Roles

IBM webMethods Hybrid Integration provides different roles to control who can access your environments and what permissions they have there.

Note: The IBM SaaS Console refers to environments as service instances.
Add users and assign roles to those users in the IBM SaaS Console, or by using the Invite users wizard from the Key tasks section on the webMethods Hybrid Integration home page. When you add users, depending on your permissions, you grant access by assigning roles for Accounts, Subscriptions, or Services level resources.
Accounts level
Accounts-level roles are associated with a specific account in the IBM SaaS Console and provide permissions that relate to all subscriptions and service instances (environments) in that account.
Subscriptions level
Subscriptions-level roles are associated with a specific subscription to webMethods Hybrid Integration and provide permissions that relate to all service instances (environments) in that subscription.
Services level
Services-level roles are associated with a specific service instance (environment) in a specific webMethods Hybrid Integration subscription and provide permissions that relate to that environment.

When capabilities are added to an environment in webMethods Hybrid Integration, each tile in My capabilities on the home page displays your associated role. If you have multiple roles, select the + indicator to view the full list. For more information, see Adding and managing capabilities.

For information about how to manage user access to webMethods Hybrid Integration, see Administering access.

Full details of all roles are listed in the following tables.

Accounts-level roles

The following table contains the roles and permissions at the IBM SaaS Console account level.
Table 1. IBM SaaS Console account scope roles
Role Role description and permissions
Account owner The Account owner role is automatically assigned to the user who creates the account in the IBM SaaS Console.
This role provides the following permissions:
  • Create, update, and delete users, groups, and roles at the account level
  • Administer the identity providers for the account.
Account admin The Account admin role provides permissions to create, update, and delete users, groups, and roles at the account level.
Account viewer The Account viewer role provides read-only access to the account, subscription, and service instance (environment) details in the IBM SaaS Console.

Subscriptions-level roles

The following table contains the roles and permissions at the webMethods Hybrid Integration subscription level.
Table 2. webMethods Hybrid Integration subscription scope roles
Role Role description and permissions
Subscription owner The Subscription owner role is automatically assigned to the user who creates the subscription in the IBM SaaS Console.

This role provides permissions to create, update, and delete operations for users, groups, and roles at the subscription level and for all service instances (environments) in the subscription.

Subscription admin The Subscription admin role provides permissions to create, update, and delete operations for users, groups, and roles at the subscription level and for all service instances (environments) in the subscription.
Subscription viewer The Subscription view role provides read-only access to the subscription and service instances (environments).
iPaaS admin

The iPaaS admin role provides permissions for all actions on all assets in all capabilities across all service instances (environments) in the subscription.

This role includes the permission to add and remove capabilities, which consumes resource units in your subscription.

This role has no permissions at the API level.

Restriction: Some capabilities do not support the iPaaS admin role. To enable admin actions across all capabilities for a user, add the Service admin role to that user in each environment.
Usage analytics user The Usage analytics user role provides permissions to view the usage analytics dashboard in all service instances (environments) in the subscription.
E2E monitoring admin The E2E monitoring admin role provides permissions for all actions in end-to-end monitoring in all service instances (environments) in the subscription.
E2E monitoring user The E2E monitoring user role provides permissions for nonadministrative actions in end-to-end monitoring in all service instances (environments) in the subscription.
Fed API admin The Fed API admin role provides permissions for all actions on all assets within federated API management. This role is responsible for deploying and maintaining federated API management across all service instances (environments) in the subscription.
Fed API platform provider The Fed API platform provider role oversees the runtime registration, monitoring, and overall management of data planes, runtimes, and their associated APIs, across all service instances (environments) in the subscription.

This role also monitors key performance indicators (KPIs).

Fed API product manager
The Fed API product manager role oversees the following actions across regions and across all service instances (environments) in the subscription.
  • Deployment of APIs
  • Management of the API lifecycle
  • Monitoring of API status and API performance

This role also monitors key performance indicators (KPIs).

