Cloud Pak for Data as a Service provides attribute-based access control to protect workspaces such as projects and catalogs. You control access to workspaces by assigning roles and by restricting collaborators.
| Mechanism | Purpose | Responsibility | Configured on |
|---|---|---|---|
| Project restriction | Restrict who can be a collaborator on projects | Customer | Cloud Pak for Data as a Service |
| Collaborator roles | Assign roles to control access to workspaces | Customer | Cloud Pak for Data as a Service |
Project restriction
When a project is created, you can restrict collaborators to people who are internal to your organization. Eligible collaborators must be members of your IBM Cloud account, or, if your company has SAML federation set up in IBM Cloud, employees of your company. This setting is permanent. See Creating a project.
Collaborator roles
Everyone working in Cloud Pak for Data as a Service is assigned a role that determines the workspaces that they can access and the tasks that they can perform. Collaborator roles control access to projects, deployment spaces, catalogs, and categories using permissions specific to the role. Roles are assigned in Cloud Pak for Data as a Service to provide Admin, Editor, or Viewer permissions. Categories have additional Owner and Reviewer roles with slightly different permissions than Admin, Editor, and Viewer.
Users also have an IAM Platform access role for the Cloud account, and they may also have an IAM Service access role for workspaces. To understand how the roles provide secure access, see Roles in Cloud Pak for Data as a Service.
To understand the permissions for each collaborator role, see Project collaborator roles.