Working with IAM access groups
Every Cloud Pak for Data as a Service user requires a set of roles that includes IAM roles on IBM Cloud and collaborator roles for workspaces on Cloud Pak for Data as a Service. You can expedite the assignment of IAM roles to users by creating IAM access groups on IBM Cloud, assigning roles to the groups, and then adding users to the groups.
By assigning users to one or more access groups, you are granting them the permissions they need to work with the services in Cloud Pak for Data as a Service. You can assign users to more than one access group to provide the appropriate access.
Access groups provide permissions for Service access and Platform access on IBM Cloud. Since Cloud Pak for Data as a Service runs on IBM Cloud, users must be assigned both Service and Platform permissions. Service permissions apply to individual services and define operations permitted within the service. Platform permissions define operations on the cloud platform such as provisioning or deletion of services.
You can also assign roles to individual users, but remember that individually-assigned roles are not updated when access groups are updated. When you assign roles to individual users, you must update each user individually to make changes.
Access groups are more efficient than assigning individual users when assigning collaborators to catalogs and categories. For billable Watson Knowledge Catalog plans, you can assign an access group as a collaborator to a catalog and assign an access group as a collaborator to a category.
- Required roles
- To manage or create IAM access groups, you must have one of the following roles in the IBM Cloud account:
- Account Owner
- Administrator or Editor for All Identity and Access enabled services
- Administrator or Editor on the IAM Access Groups account management service in the account
- Administrator or Editor for the All Account Management services
Public access group
Every IBM Cloud account contains the default Public Access group. The Public Access group contains all users and Service IDs in an account. In Watson Knowledge Catalog,the predefined Public access user group is automatically added as a collaborator with the Viewer role to top-level categories. See Categories for governance artifacts (Watson Knowledge Catalog).
IBM Cloud IAM limits
IBM Cloud IAM places limits on the number of access groups per account and per user, as well as other limits. If a limit is exceeded, you receive an exception and cannot create any new access groups beyond that limit. For a list of all IAM limits, see IBM Cloud docs: IBM Cloud IAM limits.
Example access groups
The example IAM access groups provide a starting point for providing basic access to Cloud Pak for Data as a Service services. You can edit the example access groups as needed for your implementation. For a description of the example access groups and suggested roles, see Using the example access groups.
- Setting up access groups
- Using the example access groups
- IBM Cloud docs: Assigning access to resources by using access groups
Parent topic: Setting up the platform