Roles
IBM webMethods Hybrid Integration provides different roles to control who can access your environments and what permissions they have there.
- Accounts level
- Accounts-level roles are associated with a specific account in the IBM SaaS Console and provide permissions that relate to all subscriptions and service instances (environments) in that account.
- Subscriptions level
- Subscriptions-level roles are associated with a specific subscription to webMethods Hybrid Integration and provide permissions that relate to all service instances (environments) in that subscription.
- Services level
- Services-level roles are associated with a specific service instance (environment) in a specific webMethods Hybrid Integration subscription and provide permissions that relate to that environment.
When capabilities are added to an environment in webMethods Hybrid Integration, each tile in My capabilities on the home page displays your associated role. If you have multiple roles, select the + indicator to view the full list. For more information, see Adding and managing capabilities.
For information about how to manage user access to webMethods Hybrid Integration, see Administering access.
Full details of all roles are listed in the following tables.
Accounts-level roles
| Role | Role description and permissions |
|---|---|
| Account owner | The Account owner role is automatically assigned to the user who creates the account in the
IBM SaaS Console. This role provides the following permissions:
|
| Account admin | The Account admin role provides permissions to create, update, and delete users, groups, and roles at the account level. |
| Account viewer | The Account viewer role provides read-only access to the account, subscription, and service instance (environment) details in the IBM SaaS Console. |
Subscriptions-level roles
| Role | Role description and permissions |
|---|---|
| Subscription owner | The Subscription owner role is automatically assigned to the user who creates the
subscription in the IBM SaaS Console. This role provides permissions to create, update, and delete operations for users, groups, and roles at the subscription level and for all service instances (environments) in the subscription. |
| Subscription admin | The Subscription admin role provides permissions to create, update, and delete operations for users, groups, and roles at the subscription level and for all service instances (environments) in the subscription. |
| Subscription viewer | The Subscription view role provides read-only access to the subscription and service instances (environments). |
| iPaaS admin |
The iPaaS admin role provides permissions for all actions on all assets in all capabilities across all service instances (environments) in the subscription. This role includes the permission to add and remove capabilities, which consumes resource units in your subscription. This role has no permissions at the API level. Restriction: Some capabilities do not support the iPaaS admin role. To enable admin
actions across all capabilities for a user, add the Service admin role to that user in each
environment.
|
| Usage analytics user | The Usage analytics user role provides permissions to view the usage analytics dashboard in all service instances (environments) in the subscription. |
| E2E monitoring admin | The E2E monitoring admin role provides permissions for all actions in end-to-end monitoring in all service instances (environments) in the subscription. |
| E2E monitoring user | The E2E monitoring user role provides permissions for nonadministrative actions in end-to-end monitoring in all service instances (environments) in the subscription. |
| Fed API admin | The Fed API admin role provides permissions for all actions on all assets within federated API management. This role is responsible for deploying and maintaining federated API management across all service instances (environments) in the subscription. |
| Fed API platform provider | The Fed API platform provider role oversees the runtime registration, monitoring, and overall
management of data planes, runtimes, and their associated APIs, across all service instances
(environments) in the subscription. This role also monitors key performance indicators (KPIs). |
| Fed API product manager |
The Fed API product manager role oversees the following actions across regions and across all
service instances (environments) in the subscription.
This role also monitors key performance indicators (KPIs). |
Services-level roles
| Role | Role description and permissions |
|---|---|
| Service owner | The Service owner role is automatically assigned to the user who creates the service instance
(environment) in the IBM SaaS Console. This role provide permissions for all actions on all assets in all capabilities in the service instance. This role includes the permission to add and remove capabilities, which consumes resource units in your subscription. This role also provides admin privileges for APIs at the service level. |
| Service admin |
The Service admin role provides permissions for all actions on all assets in all capabilities in the service instance (environment). This role includes the permission to add and remove capabilities, which consumes resource units in your subscription. This role also provides admin privileges for APIs at the service level. |
| Service user | The Service user role provides permissions for nonadministrative actions on all assets in all capabilities in the service instance (environment). |
| API management admin | The API management admin role provides permissions for all actions on all assets within the
API Connect, webMethods API Gateway, and webMethods Developer Portal capabilities in a service instance (environment). This role maps to the Administrator role in webMethods Developer Portal. |
| API management user | The API management user role provides permissions for nonadministrative actions on all assets
within the API Connect and webMethods API Gateway capabilities in a service instance (environment). This role maps to the Provider role in webMethods Developer Portal. Providers can manage assets such as APIs, packages, applications, and communities, and view API economy and usage dashboards. Providers can also view other providers, partners, and consumers. |
| API management viewer | The API management viewer role provides read-only access to all resources within the API Connect and webMethods API Gateway
capabilities in a service instance (environment). This role doesn't map to any role in webMethods Developer Portal and users cannot access the capability. |
| API management partner | The API management partner role provides access for partner organizations to a webMethods Developer Portal capability in a service instance (environment). This role
provides the following permissions.
|
| App Connect admin | The App Connect admin role provides permissions for all actions on all assets within an App Connect capability in a service instance (environment). This role also has access to instance-level settings. |
| App Connect user | The App Connect user role provides permissions for nonadministrative actions on all assets within an App Connect capability in a service instance (environment). |
| App Connect viewer | The App Connect viewer role provides read-only access to all resources within an App Connect capability in a service instance (environment). |
| B2B admin | The B2B admin role provides permissions for all actions on all assets within a webMethods B2B Integration capability in a service instance (environment). |
| B2B user | The B2B user role provides permissions for nonadministrative actions on all assets within a webMethods B2B Integration capability in a service instance (environment). |
| B2B viewer | The B2B viewer role provides read-only access to all resources within a webMethods B2B Integration capability. This role also provides read-only access to shared applications within B2B workspace in a service instance (environment). |
| B2B workspace user | The B2B workspace user role provides read-only access to the applications shared within B2B workspace in a service instance (environment). |
| Events admin | The Events admin role provides permissions to view and manage Event Gateways and organization-level CA certificates for mTLS controls within an Event Endpoint Management capability in a service instance (environment). |
| Events user | The Events user role provides permissions to create and share their own resources in the Event Endpoint Management UI in a service instance (environment), and read-only access to shared resources. |
| Events viewer | The Events viewer role provides read-only access to the Event Endpoint Management UI and shared resources in a service instance (environment). |
| GraphQL admin | The GraphQL admin role provides permissions for all actions on all assets within an API Connect for GraphQL capability in a service instance (environment). |
| GraphQL user | The GraphQL user role provides permissions for nonadministrative actions on all assets within an API Connect for GraphQL capability in a service instance (environment). |
| Integration admin | The Integration admin role provides permissions for all actions on all assets within a webMethods Integration capability in a service instance (environment). |
| Integration user | The Integration user role provides permissions for nonadministrative actions on all assets within a webMethods Integration capability in a service instance (environment). |
| MFT admin | The MFT admin role provides permissions for all actions on all assets within a webMethods Managed File Transfer capability in a service instance (environment). |
| MFT user | The MFT user role provides permissions for nonadministrative actions on all assets within a webMethods Managed File Transfer capability in a service instance (environment). |