0 / 0
Levels of user access roles in Cloud Pak for Data as a Service

Levels of user access roles in Cloud Pak for Data as a Service

Every user of Cloud Pak for Data as a Service has multiple levels of roles with the corresponding permissions, or actions. The permissions determine what actions a user can perform on the platform or within a service. Some roles are set in IBM Cloud, and others are set in Cloud Pak for Data as a Service.

The IBM Cloud account owner or administrator sets the Identity and Access (IAM) Platform and Service access roles in the IBM Cloud account. Workspace administrators in Cloud Pak for Data as a Service set the collaborator roles for workspaces, for example, projects, deployment spaces, catalogs, categories, and virtual views.

Familiarity with the IBM Cloud IAM feature, Access groups, Platform roles, and Service roles is required to configure user access for Cloud Pak for Data as a Service. See IBM Cloud docs: IAM access for a description of IBM Cloud IAM Platform and Service roles.

Rather than assigning each individual user a set of roles, you can create Access groups to consolidate actions for a groups of users. Access groups (also called user groups) contain roles and corresponding permissions that you want to assign to a group of users. Access groups expedite role assignments by organizing permissions for multiple users. See Working with IAM access groups.

This illustration shows the different levels of roles assigned to each user so that they can work in Cloud Pak for Data as a Service.

Levels of roles in Cloud Pak for Data as a Service
Levels of roles in Cloud Pak for Data as a Service

The levels of roles are:

  • IAM Platform access roles determine your permissions for the IBM Cloud account. At least the Viewer role is required to work with services.
  • IAM Service access roles determine your permissions within services.
  • Workspace collaborator roles determine what actions you have permission to perform within workspaces in Cloud Pak for Data as a Service. The workspaces are projects, deployment spaces, catalogs, categories and virtual views.

IAM Platform access roles

The IAM Platform access roles are assigned and managed in the IBM Cloud account.

IAM Platform access roles provide permissions to manage the IBM Cloud account and to access services within Cloud Pak for Data as a Service. The Platform access roles are Viewer, Operator, Editor, and Administrator. The Platform roles are available to all services on IBM Cloud.

The Viewer role has minimal, view-only permissions. Users need at least Viewer role to see the services in Cloud Pak for Data as a Service. A Viewer can:

  • View, but not modify, available service instances and assets
  • Associate services with projects.
  • Become collaborator in projects or catalogs.
  • Create projects, deployment spaces, and catalogs if assigned appropriate permissions for Cloud Object Storage.

The Operator role has permissions to configure existing service instances. An Operator can:

  • Configure and operate, but not provision, service instances of Watson Query.
  • View service dashboards for Watson Query.

The Editor role provides access to these actions:

  • All Viewer role permissions.
  • Provision instances of services.
  • Update plans for service instances.

The Administrator role provides the same permissions as the Owner role for the account. With Administrator role, you can:

To understand IAM Platform access roles, see IBM Cloud docs: What is IBM Cloud Identity and Access Management?.

IAM Service access roles

Service roles apply to individual services and define actions permitted within the service. The IBM Cloud Pak for Data Service contains roles and permissions that apply to IBM Knowledge Catalog and Watson Studio. See User roles and permissions for IBM Knowledge Catalog and Watson Studio. IBM Cloud Object Storage has its own set of Service access roles. See Setting up IBM Cloud Object Storage for use with Cloud Pak for Data as a Service.

The following table shows the permissions for Service access roles for IBM Cloud Pak for Data for categories, catalogs, and projects:

Table 1. IAM Service access roles for IBM Cloud Pak for Data
Role Categories Catalogs Projects
Manager Manage Manage Manage
CloudPak Data Steward Access Access None
CloudPak Data Engineer Access Access None
CloudPak Data Scientist None Access None
Reporting Administrator None Access None
CloudPak Data Quality Analyst None None None

For a full list of permissions and associated actions with these roles, see User roles and permissions for IBM Knowledge Catalog and Watson Studio.

The following table shows the permissions for IAM Service access roles for All Identity and Access enabled services for categories and catalogs:

Table 2. IAM Service access roles for All Identity and Access enabled services
Role Categories Catalogs
Manager Manage Manage
Writer None Manage
Reader None View

Workspace collaborator roles

Your role in a specific workspace determines what actions you can perform in that workspace. Your IAM roles do not affect your role within a workspace. For example, you can be the Administrator of the Cloud account, but this does not automatically make you an administrator for a project or catalog. The Admin collaborator role for a project (or other workspace) must be explicitly assigned. Similarly, roles are specific to each project. You may have Admin role in a project, which gives you full control of the contents of that project, including managing collaborators and assets. But you can have the Viewer role in another project, which allows you to only view the contents of that project.

Most workspaces have these roles:

  • Admin: Control assets, collaborators, and settings in the workspace.
  • Editor: Control assets in the workspace.
  • Viewer: View the workspace and its contents.

The exceptions are:

  • Categories have the Owner and Reviewer roles that have slightly different permissions than Admin and Viewer.
  • Watson Query has its own workspace roles.

Cloud Pak for Data as a Service includes the following types of workspaces:

The permissions that are associated with each role are specific to the type of workspace:

Learn more

Parent topic: Adding users to the account

Generative AI search and answer
These answers are generated by a large language model in watsonx.ai based on content from the product documentation. Learn more