management (IAM) on IBM Cloud®.

What to do next

1 For Engineer, Steward, and User roles, only Responsiveness and Throughput widgets are available on the Summary page.
2 Only the Manager role can access this item.
3 Only the Manager role can change the Governance setting.
Generative AI search and answer
These answers are generated by a large language model in watsonx.ai based on content from the product documentation. Learn more