Roles in IBM Watson

Every user of IBM Watson apps has multiple roles. Each user has a role for the IBM Cloud account, can have a different role for each project and catalog, and can have a role for the Watson Knowledge Catalog app.

This illustration shows the different roles, which subordinate roles they can be assigned to, and a summary of the permissions for each role. The Watson Knowledge Catalog app roles have no effect on Watson Studio usage. Roles for IBM Watson apps

IBM Cloud account roles

The IBM Cloud roles you need depend on the app and the type of plan you have:

  • If you have the Watson Studio Lite plan and don’t plan to use the Watson Knowledge Catalog app, you can create unrestricted projects and invite any user as a collaborator. Your collaborators must sign up for IBM Cloud and the Watson Studio Lite plan. Every user is the owner of their own IBM Cloud account.

  • If you have any Watson Knowledge Catalog plan, your catalog and restricted project collaborators must be members of your IBM Cloud account, or, if your company set up SAML federation on IBM Cloud, users in your company. You can create unrestricted projects in Watson Knowledge Catalog, but you will not be able to share assets between catalogs and unrestricted projects. To access the projects or catalogs, all collaborators must have activated IBM Watson apps.

  • If you have the Watson Studio Enterprise plan, the IBM Cloud account owner or administrator must add enterprise users to the IBM Cloud account.

For enterprise IBM Cloud accounts, IBM Cloud account owner can add users who don’t need administrative access. Non-administrative users need both these sets of minimum roles to use the IBM Watson and associated services:

  • To use services that use Cloud Foundry access control, give users the Auditor organization role and the Developer space role.
  • To use services that use Identity and Access (IAM) policies, give users the Editor platform access role and the Writer service access role.

The IBM Cloud account owner can optionally assign selected users the account administrator IAM role.

The IBM Cloud account owner and administrators control the IBM Cloud account, and only they have access to the Watson apps administration pages. They have these responsibilities for the IBM Watson apps:

  • Manage the IBM Watson apps plans and resources: for example, authorizing more capacity and users, or upgrading the plans.
  • Add users to an account so that they can use the apps.
  • Assign the Watson Knowledge Catalog app administrator role.
  • Manage IBM Cloud Object Storage and other services that are associated with Watson Studio.
  • Enable users who aren’t account administrators to create projects and catalogs.

Watson Knowledge Catalog app roles

The Watson Knowledge Catalog app has two roles:

  • Admin: These users can create or delete catalogs, projects, governance artifacts, and view the data dashboard.
  • Viewer: These users can create or delete projects, access the catalogs that they are members of, view policies, and view the business glossary.

By default, the IBM Cloud account owners and administrators have the Watson Knowledge Catalog app Admin role and can assign the Admin role to other users.

Catalog roles

Within a catalog, collaborators have these roles:

  • Admin: has full control in the catalog, assets, and collaborators.
  • Editor: can add and use assets.
  • Viewer: can view assets.

Watson Knowledge Catalog app Admins have the Admin role in the catalogs that they create. They can have any role as collaborators in catalogs that are created by other Watson Knowledge Catalog app Admins.

Watson Knowledge Catalog app Viewers can have any role as collaborators in catalogs.

See Catalog collaborator permissions.

Project roles

Within a project, collaborators have these roles:

  • Admin: has full control of the project, assets, and collaborators.
  • Editor: can add and use assets.
  • Viewer: can view assets.

Any user in the IBM Cloud account can create projects and can be collaborators with any role in projects created by other users.

See Project collaborator permissions.

Required IBM Cloud and Watson Knowledge Catalog roles by task

This table shows the required roles or membership to perform each task.

Task Required role or membership
Add users to the account IBM Cloud account owner or administrator
Assign the Watson Knowledge Catalog role IBM Cloud account owner or administrator
Manage IBM Watson plans and resources IBM Cloud account owner or administrator
Manage IBM Cloud Object Storage and other services IBM Cloud account owner or administrator
Create a catalog Watson Knowledge Catalog app Admin
Manage policies Watson Knowledge Catalog app Admin
Manage a business glossary Watson Knowledge Catalog app Admin
View the data dashboard Watson Knowledge Catalog app Admin
Join a catalog Member of the IBM Cloud account or user in the company through SAML federation
View policies Watson Knowledge Catalog app Admin or Viewer
View business glossary Watson Knowledge Catalog app Admin or Viewer
Create a project Member of the IBM Cloud account or user in the company through SAML federation
Join a restricted project Member of the IBM Cloud account or user in the company through SAML federation
Join an unrestricted project Any user with IBM Watson apps

Learn more