Review the roles and permissions that users need for working with Data Product Hub.
IAM roles and collaborator roles
Data Product Hub users require two types of roles:
- Roles assigned in IBM Cloud, which are called IAM roles
- Roles assigned in Data Product Hub, which are called collaborator roles
As the IBM Cloud account owner or administrator, you assign IAM roles to individual users or to access groups on IBM Cloud using Manage users and access.
The IAM role assignments provide Platform or Service level permissions for IBM Cloud. Any of the IAM Platform roles of Viewer, Editor, Operator, and Administrator can be assigned to most users who work with Data Product Hub. The minimum IAM Platform role for working in Data Product Hub is Viewer for the users who will be consumers or producers. The exception is the Data Product Hub Manager, who must be assigned the IAM Platform Administrator role.
The account administrator can delegate a Data Product Hub Manager to initialize Data Product Hub by logging in for the first time. The Manager also requires other roles, as described in Delegate a Data Product Hub Manager.
Assigning IAM roles
Assign IAM roles in IBM Cloud by navigating to Manage > Access (IAM). You can assign roles to individual users, or create access groups to expedite the assignment of roles to groups of users who require the same permissions.
Creating access groups
Access groups allow you to assign the same roles and permissions to a group of users, rather than making assignments to individual users. IAM access groups are created and managed entirely on IBM Cloud. You can modify an access group after you create it. You can add and delete members, add and delete policies, and make other modifications as needed. When you modify the policies of an access group, the new policies are immediately applied to all members of the group. When you add a user to an access group, they are assigned the permissions of the group.
Access groups save time when assigning collaborator roles in Data Product Hub. For example, you can create an access group for consumers and one for producers. Then you assign the Viewer role to the Consumers group. Assign the Editor role to the Producers group. When you add a new user, add them to the appropriate access group.
For instructions on creating access groups in IBM Cloud, see Setting up access groups.
Delegate a Data Product Hub Manager
Either the IBM Cloud account administrator or their delegate must be the first user to log in to Data Product Hub to initialize it. The IAM Service role of Manager can be assigned to the delegated user who is going to log in to initialize Data Product Hub.
The account administrator assigns the Manager and other roles to delegate a user who can initialize Data Product Hub. The required roles are described in the following table:
Service | Role level | Role | Action |
---|---|---|---|
Data Product Hub | Service | Manager | Initialize Data Product Hub upon initial log in |
Data Product Hub | Platform | Administrator | Initialize Data Product Hub upon initial log in |
All Account Management services | Platform | Administrator | Initialize Data Product Hub upon initial log in |
Cloud Object Storage | Service | Manager | Configure a bucket for storing data contracts |
Cloud Object Storage | Platform | Administrator | Configure a bucket for storing data contracts |
After logging in to initialize Data Product Hub, the Data Product Hub Manager performs the following next steps:
- Creates a Cloud Object Storage bucket for storing data contracts. See Managing storage.
- Adds the account administrator to the community with the Admin role. See Managing the Data Product Hub community.
- Adds members to the community with appropriate roles. See Managing the Data Product Hub community.
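The following access-review sketch is an added example, not IBM code. It checks a delegate's effective IAM assignments (direct plus those inherited from access groups) against the required-roles table above, and checks every other user against the minimum Platform role of Viewer. The user names and the tuple-based export shape are assumptions made for illustration and are not an IBM Cloud API format.

```python
DPH = "Data Product Hub"
# Required assignments for the delegated Manager, copied from the table above:
# (service, role level, role).
MANAGER_REQUIRED = {
    (DPH, "Service", "Manager"),
    (DPH, "Platform", "Administrator"),
    ("All Account Management services", "Platform", "Administrator"),
    ("Cloud Object Storage", "Service", "Manager"),
    ("Cloud Object Storage", "Platform", "Administrator"),
}
PLATFORM_ROLES = {"Viewer", "Editor", "Operator", "Administrator"}

def effective(user, direct, groups, group_policies):
    """Direct assignments plus everything inherited from access groups."""
    have = set(direct.get(user, ()))
    for group, members in groups.items():
        if user in members:
            have |= set(group_policies.get(group, ()))
    return have

def review(users, manager, direct, groups, group_policies):
    """Return {user: [gap, ...]} for users whose IAM roles fall short."""
    findings = {}
    for user in users:
        have = effective(user, direct, groups, group_policies)
        if user == manager:
            gaps = [f"missing {level} role {role} on {service}"
                    for service, level, role in sorted(MANAGER_REQUIRED - have)]
        elif any(s == DPH and l == "Platform" and r in PLATFORM_ROLES
                 for s, l, r in have):
            gaps = []
        else:
            gaps = ["no IAM Platform role on Data Product Hub (minimum: Viewer)"]
        if gaps:
            findings[user] = gaps
    return findings

# Constructed sample data (hypothetical users, simplified export shape).
USERS = ["alice@example.com", "bob@example.com", "carol@example.com"]
GROUPS = {"Consumers": {"bob@example.com"}, "Producers": set()}
GROUP_POLICIES = {"Consumers": {(DPH, "Platform", "Viewer")},
                  "Producers": {(DPH, "Platform", "Editor")}}
DIRECT = {"alice@example.com": MANAGER_REQUIRED
          - {("Cloud Object Storage", "Platform", "Administrator")}}

if __name__ == "__main__":
    for user, gaps in review(USERS, "alice@example.com", DIRECT,
                             GROUPS, GROUP_POLICIES).items():
        print(user, "->", "; ".join(gaps))
```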
Assigning collaborator roles
Data Product Hub requires that all users have a collaborator role. Collaborator roles are assigned by the Data Product Hub Administrator from the Administration > Configurations and settings > Manage community page.
Collaborators have one of these roles that provide permissions:
- Viewer: Data product consumers who discover and subscribe to data products.
- Editor: Data product producers who author, publish, and manage data products. The Editor role includes the permissions for Viewer.
- Admin: Administrators who add users, assign roles, and perform other configuration tasks. The Admin role includes the permissions for Viewer and Editor.
The following table shows the actions that you can complete depending on your collaborator role.
+ indicates that users need to be owners of a subscription or data product to perform the action.
Action | Viewer | Editor | Admin |
---|---|---|---|
Log in to Data Product Hub | ✓ | ✓ | ✓ |
View the Data Product Hub home page | ✓ | ✓ | ✓ |
Search for published data products | ✓ | ✓ | ✓ |
Subscribe to a data product | ✓ | ✓ | ✓ |
Send and receive notifying comments | ✓ | ✓ | ✓ |
View subscriptions | ✓+ | ✓+ | ✓+ |
Publish, edit, and delete data products | | ✓+ | ✓+ |
Manage data products from My work page | | ✓+ | ✓+ |
Create data product drafts and versions | | ✓ | ✓ |
Add custom properties to a data product | | ✓ | ✓ |
Accept or reject requests for new data products | | ✓ | ✓ |
Approve access to data products | | ✓ | ✓ |
Create a list of preapproved users | | ✓ | ✓ |
Create connections to data sources | | ✓ | ✓ |
Edit credentials for a shared connection | | ✓ | ✓ |
View the insights dashboard | | ✓ | ✓ |
Add or delete users or groups | | | ✓ |
Assign and modify roles | | | ✓ |
Create and delete business domains | | | ✓ |
Create custom properties | | | ✓ |
Learn more
- IBM Cloud docs: IAM access
- IBM Cloud docs: What is IBM Cloud Identity and Access Management
- IBM Cloud docs: Setting up access groups
- Managing the Data Product Hub community