Assigning roles and permissions

A cloud subscription includes environments for developing, testing, and running automation applications. If you have the Account Administrator role, you specify which environments a user can access and the role, if any, the user has in each environment.

About this task

Each subscription provides the tools users need to accomplish their tasks, such as developing business processes and applications. Depending on how your subscription was set up, users can be automatically assigned to one or more environments when you invite them to the subscription. However, you can assign them the permissions and roles that they need at any time. If you'd like to take advantage of automatic assignment, submit a request through the IBM® Support External link opens a new window or tab site.

For information about the roles you can assign, see User roles.

Procedure

  1. Log in to the cloud subscription.
  2. Navigate to the Access management view.
    • Click All environments > Administer subscription > Access management.
    • Click Admin > Access Management.
  3. Open the Users page and assign or remove access to environments for each user ID.
    For example, to author processes and process applications using Process Designer, users must have access to the development environment.

     Content:  When you grant a user access to an environment, you also grant the user access to the object store in that environment

  4. Assign users to or remove them from roles by clicking the Edit roles action.
    The user is added to or removed from the corresponding group in the user registry in the cloud platform. For example, to enable users to author process applications in Process Designer, give them access to the development environment and assign them the Process App Creators role. If you also assign the users the Process Administrators role, they can manage workflow user groups too. Your changes are automatically saved as you make them.
  5. Optional: Assign a user, or users, to the cloud operations roles.

What to do next

Remove users
You can remove users who no longer need to access the cloud subscription. Remove a user by clicking the Remove user action for the corresponding user. By default the user's personal data is removed from the user registry in the cloud platform and all user repositories in the workflow server environments the user has access to. However, you can choose to keep the user's personal data, for example, if you need to reactivate the user later.
Important: The Process App Creators and Process Administrators roles are administrative security roles specific to Business Automation Workflow on Cloud. If you add groups to these roles by using the Process Admin Console and then delete a user from one of the roles by using the Edit roles in the Users window, the user might still appear in the role if the user is still a member of one of the role's nested groups. To completely remove the user from a role, you must delete the user from the group definition of the nested group too.