Services-level roles

The following table contains the roles and permissions at the webMethods Hybrid Integration service instance (environment) level.
Table 3. webMethods Hybrid Integration capability scope roles
Role Role description and permissions
Service owner The Service owner role is automatically assigned to the user who creates the service instance (environment) in the IBM SaaS Console.

This role provide permissions for all actions on all assets in all capabilities in the service instance.

This role includes the permission to add and remove capabilities, which consumes resource units in your subscription.

This role also provides admin privileges for APIs at the service level.

Service admin

The Service admin role provides permissions for all actions on all assets in all capabilities in the service instance (environment).

This role includes the permission to add and remove capabilities, which consumes resource units in your subscription.

This role also provides admin privileges for APIs at the service level.

Service user The Service user role provides permissions for nonadministrative actions on all assets in all capabilities in the service instance (environment).
API management admin The API management admin role provides permissions for all actions on all assets within the API Connect, webMethods API Gateway, and webMethods Developer Portal capabilities in a service instance (environment).

This role maps to the Administrator role in webMethods Developer Portal.

API management user The API management user role provides permissions for nonadministrative actions on all assets within the API Connect and webMethods API Gateway capabilities in a service instance (environment).

This role maps to the Provider role in webMethods Developer Portal. Providers can manage assets such as APIs, packages, applications, and communities, and view API economy and usage dashboards. Providers can also view other providers, partners, and consumers.

API management viewer The API management viewer role provides read-only access to all resources within the API Connect and webMethods API Gateway capabilities in a service instance (environment).

This role doesn't map to any role in webMethods Developer Portal and users cannot access the capability.

API management partner The API management partner role provides access for partner organizations to a webMethods Developer Portal capability in a service instance (environment). This role provides the following permissions.
  • Manage APIs and communities
  • Publish APIs to private communities, and assign owners to APIs
  • View other partners and consumers
App Connect admin The App Connect admin role provides permissions for all actions on all assets within an App Connect capability in a service instance (environment).

This role also has access to instance-level settings.

App Connect user The App Connect user role provides permissions for nonadministrative actions on all assets within an App Connect capability in a service instance (environment).
App Connect viewer The App Connect viewer role provides read-only access to all resources within an App Connect capability in a service instance (environment).
B2B admin The B2B admin role provides permissions for all actions on all assets within a webMethods B2B Integration capability in a service instance (environment).
B2B user The B2B user role provides permissions for nonadministrative actions on all assets within a webMethods B2B Integration capability in a service instance (environment).
B2B viewer The B2B viewer role provides read-only access to all resources within a webMethods B2B Integration capability. This role also provides read-only access to shared applications within B2B workspace in a service instance (environment).
B2B workspace user The B2B workspace user role provides read-only access to the applications shared within B2B workspace in a service instance (environment).
Events admin The Events admin role provides permissions to view and manage Event Gateways and organization-level CA certificates for mTLS controls within an Event Endpoint Management capability in a service instance (environment).
Events user The Events user role provides permissions to create and share their own resources in the Event Endpoint Management UI in a service instance (environment), and read-only access to shared resources.
Events viewer The Events viewer role provides read-only access to the Event Endpoint Management UI and shared resources in a service instance (environment).
GraphQL admin The GraphQL admin role provides permissions for all actions on all assets within an API Connect for GraphQL capability in a service instance (environment).
GraphQL user The GraphQL user role provides permissions for nonadministrative actions on all assets within an API Connect for GraphQL capability in a service instance (environment).
Integration admin The Integration admin role provides permissions for all actions on all assets within a webMethods Integration capability in a service instance (environment).
Integration user The Integration user role provides permissions for nonadministrative actions on all assets within a webMethods Integration capability in a service instance (environment).
MFT admin The MFT admin role provides permissions for all actions on all assets within a webMethods Managed File Transfer capability in a service instance (environment).
MFT user The MFT user role provides permissions for nonadministrative actions on all assets within a webMethods Managed File Transfer capability in a service instance (environment).