Predefined roles and permissions in Cloud Pak for Data

The permissions and predefined roles that are available depend on the services that are installed on top of Cloud Pak for Data. When you add a user or group, you must specify the role that they have.

Predefined roles

A role defines the permissions that a user or group has.

A user or group can have multiple roles. Additionally, a user can have roles that are directly assigned to them and roles that they inherit from groups.

You can edit the default roles or create new roles if the default set of permissions in a role doesn't align with your business needs. For more information, see Managing roles in Cloud Pak for Data.

The roles that are available depend on the services that are installed on top of Cloud Pak for Data:

Administrator
The role is created by the Cloud Pak for Data control plane.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission (category): services that contribute the permission
  • Access governance artifacts (Governance artifacts): Watson™ Knowledge Catalog
  • Add vaults (Vaults): Cloud Pak for Data control plane
  • Administer platform (Platform administration): Cloud Pak for Data control plane
  • Create deployment spaces (Deployments): DataStage®, Watson Knowledge Catalog, Watson Studio
  • Create projects (Projects): DataStage, Watson Knowledge Catalog, Watson Studio
  • Create service instances (Service instances): Cloud Pak for Data control plane
  • Manage asset discovery (Data curation): Watson Knowledge Catalog
  • Manage catalogs (Catalogs): DataStage, Watson Knowledge Catalog, Watson Studio
  • Manage data protection rules (Governance artifacts): Watson Knowledge Catalog
  • Manage governance categories (Governance artifacts): Watson Knowledge Catalog
  • Manage service instances (Service instances): Cloud Pak for Data control plane
  • Manage workflows (Workflows): Watson Knowledge Catalog

Business Analyst
The role is created by DataStage, Watson Knowledge Catalog, or Watson Studio.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission (category): services that contribute the permission
  • Access catalogs (Catalogs): Watson Knowledge Catalog
  • Create deployment spaces (Deployments): Watson Knowledge Catalog
  • Create projects (Projects): DataStage, Watson Knowledge Catalog, Watson Studio

Data Engineer
The role is created by DataStage, Watson Knowledge Catalog, or Watson Studio.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission (category): services that contribute the permission
  • Access catalogs (Catalogs): Watson Knowledge Catalog
  • Access governance artifacts (Governance artifacts): Watson Knowledge Catalog
  • Create deployment spaces (Deployments): Watson Knowledge Catalog
  • Create projects (Projects): DataStage, Watson Knowledge Catalog, Watson Studio
  • Create service instances (Service instances): Cloud Pak for Data control plane
  • Manage asset discovery (Data curation): Watson Knowledge Catalog
  • Manage data protection rules (Governance artifacts): Watson Knowledge Catalog

Data Quality Analyst
The role is created by DataStage, Watson Knowledge Catalog, or Watson Studio.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission (category): services that contribute the permission
  • Access catalogs (Catalogs): Watson Knowledge Catalog
  • Access data quality asset types (Data curation): Watson Knowledge Catalog
  • Access governance artifacts (Governance artifacts): Watson Knowledge Catalog
  • Create deployment spaces (Deployments): Watson Knowledge Catalog
  • Create projects (Projects): DataStage, Watson Knowledge Catalog, Watson Studio
  • Manage asset discovery (Data curation): Watson Knowledge Catalog
  • Manage data protection rules (Governance artifacts): Watson Knowledge Catalog

Data Scientist
The role is created by DataStage, Watson Knowledge Catalog, or Watson Studio.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission (category): services that contribute the permission
  • Access catalogs (Catalogs): DataStage, Watson Knowledge Catalog, Watson Studio
  • Access governance artifacts (Governance artifacts): Watson Knowledge Catalog
  • Create deployment spaces (Deployments): DataStage, Watson Knowledge Catalog, Watson Studio
  • Create projects (Projects): DataStage, Watson Knowledge Catalog, Watson Studio

Data Steward
The role is created by DataStage, Watson Knowledge Catalog, or Watson Studio.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission (category): services that contribute the permission
  • Access catalogs (Catalogs): Watson Knowledge Catalog
  • Access governance artifacts (Governance artifacts): Watson Knowledge Catalog
  • Create deployment spaces (Deployments): Watson Knowledge Catalog
  • Create projects (Projects): DataStage, Watson Knowledge Catalog, Watson Studio
  • Manage asset discovery (Data curation): Watson Knowledge Catalog
  • Manage data protection rules (Governance artifacts): Watson Knowledge Catalog

Developer
The role is created by DataStage, Watson Knowledge Catalog, or Watson Studio.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission (category): services that contribute the permission
  • Access catalogs (Catalogs): DataStage, Watson Knowledge Catalog, Watson Studio
  • Create deployment spaces (Deployments): DataStage, Watson Knowledge Catalog, Watson Studio
  • Create projects (Projects): DataStage, Watson Knowledge Catalog, Watson Studio
  • Create service instances (Service instances): Cloud Pak for Data control plane, but pulled in by DataStage, Watson Knowledge Catalog, and Watson Studio

Reporting administrator
The role is created by Watson Knowledge Catalog.
Note: Users with this role can send all metadata from any project, catalog, or category to an external database regardless of membership or access permissions in existing projects, catalogs, and categories. Assign this privileged role with caution.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission (category): services that contribute the permission
  • Manage reporting (Platform administration): Watson Knowledge Catalog
  • Monitor project workloads (Projects): Watson Knowledge Catalog

User
The role is created by the Cloud Pak for Data control plane.

By default, no permissions are associated with this role.

However, some services contribute permissions to this role. The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission (category): services that contribute the permission
  • Create deployment spaces (Deployments): DataStage, Watson Knowledge Catalog, Watson Studio
  • Create projects (Projects): DataStage, Watson Knowledge Catalog, Watson Studio

If you do not install any services that contribute permissions to this role, users who are assigned the User role can:
  • Sign in to Cloud Pak for Data
  • Access any services or assets that do not require explicit permissions

In addition, users who own or manage assets and service instances can give these users access to those assets or service instances.

Roles assigned to the default platform administrator

When you install an instance of Cloud Pak for Data, some roles are automatically assigned to the default platform administrator.
Note: The name of the default platform administrator depends on whether you integrate the instance with the Identity Management Service:
  • If you do not integrate the instance with the Identity Management Service, the administrator is called admin.
  • If you integrate the instance with the Identity Management Service, the administrator is called either admin or cpadmin.

    For more information on the name of the default administrative user, see Changing the cpadmin user to admin.

Depending on the services that you install, the following roles are automatically assigned to the default platform administrator:
Role: services that assign the role
  • Business Analyst: Watson Knowledge Catalog
  • Data Engineer: DataStage, Watson Knowledge Catalog
  • Data Quality Analyst: Watson Knowledge Catalog
  • Data Scientist: DataStage, Watson Knowledge Catalog, Watson Studio
  • Data Steward: Watson Knowledge Catalog
  • Developer: DataStage, Watson Knowledge Catalog, Watson Studio

Best practice: For a more secure environment, remove the default platform administrator. For details, see Disabling the default platform administrator.
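The inheritance model described in this section (roles assigned directly plus roles inherited from groups) and the role tables above lend themselves to a small audit. The following is an added example, not IBM's code: it transcribes the role-to-permission mapping from this page, uses the admin and cpadmin account names and the privileged permissions that the page itself calls out, and runs against a constructed user directory rather than the Cloud Pak for Data API.

```python
# Predefined role -> permissions, transcribed from the role tables on this
# page (with DataStage, Watson Knowledge Catalog and Watson Studio installed).
ROLE_PERMISSIONS = {
    "Administrator": {"Access governance artifacts", "Add vaults",
        "Administer platform", "Create deployment spaces", "Create projects",
        "Create service instances", "Manage asset discovery", "Manage catalogs",
        "Manage data protection rules", "Manage governance categories",
        "Manage service instances", "Manage workflows"},
    "Business Analyst": {"Access catalogs", "Create deployment spaces",
        "Create projects"},
    "Data Engineer": {"Access catalogs", "Access governance artifacts",
        "Create deployment spaces", "Create projects", "Create service instances",
        "Manage asset discovery", "Manage data protection rules"},
    "Data Quality Analyst": {"Access catalogs", "Access data quality asset types",
        "Access governance artifacts", "Create deployment spaces", "Create projects",
        "Manage asset discovery", "Manage data protection rules"},
    "Data Scientist": {"Access catalogs", "Access governance artifacts",
        "Create deployment spaces", "Create projects"},
    "Data Steward": {"Access catalogs", "Access governance artifacts",
        "Create deployment spaces", "Create projects", "Manage asset discovery",
        "Manage data protection rules"},
    "Developer": {"Access catalogs", "Create deployment spaces", "Create projects",
        "Create service instances"},
    "Reporting administrator": {"Manage reporting", "Monitor project workloads"},
    "User": {"Create deployment spaces", "Create projects"},
}
# Permissions this page calls out as privileged: Administer platform grants or
# revokes every permission, Manage reporting exports all metadata regardless of
# workspace membership, Administer governance artifacts bypasses category controls.
PRIVILEGED = {"Administer platform", "Manage reporting",
              "Administer governance artifacts"}
# Account names this page gives for the default platform administrator.
DEFAULT_ADMIN_NAMES = {"admin", "cpadmin"}


def roles_for_user(user, direct, groups, memberships):
    """Return {role: {source, ...}}: roles assigned directly to the user plus
    roles inherited from every group the user belongs to."""
    sources = {}
    for role in direct.get(user, ()):
        sources.setdefault(role, set()).add("direct")
    for group in memberships.get(user, ()):
        for role in groups.get(group, ()):
            sources.setdefault(role, set()).add(f"group:{group}")
    return sources


def effective_permissions(roles, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions of all roles; each value records which roles
    grant it. An unknown role is an error so a typo cannot hide access."""
    perms = {}
    for role in roles:
        if role not in role_permissions:
            raise KeyError(f"unknown role: {role}")
        for perm in role_permissions[role]:
            perms.setdefault(perm, set()).add(role)
    return perms


def audit(direct, groups, memberships, role_permissions=ROLE_PERMISSIONS):
    """Flag the default administrator account and every user whose effective
    (direct or inherited) permissions include a privileged permission."""
    findings = []
    for user in sorted(set(direct) | set(memberships)):
        if user in DEFAULT_ADMIN_NAMES:
            findings.append(f"{user}: default platform administrator still present")
        roles = roles_for_user(user, direct, groups, memberships)
        perms = effective_permissions(roles, role_permissions)
        for perm in sorted(PRIVILEGED & set(perms)):
            via = ", ".join(f"{r} ({'/'.join(sorted(roles[r]))})"
                            for r in sorted(perms[perm]))
            findings.append(f"{user}: privileged permission '{perm}' via {via}")
    return findings


# Constructed sample directory (illustration only, not from the page).
DIRECT_ROLES = {"cpadmin": {"Administrator"}, "alice": {"Data Scientist"},
                "bob": {"User"}}
GROUP_ROLES = {"analytics": {"Business Analyst"},
               "governance-ops": {"Reporting administrator"}}
MEMBERSHIPS = {"alice": {"analytics", "governance-ops"}, "bob": {"analytics"}}
```

Merge any custom roles into the role_permissions mapping before running audit() over an export of your own users, groups, and memberships.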

Permissions

A permission describes the actions that a user can take.

The permissions are grouped into the following categories:

Catalogs
The category is created by DataStage, Watson Knowledge Catalog, or Watson Studio.

A catalog is a collaborative workspace for sharing assets across your organization.

By default, only the creator and collaborators can see and access a catalog. Each catalog has its own internal access controls. However, all users have access to the Platform assets catalog.

The category includes the following permissions:

Access catalogs
Users with this permission can be added as collaborators to catalogs. When a user is added as a collaborator, the user is assigned a role that determines their permissions on the catalog. There are no explicit actions associated with this permission.

Create catalogs
Available only when Watson Knowledge Catalog is installed.

Users with this permission can create catalogs. By default, the user who creates a catalog is the administrator for the catalog.

Actions:
  • Create catalogs

Manage catalogs
Users with this permission can create catalogs. By default, the user who creates a catalog is the administrator for the catalog.

Users with this permission can see a list of all catalogs on the Catalog management page. Users with this permission can delete a catalog if they have the admin role in the catalog.

Actions:
  • Create catalogs
  • View list of all catalogs on the Catalog management page

Dashboards
The category is created by Cognos® Dashboards.

A dashboard is an asset that you can use to build interactive visualizations of your data.

By default, users don't have permissions to create or view dashboards. You must assign these permissions to users.

The category includes the following permissions:

Create dashboards
Users with this permission can create and view dashboards if they have the Admin role or Editor role on a project. However, if users have the Viewer role on a project, they can only view dashboards.
Important: Your Cloud Pak for Data license limits the number of users who can create dashboards. If you exceed this limit, you must purchase a Cognos license. For details, see Licenses and entitlements and Tracking usage of Cognos Dashboards licenses.
Actions:
  • Create, edit, and delete dashboards in projects
  • View dashboards in projects

View dashboards
Users with this permission can view dashboards in any projects that they are a member of.
Important: Your Cloud Pak for Data license limits the number of users who can view dashboards. If you exceed this limit, you must purchase a Cognos license. For details, see Licenses and entitlements and Tracking usage of Cognos Dashboards licenses.
Actions:
  • View dashboards in projects

Data curation
The category is created by Watson Knowledge Catalog.

Data curation is the process of managing metadata, discovering assets, and analyzing data quality.

The category includes the following permissions:

Access data quality asset types
Users with this permission can access data quality definition and data quality rule assets in projects.
Actions:
  • Create, edit, and delete data quality definitions in projects
  • Create, edit, delete, and run data quality rules in projects

Manage asset discovery
Users with this permission can create and run metadata imports to add technical or lineage metadata from several data sources to projects and catalogs.
Actions:
  • Create and edit metadata imports
  • Run metadata imports
  • Delete metadata imports

Deployments
The category is created by DataStage, Watson Knowledge Catalog, or Watson Studio.

A deployment space is a collaborative workspace for managing model deployments.

By default, only the creator and collaborators can see and access a deployment space. Each deployment space has its own internal access controls.

The category includes the following permissions:

Create deployment spaces
Users with this permission can create deployment spaces. By default, the user who creates a deployment space is the administrator for the deployment space.
Actions:
  • Create deployment spaces

Manage deployment spaces
Users with this permission can see a list of all deployment spaces and view deployment activity for all spaces on the Deployments page. By default, only the creator and collaborators can see their deployment spaces.

Users with this permission can join any deployment space as an administrator so that they can delete unused deployment spaces and ensure that active deployment spaces have at least one owner.

Actions:
  • Create deployment spaces
  • View list of all deployment spaces
  • Join any deployment space as an Admin
  • View deployment activity across all spaces

Monitor deployment activities
Users with this permission can see all active jobs and deployments across all spaces from the Activity tab on the Deployments page. By default, only collaborators can see a deployment space.
Actions:
  • View list of all deployment spaces
  • View deployment activity across all spaces

Governance artifacts
The category is created by Watson Knowledge Catalog.

A governance artifact is an object used to govern the data that is in a catalog. Governance artifacts include business terms, rules, policies, data classes, reference data, and classifications.

A governance category is a collaborative workspace for organizing governance artifacts. By default, only the creator and collaborators can see and access a category. Each category has its own internal access controls.

The category includes the following permissions:

Access governance artifacts
Users with this permission can be added as collaborators to governance categories. By default, users with this permission have view access to all categories. However, they can be added as a collaborator and assigned a role that gives them additional permissions and responsibilities to complete assigned tasks in workflows for the category. There are no explicit actions associated with this permission.

Manage data protection rules
Users with this permission can create and manage data protection rules.
Actions:
  • Create data protection rules
  • Edit data protection rules
  • Delete data protection rules

Administer governance artifacts
Users with this permission can view and edit all governance artifacts in all categories, regardless of whether the users are collaborators in those categories. They can also edit categories, including changing collaborators and category permissions, and perform any actions on governance artifacts, including categories, using API calls.

This permission is not granted with any predefined role.

Actions:
  • View and edit all governance artifacts in all categories
  • Edit all categories, including collaborators and category permissions
  • Run all API calls for governance artifacts

Manage governance categories
Users with this permission can create top-level governance categories to organize catalog artifacts. By default, the user who creates a category is the owner of the category and any users with the Manage governance categories or Access governance artifacts permission are viewers.
Actions:
  • Create top-level categories

Manage glossary
Users with this permission can import and export governance artifacts in a ZIP file, and create and manage custom attribute definitions. They can also create top-level governance categories to organize catalog artifacts. By default, the user who creates a category is the owner of the category and any users with the Manage governance categories or Access governance artifacts permission are viewers.
Actions:
  • Import and export governance artifacts in a ZIP file
  • Create and manage custom attribute definitions
  • Create top-level categories

Platform administration
The category is created by the Cloud Pak for Data control plane.

Permissions in this category enable an administrator to configure, customize, monitor, and manage the platform.

The category includes the following permissions:

Administer platform
This permission offers the most comprehensive set of actions for managing and monitoring the platform.

Users with this permission have elevated privileges and can grant or revoke all permissions, including other administrative permissions.

Actions: see the actions listed under the following permissions.

Manage configurations
Users with this permission can customize the platform, integrate the platform with other applications, and enable connections to unsupported data sources.

Users with this permission can access the Customizations page, the Configurations page, and the JDBC drivers tab on the Platform connections page.

Some actions require specific services to be installed.

Actions:
  • Configure connection to SMTP server
  • Configure integration with IBM Guardium appliances
  • Configure connections to Hadoop clusters
  • Customize branding
  • Enable and disable home page cards
  • Enable and disable default support links
  • Add and delete custom support links
  • Enable and disable guided tours
  • Import JDBC drivers

Manage platform health
Users with this permission can monitor resource use, set quotas and alerts, manage workloads to maintain the health of the platform, and gather diagnostic data when problems occur.

Users with this permission can access the Monitoring page and the Diagnostics page.

Actions:
  • Monitor workloads and resource use
  • Stop any runtime environment
  • View pod status, details, and logs
  • Restart pods
  • View platform quotas and service quotas
  • View event history and alerts
  • Set and edit platform resource quotas
  • Set and edit individual service resource quotas
  • Create and run diagnostics jobs
  • Delete diagnostics jobs

Manage reporting
Users with this permission can configure, start, and edit reporting for Watson Knowledge Catalog data.
Note: Users with this permission can send all metadata from any project, catalog, or category to an external database regardless of membership or access permissions in existing projects, catalogs, and categories. Assign this privileged permission with caution.
Actions:
  • Set up reporting for Watson Knowledge Catalog data

View platform health
Users with this permission can monitor resource use and workloads across the platform to gauge the health of the platform.

Users with this permission have read-only access to the Monitoring page.

Actions:
  • Monitor workloads and resource use
  • View pod status, details, and logs
  • View platform quotas and service quotas
  • View event history and alerts

Projects
The category is created by DataStage, Watson Knowledge Catalog, or Watson Studio.

A project is a collaborative workspace for working with data and other assets. By default, only the creator and collaborators can see and access a project. Each project has its own internal access controls.

The category includes the following permissions:

Create projects
Users with this permission can create projects. By default, the user who creates a project is the administrator for the project.
Actions:
  • Create projects

Manage projects
Users with this permission can see a list of all projects and all active runtimes on the All projects page and the Active runtimes page, respectively. By default, only the creator and collaborators can see their projects.

Users with this permission can join any project as an administrator so that they can delete unused projects and ensure that active projects have at least one owner.

Actions:
  • Create projects
  • View list of all projects
  • Join any project as an Admin
  • View all active runtimes across all projects

Monitor project workloads
Users with this permission can see all active runtimes for all projects from the Active runtimes page. By default, only project collaborators can see the runtimes that are associated with a project.

Users with this permission can see all jobs for all projects from the Jobs page. By default, only project collaborators can see the jobs that are associated with a project.

Actions:
  • View all active runtimes across all projects
  • See jobs across all projects

Service instances
The category is created by the Cloud Pak for Data control plane.

A service instance is a specific deployment of a service. Some services can be deployed more than once.

Some service instances have their own access controls.

The category includes the following permissions:

Create service instances
Users with this permission can create service instances and storage volumes.

The types of service instances depend on the services that are installed.

Actions:
  • Create service instances

Manage service instances
Users with this permission can manage access to any service instance or delete any service instance from the Instances page.
Actions:
  • Create service instances
  • View all service instances
  • Add users to any service instance
  • Assign an instance role to instance users
  • Remove users from a service instance
  • Delete any service instance

User administration
The category is created by the Cloud Pak for Data control plane.

Permissions in this category enable an administrator to manage users, groups, and roles.

The permissions in this category apply to the platform. Service instances and workspaces such as projects, catalogs, and deployment spaces have their own access controls.

The category includes the following permissions:

Manage platform roles
Users with this permission can modify platform roles or create custom roles. Roles determine the permissions that a user or user group has.

Users with this permission can access the Roles tab on the Access control page.

This permission does not apply to service instances or assets, such as projects, catalogs, and deployment spaces.

Actions:
  • Create platform roles
  • Edit platform roles
  • Delete platform roles

Manage user groups
Users with this permission can create and edit user groups. User groups make it easy to manage the roles (and permissions) of users with similar access requirements.

Users with this permission can access the User groups tab on the Access control page.

Actions:
  • Create user groups
  • Edit user groups
  • Delete user groups
  • Assign roles to user groups
  • Remove roles from user groups

Manage users
Users with this permission can onboard users to the platform, edit user profiles, and assign platform roles to users.

Users with this permission can access the Users tab on the Access control page.

Actions:
  • Add users
  • Edit user profiles
  • Assign roles to users
  • Remove roles from users
  • Remove users

Vaults

Secrets contain sensitive data, such as credentials or API keys. A vault is a secure place to store and manage secrets.

Users can add secrets to the internal vault or connect to an external vault to use existing secrets. By default, only the user who added the secret can use the secret.

The category includes the following permissions:

Add vaults
Users with this permission can connect to external vaults and add secrets from their connected vaults.
Actions:
  • Add a connection to external vaults
  • Add secrets from their connected vaults

Manage vaults and secrets
Users with this permission can see a list of all of the external vaults that users connected to and the list of secrets in each vault. However, users with this permission cannot see detailed information about the vaults or access the secrets in the vaults.

Users with this permission can remove secrets from any vault and remove connections to any external vault.

Actions:
  • View list of all connected vaults
  • View list of all secrets in each vault
  • Remove external vaults
  • Remove secrets added from an external vault
  • Delete secrets from the internal vault

Share secrets
Users with this permission can give other users access to secrets that they add. Users with this permission cannot share secrets that are shared with them.
Actions:
  • Share owned secrets
  • Revoke access to shared secrets

Workflows
The category is created by Watson Knowledge Catalog.

A workflow defines the sequence of steps that must be completed and the decisions that must be made to support a specific business process.

Users can use the predefined governance workflows from Watson Knowledge Catalog or create custom process definitions.

The category includes the following permissions:

Manage workflows
Users with this permission can import custom process definitions and edit workflow configurations from the Workflow management page.

Users with this permission can also monitor active workflow tasks to ensure that work is completed in a timely manner.

Actions:
  • Create workflow types
  • Edit workflow types
  • Delete workflow types
  • Upload workflow templates
  • Create workflow configurations
  • Edit workflow configurations
  • Delete workflow configurations
  • Assign workflow tasks to users
  • Monitor the status of workflow tasks