0 / 0
User roles and permissions for IBM Knowledge Catalog and watsonx.ai Studio
Last updated: Nov 21, 2024
User roles and permissions for IBM Knowledge Catalog and watsonx.ai Studio

The IBM Cloud Pak for Data service access roles in IBM Cloud Identity and Access Management (IAM) determine the actions that users have permission to perform in IBM Knowledge Catalog and watsonx.ai Studio.

As an account administrator, you add users to the IBM Cloud account and give them access to IBM Knowledge Catalog and watsonx.ai Studio by assigning them IAM service access roles for the IBM Cloud Pak for Data service.

You can assign any of the predefined roles, or create custom roles and assign those.

Jump to the appropriate section for more information:

Required permissions

To manage access, you must have one of the following user management roles:

  • Editor
  • Administrator

To create, update, or delete custom roles, you must have the following account role:

  • Administrator

Predefined roles

A role defines the permissions that a user or an access group has.

You can create new roles if the default set of permissions in a role doesn't align with your business needs. For more information, see Creating custom roles. You cannot edit the default roles.

Definitions for each permission are provided in Permissions. The predefined roles can include permissions that currently aren't used.

Table 1. Predefined roles for IBM Knowledge Catalog
Role Permissions Description
Manager Access catalogs
Manage catalogs
Manage data protection rules
Manage governance categories
Manage glossary
Manage projects
Manage governance workflows
Find a resource by using the Global Search and Tagging search API
See IAM service access policies
Administer governance artifacts
Drill down to issue details
Execute data quality rules
Manage data quality assets
Add catalog assets to projects
Manage data lineage
Assign this role to people who set up and administer IBM Knowledge Catalog or watsonx.ai Studio and perform the following tasks:
• watsonx.ai Studio users with this role can join any project as an administrator and view all active projects in the account.
• IBM Knowledge Catalog users with this role must make decisions about the organizations, workflow, and import of governance artifacts, which users can perform which tasks, and the catalogs to create.
The Manager role includes all the permissions that are granted in the other roles, except for the following permission:
• Manage reporting
Reporting Administrator Manage reporting Assign this role to people who need to generate reports about assets in catalogs.
Note: Users with this role can send all metadata from any project, catalog, or category to an external database regardless of membership or access permissions in existing projects, catalogs, and categories. Assign this privileged role with caution.
CloudPak Data Steward Access catalogs
Access governance artifacts
Manage data protection rules
Add catalog assets to projects
Assign this role to people who must perform the following tasks:
• Implement the governance framework by creating governance artifacts.
• Curate data by performing metadata import, metadata enrichment, data quality analysis, and publishing data assets to catalogs.
CloudPak Data Engineer Access governance artifacts
Manage data protection rules
Assign this role to people who create connections and then prepare and publish data assets to catalogs.
CloudPak Data Scientist Access catalogs
Access governance artifacts
Add catalog assets to projects
Assign this role to people who need to perform the following tasks:
• Find data assets in catalogs and then use the data to train models in projects.
• Document and govern models in catalogs.
Governance Artifacts Administrator Administer governance artifacts Assign this role to people who need to perform the following tasks:
• View and edit all governance artifacts in all categories
• Edit categories, including changing collaborators and category permissions
• Run all API calls for governance artifacts
• Set rule conventions and rule settings
CloudPak Data Quality Analyst Drill down to issue details
Execute data quality rules
Manage data quality assets
Assign this role to people who need to set up and run data quality analysis and to evaluate the analysis results.
CloudPak Data Source Administrator Create data source definitions and see a list of all connections across the account Assign this role to people who need to create data source definitions.
CloudPak Data Source Creator Create data source definitions Assign this role to people who need to create data source definitions.
Policy decision operator Evaluate policy decision Assign this role to people who evaluate data access requests on behalf of other users.
Lineage Administrator Access data lineage
Manage data lineage
Create data source definitions
Assign this role to people who need to import lineage metadata and manage imported lineages.

Permissions

The following table describes the actions that are associated with each permission.

