Roles in Cloud Pak for Data as a Service

Every user of Cloud Pak for Data as a Service has multiple levels of roles. The Identity and Access Management (IAM) platform access roles and service access roles are set by the IBM Cloud account owner or administrator on the IBM Cloud account. Collaborator roles for workspaces, such as projects, deployment spaces, catalogs, categories, and virtual views, are set in each workspace by workspace administrators.

Rather than assigning each individual user a set of roles, you can create access groups. Access groups contain roles that you want to assign to a group of users. Members of access groups have the same permissions. Access groups expedite role assignments by organizing permissions for multiple users. See Working with access groups.

This illustration shows the different types of roles that each user can have.

Each user can have IAM platform access roles, IAM service access roles, and collaborator roles.

  • IAM platform access roles determine your permissions in the IBM Cloud account. At least the Viewer role is required to work with services.
  • IAM service access roles determine your permissions within services, such as for workspace access for Cloud Pak for Data as a Service.
  • Collaborator roles for workspaces determine what actions you have permission to perform within a specific workspace. Examples of workspaces are projects, deployment spaces, catalogs, categories and virtual views.

IAM platform access roles

The IAM platform access roles are assigned and managed on the IBM Cloud account. At least the Viewer role is required to see the list of services for the account. If you have the IAM platform access role of Owner or Administrator, you control the IBM Cloud account. The Owner role is automatically assigned to the creator of the account. The Owner or Administrator has these responsibilities for Cloud Pak for Data as a Service:

If you have the IAM platform access role of at least Viewer, your permissions within Cloud Pak for Data as a Service depend on your Cloud Pak for Data as a Service service access roles (Manager, Reporting Administrator, CloudPak Data Steward, CloudPak Data Engineer, or CloudPak Data Scientist).

To understand IAM platform access roles, see IBM Cloud docs: What is IBM Cloud Identity and Access Management?.

IAM Service access roles

The predefined IAM service access roles for Cloud Pak for Data as a Service determine the types of workspaces that you can access or manage and whether you can perform various other actions.

For workspaces, the IAM service access roles provide these main permissions:

  • Access permission: You can be added as a collaborator to that type of workspace.
  • Manage permission: You can create, delete, and manage the collaborators and other contents of that type of workspace.

The service access roles depend on which option the account owner or administrator selects from the services list:

  • IBM Cloud Pak for Data provides the Service access roles of Manager, Reporting Administrator, CloudPak Data Steward, CloudPak Data Engineer, and CloudPak Data Scientist.
  • All Identity and Access enabled services provides the Service access roles of Manager, Writer, and Reader.

Following is a comparison of the IBM Cloud Pak for Data and All Identity and Access enabled services roles:

  • The Manager role is the same for both options.
  • The Writer and CloudPak Data Scientist roles are equivalent.

Cloud Pak for Data as a Service includes the following types of workspaces:

The following table shows the permissions for IAM Service access roles for Cloud Pak for Data as a Service for most types of workspaces:

IAM service access roles for Cloud Pak for Data as a Service
| Role | Categories | Catalogs | Projects | Deployment spaces |
|---|---|---|---|---|
| Manager | Manage | Manage | Manage | Manage |
| CloudPak Data Steward | Access | Access | Manage | Manage |
| CloudPak Data Engineer | Access | Access | Manage | Manage |
| CloudPak Data Scientist | None | Access | Manage | Manage |
| Reporting Administrator | None | Access | Manage | Manage |
| Viewer | None | View | View | View |

For a full list of permissions and associated actions for these roles, see User roles and permissions.
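
The table above can be used to audit service-role assignments for least privilege. The following is an added example, not IBM code: it picks the role with the smallest workspace grant that still covers what a user needs and flags broader assignments. It assumes the permission levels are ordered None < View < Access < Manage, models only the workspace permissions in the table (not the other actions a role may allow), and uses constructed user names and needs.

```python
# Added example (not IBM code): least-privilege audit over the page's table.
# Assumption: permission levels are ordered None < View < Access < Manage.
LEVEL = {"None": 0, "View": 1, "Access": 2, "Manage": 3}
TYPES = ("categories", "catalogs", "projects", "deployment spaces")

# Rows copied from the "IBM Cloud Pak for Data" service-role table on this page.
ROLES = {
    "Manager":                 ("Manage", "Manage", "Manage", "Manage"),
    "CloudPak Data Steward":   ("Access", "Access", "Manage", "Manage"),
    "CloudPak Data Engineer":  ("Access", "Access", "Manage", "Manage"),
    "CloudPak Data Scientist": ("None", "Access", "Manage", "Manage"),
    "Reporting Administrator": ("None", "Access", "Manage", "Manage"),
    "Viewer":                  ("None", "View", "View", "View"),
}

def total(role):
    """Total workspace grant of a role, used to compare breadth."""
    return sum(LEVEL[p] for p in ROLES[role])

def satisfies(role, needs):
    """True if the role grants at least the needed level on every type."""
    have = dict(zip(TYPES, ROLES[role]))
    return all(LEVEL[have[t]] >= LEVEL[p] for t, p in needs.items())

def least_privileged_roles(needs):
    """Roles that cover every need with the smallest total grant."""
    ok = [r for r in ROLES if satisfies(r, needs)]
    best = min((total(r) for r in ok), default=None)
    return sorted(r for r in ok if total(r) == best)

def audit(assigned, needs_by_user):
    """Return {user: (assigned_role, narrower_roles)} for broad assignments."""
    findings = {}
    for user, role in assigned.items():
        minimal = least_privileged_roles(needs_by_user[user])
        if minimal and total(role) > total(minimal[0]):
            findings[user] = (role, minimal)
    return findings

# Constructed sample data: hypothetical users and the access they need.
ASSIGNED = {"ana": "Manager", "raj": "CloudPak Data Scientist", "li": "Manager"}
NEEDS = {"ana": {"projects": "Manage", "catalogs": "Access"},
         "raj": {"projects": "Manage"},
         "li": {"categories": "Manage"}}

if __name__ == "__main__":
    for user, (role, better) in audit(ASSIGNED, NEEDS).items():
        print(f"{user}: {role} is broader than needed; consider {better}")
```

Roles with identical rows in the table are returned together, so the choice between them rests on the permissions listed in User roles and permissions.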

The following table shows the permissions for IAM Service access roles for All Identity and Access enabled services for most types of workspaces:

IAM service access roles for All Identity and Access enabled services
| Role | Categories | Catalogs | Projects | Deployment spaces |
|---|---|---|---|---|
| Manager | Manage | Manage | Manage | Manage |
| Writer | None | Access | Manage | Manage |
| Reader | None | View | View | View |

Collaborator roles within workspaces

Your role in a specific workspace determines what actions you can perform in that workspace. Your IAM roles do not affect your role within a workspace. For example, you can be the Administrator of the Cloud account, but this does not automatically make you an Admin for a specific project. The Admin collaborator role for a project (or other workspace) must be explicitly assigned. Similarly, roles are specific to each project. You might have the Admin role in one project, which gives you full control of the contents of that project, including managing collaborators and assets, and the Viewer role in another project, which allows you only to view the contents of that project.

Most workspaces have these roles:

  • Admin: Control assets, collaborators, and settings in the workspace.
  • Editor: Control assets in the workspace.
  • Viewer: View the workspace and its contents.

Categories also have the Owner and Reviewer roles that have slightly different permissions than Admin and Viewer. Watson Query has its own set of workspace roles.

The permissions that are associated with each role are specific to the type of workspace:
