Roles in Watson

Every user of Watson services has multiple roles. Each user has a role for the IBM Cloud account, can have a different role for each project and catalog, and can have a role for the Watson Knowledge Catalog service.

This illustration shows the different roles, which subordinate roles they can be assigned to, and a summary of the permissions for each role. The Watson Knowledge Catalog service roles have no effect on Watson Studio usage. Roles for Watson services

IBM Cloud account roles

The IBM Cloud roles you need depend on the service and the type of plan you have:

  • If you have the Watson Studio Lite plan and don’t plan to use the Watson Knowledge Catalog service, you can create unrestricted projects and invite any user as a collaborator. Your collaborators must sign up for IBM Cloud and the Watson Studio Lite plan. Every user is the owner of their own IBM Cloud account.

  • If you have any Watson Knowledge Catalog plan, your catalog and restricted project collaborators must be members of your IBM Cloud account, or, if your company set up SAML federation on IBM Cloud, users in your company. You can create unrestricted projects in Watson Knowledge Catalog, but you will not be able to share assets between catalogs and unrestricted projects. To access the projects or catalogs, all collaborators must have activated Watson services.

  • If you have the Watson Studio Enterprise plan, the IBM Cloud account owner or administrator must add enterprise users to the IBM Cloud account.

For enterprise IBM Cloud accounts, IBM Cloud account owner can add users who don’t need administrative access. Non-administrative users need both these sets of minimum roles to use the Watson and associated services:

  • To use services that use Cloud Foundry access control, give users the Auditor organization role and the Developer space role.
  • To use services that use Identity and Access (IAM) policies, give users the Editor platform access role and the Writer service access role.

The IBM Cloud account owner can optionally assign selected users the account administrator IAM role.

The IBM Cloud account owner and administrators control the IBM Cloud account, and only they have access to the Watson services administration pages. They have these responsibilities for the Watson services:

  • Manage the Watson services plans and resources: for example, authorizing more capacity and users, or upgrading the plans.
  • Add users to an account so that they can use the services.
  • Assign the Watson Knowledge Catalog service administrator role.
  • Manage IBM Cloud Object Storage and other services that are associated with Watson Studio.
  • Enable users who aren’t account administrators to create projects and catalogs.

Watson Knowledge Catalog service roles

The Watson Knowledge Catalog service has two roles:

  • Admin: These users can create or delete catalogs, projects, governance artifacts, and view the data dashboard.
  • Viewer: These users can create or delete projects, access the catalogs that they are members of, view policies, and view the business glossary.

By default, the IBM Cloud account owners and administrators have the Watson Knowledge Catalog service Admin role and can assign the Admin role to other users.

Catalog roles

Within a catalog, collaborators have these roles:

  • Admin: has full control in the catalog, assets, and collaborators.
  • Editor: can add and use assets.
  • Viewer: can view assets.

Watson Knowledge Catalog service Admins have the Admin role in the catalogs that they create. They can have any role as collaborators in catalogs that are created by other Watson Knowledge Catalog service Admins.

Watson Knowledge Catalog service Viewers can have any role as collaborators in catalogs.

See Catalog collaborator permissions.

Project roles

Within a project, collaborators have these roles:

  • Admin: has full control of the project, assets, and collaborators.
  • Editor: can add and use assets.
  • Viewer: can view assets.

Any user in the IBM Cloud account can create projects and can be collaborators with any role in projects created by other users.

See Project collaborator permissions.

Required IBM Cloud and Watson Knowledge Catalog roles by task

This table shows the required roles or membership to perform each task.

Task Required role or membership
Add users to the account IBM Cloud account owner or administrator
Assign the Watson Knowledge Catalog role IBM Cloud account owner or administrator
Manage Watson plans and resources IBM Cloud account owner or administrator
Manage IBM Cloud Object Storage and other services IBM Cloud account owner or administrator
Create a catalog Watson Knowledge Catalog service Admin
Manage policies Watson Knowledge Catalog service Admin
Manage a business glossary Watson Knowledge Catalog service Admin
View the data dashboard Watson Knowledge Catalog service Admin
Join a catalog Member of the IBM Cloud account or user in the company through SAML federation
View policies Watson Knowledge Catalog service Admin or Viewer
View business glossary Watson Knowledge Catalog service Admin or Viewer
Create a project Member of the IBM Cloud account or user in the company through SAML federation
Join a restricted project Member of the IBM Cloud account or user in the company through SAML federation
Join an unrestricted project Any user with Watson services

Learn more