Table 2: Actions for each permission
Permission Action
Access catalogs
(cp4d.catalog.access)
• Become a collaborator in a catalog
• View assets in the catalogs they have access to
• Complete other actions in the catalog, depending on the catalog collaborator role
• Create or join projects
Add catalog assets to projects
(cp4d.catalog-assets-to-projects.add)
• Add assets from a catalog to a project
Access governance artifacts
(cp4d.governance-artifacts.access)
• Become a collaborator in a category
• View categories they can access
• View published governance artifacts in categories they can access
• Complete other actions in the category, depending on the category collaborator role:
    • Add, edit, delete, import, or export categories
    • Manage collaborators in categories
    • View draft governance artifacts
    • Add, edit, delete, import, or export governance artifacts
Administer governance artifacts
(cp4d.glossary.admin)
• View and edit all governance artifacts in all categories
• Edit categories, including changing collaborators and category permissions
• Run all API calls for governance artifacts
Create data source definitions
(cp4d.data-source-definitions.create)
• Create data source definitions
Create data source definitions and see a list of all connections across the account
(cp4d.data-source-definitions.manage)
• Create data source definitions and see a list of all connections across the account
Drill down to issue details
(cp4d.data-quality.drill-down)
• Access output tables of data quality rules from the run history or the Data quality page to view the data rows that cause data quality issues
Evaluate policy decision
(cp4d.governance-policy-decision.evaluate)
• For an integration user, to evaluate data access requests on behalf of registered platform users.
Execute data quality rules
(cp4d.data-quality.measure)
• Run data quality rules
Manage catalogs
(cp4d.catalog.manage)
• Create catalogs and view the list of all catalogs on the Catalog management page
•Users with this permission can delete a catalog if they have the admin role in the catalog
Manage data protection rules
(cp4d.data-protection-rules.manage)
• Create, edit, and delete data protection rules
Manage data quality assets
(cp4d.data-quality-asset-types.access)
• Create, edit, and delete data quality definitions and rules
Manage governance categories
(cp4d.governance-categories.manage)
• Create top-level categories
• Perform all tasks listed under Access governance artifacts
Manage glossary
(cp4d.glossary.manage)
• Create top-level categories
• Perform all tasks listed under Access governance artifacts
• Import and export governance artifacts in a ZIP file
Manage governance workflows
(cp4d.governance-workflow.manage)
• View all user tasks
• Unassign user tasks
• Assign workflow tasks to users
• Create, edit, and delete governance workflow configurations
Manage projects
(cp4d.project.manage)
• View all projects in the account
• Join any project as admin<
Manage reporting
(cp4d.wkc.reporting.manage)
• Set up reporting for IBM Knowledge Catalog data
Note: Users with this role can send all metadata from any project, catalog, or category to an external database regardless of membership or access permissions in existing projects, catalogs, and categories. Assign this privileged role with caution.
Manage data lineage
(cp4d.data-lineage.manage)
• Run metadata import jobs
• Publish assets from metadata jobs to projects or catalogs
• View monitor and manage page
• Delete lineage from monitor and manage page
• View lineage repository page
• View lineage graphs for all assets in the repository
• Add or delete external agents
• Update alias mappings and filesystem mappings
• Select Cloud Object Storage to enable lineage
Access data lineage
(cp4d.data-lineage.access)
• View lineage repository
• View lineage graphs for all assets in the repository

Assigning access

You can invite one or multiple users in a single invite. If you invite multiple users in one invitation, the same access is assigned to each user. However, you can invite users to your account with no access, and assign them access later.

  1. Go to Administration > Access (IAM). Then, select Users in the IBM Cloud console.
  2. Click Invite users.
  3. Specify the email addresses of the users. If you are inviting more than one user with a single invitation, they are all assigned the same access.
  4. Expand the Assign users additional access section.
  5. Select IAM services, and then select IBM Cloud Pak for Data as the type of access.
  6. Select all roles that apply. To view what actions are mapped to each role, click the number next to the role name.
  7. Click Add to save the access assignment to the invitation.
  8. After you add all the necessary access assignments, click Invite.

Managing access for existing users and access groups

You might want to assign more access to a user, or an access group, or edit the existing access to ensure that all members of your account have the correct level of access.

To assign access, see Step 2: Assign IBM Knowledge Catalog roles to users and access groups.

To edit an existing policy:

  1. Click the entry in the role column.
  2. Select that you want to add or deselect those that you want to remove from the policy.
  3. Save your changes.

You can also remove access by deleting an access policy.

Learn more

Parent topic: Setting up IBM Knowledge Catalog

Generative AI search and answer
These answers are generated by a large language model in watsonx.ai based on content from the product documentation. Learn more