Roles in Cloud Pak for Data as a Service
Every user of Cloud Pak for Data as a Service has multiple levels of roles. The Identity and Access Management (IAM) platform access roles and service access roles are set by the IBM Cloud account owner or administrator on the IBM Cloud account. Collaborator roles for workspaces, such as projects, deployment spaces, catalogs, categories, and virtual views, are set in each workspace by workspace administrators.
Rather than assigning each individual user a set of roles, you can create access groups. Access groups contain roles that you want to assign to a group of users. Members of access groups have the same permissions. Access groups expedite role assignments by organizing permissions for multiple users. See Working with access groups.
This illustration shows the different types of roles that each user can have.
- IAM platform access roles determine your permissions in the IBM Cloud account. At least the Viewer role is required to work with services.
- IAM service access roles determine your permissions within services, such as for workspace access for Cloud Pak for Data as a Service.
- Collaborator roles for workspaces determine what actions you have permission to perform within a specific workspace. Examples of workspaces are projects, deployment spaces, catalogs, categories and virtual views.
IAM platform access roles
The IAM platform access roles are assigned and managed on the IBM Cloud account. At least the Viewer role is required to see the list of services for the account. If you have the IAM platform access role of Owner or Administrator, you control the IBM Cloud account. The Owner role is automatically assigned to the creator of the account. The Owner or Administrator has these responsibilities for Cloud Pak for Data as a Service:
- Manage services for Cloud Pak for Data as a Service
- Add users to the IBM Cloud account and give them access to Cloud Pak for Data as a Service
- Create custom IAM service access roles. See User roles and permissions.
If you have the IAM platform access role of at least Viewer, your permissions within Cloud Pak for Data as a Service depend on your Cloud Pak for Data as a Service service access roles (Manager, Reporting Administrator, CloudPak Data Steward, CloudPak Data Engineer, or CloudPak Data Scientist).
To understand IAM platform access roles, see IBM Cloud docs: What is IBM Cloud Identity and Access Management?.
IAM service access roles
The predefined IAM service access roles for Cloud Pak for Data as a Service determine the types of workspaces that you can access or manage and whether you can perform various other actions.
For workspaces, the IAM service access roles provide these main permissions:
- Access permission: You can be added as a collaborator to that type of workspace.
- Manage permission: You can create, delete, and manage the collaborators and other contents of that type of workspace.
The service access roles depend on which option the account owner or administrator selects from the services list:
- IBM Cloud Pak for Data provides the Service access roles of Manager, Reporting Administrator, CloudPak Data Steward, CloudPak Data Engineer, and CloudPak Data Scientist.
- All Identity and Access enabled services provides the Service access roles of Manager, Writer, and Reader.
Following is a comparison of the IBM Cloud Pak for Data and All Identity and Access enabled services roles:
- The Manager role is the same for both options.
- The Writer and CloudPak Data Scientist roles are equivalent.
Cloud Pak for Data as a Service includes the following types of workspaces:
- Categories for organizing governance artifacts.
- Catalogs for sharing assets across your organization.
- Projects for working with data.
- Deployment spaces for deploying assets.
- Virtual views for creating virtual tables from multiple data sources. Watson Query has four dedicated user roles related to virtual views. For more information, see Managing roles for users in Watson Query.
The following table shows the permissions for IAM Service access roles for Cloud Pak for Data as a Service for most types of workspaces:
| CloudPak Data Steward | Access | Access | Manage | Manage |
| CloudPak Data Engineer | Access | Access | Manage | Manage |
| CloudPak Data Scientist | None | Access | Manage | Manage |
For a full list of permissions and associated actions for these roles, see User roles and permissions.
The following table shows the permissions for IAM Service access roles for All Identity and Access enabled services for most types of workspaces:
Collaborator roles within workspaces
Your role in a specific workspace determines what actions you can perform in that workspace. Your IAM roles do not affect your role within a workspace. For example, you can be the Administrator of the Cloud account, but this does not automatically make you an Admin for a specific project. The Admin collaborator role for a project (or other workspace) must be explicitly assigned. Similarly, roles are specific to each project. You may have the Admin role in one project, which gives you full control of the contents of that project, including managing collaborators and assets, and the Viewer role in another project, which allows you only to view the contents of that project.
Most workspaces have these roles:
- Admin: Control assets, collaborators, and settings in the workspace.
- Editor: Control assets in the workspace.
- Viewer: View the workspace and its contents.
Categories also have the Owner and Reviewer roles that have slightly different permissions than Admin and Viewer. Watson Query has its own set of workspace roles.
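The role layers described above, modeled for an access review. This is an added example, not IBM code or an IBM API: the action names and sample users are constructed, and the column order of the service-role table (categories, catalogs, projects, deployment spaces) is assumed to follow the workspace list on this page. Flagging a collaborator whose service role gives no access to that workspace type is this example's reading of the Access permission, not documented product behavior.

```python
# Added example (not IBM code): the page's role layers as a small access-review model.
# Assumed: table columns follow the page's workspace list; action names are hypothetical.
TYPES = ("category", "catalog", "project", "deployment_space")
SERVICE_PERMS = {  # the three rows shown in the table on this page
    "CloudPak Data Steward": dict(zip(TYPES, ("Access", "Access", "Manage", "Manage"))),
    "CloudPak Data Engineer": dict(zip(TYPES, ("Access", "Access", "Manage", "Manage"))),
    "CloudPak Data Scientist": dict(zip(TYPES, ("None", "Access", "Manage", "Manage"))),
}
COLLAB_ACTIONS = {  # from the Admin / Editor / Viewer descriptions
    "Admin": {"view", "edit_assets", "manage_collaborators", "change_settings"},
    "Editor": {"view", "edit_assets"},
    "Viewer": {"view"},
}

def service_perm(user, ws_type):
    """Access, Manage or None that the user's service role gives for a workspace type."""
    return SERVICE_PERMS.get(user.get("service_role"), {}).get(ws_type, "None")

def can_be_added(user, ws_type):
    """IAM layers: a platform role (Viewer minimum) plus Access or Manage for the type."""
    return bool(user.get("platform_role")) and service_perm(user, ws_type) != "None"

def can_act(user, workspace, action):
    """Workspace layer: only the explicitly assigned collaborator role decides."""
    role = workspace["collaborators"].get(user["name"])
    return role is not None and action in COLLAB_ACTIONS[role]

def review(users, workspace):
    """Names of collaborators whose IAM roles do not allow membership of this type."""
    by_name = {u["name"]: u for u in users}
    return sorted(n for n in workspace["collaborators"]
                  if n not in by_name or not can_be_added(by_name[n], workspace["type"]))

# Constructed sample data
USERS = [
    {"name": "alice", "platform_role": "Administrator", "service_role": "CloudPak Data Engineer"},
    {"name": "bob", "platform_role": "Viewer", "service_role": "CloudPak Data Scientist"},
    {"name": "carol", "platform_role": None, "service_role": "CloudPak Data Steward"},
]
PROJECT = {"type": "project", "collaborators": {"bob": "Editor", "carol": "Viewer"}}
CATEGORY = {"type": "category", "collaborators": {"bob": "Viewer"}}

if __name__ == "__main__":
    print(can_act(USERS[0], PROJECT, "view"))  # account Administrator, not a collaborator
    print(review(USERS, PROJECT), review(USERS, CATEGORY))
```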
The permissions that are associated with each role are specific to the type of workspace:
- Category collaborator permissions
- Catalog collaborator permissions
- Project collaborator permissions
- Deployment space collaborator permissions
- Watson Query permissions
- IBM Cloud docs: What is IBM Cloud Identity and Access Management?
- IBM Cloud docs: IAM access
- IBM Cloud docs: Setting up access groups
- Setting up Cloud Pak for Data as a Service for your organization
- Manage Cloud Pak for Data as a Service and core services
- Find your IBM Cloud account owner or administrator
- Determine your roles
- Managing roles for users in Watson Query