Adding users to IBM Master Data Management on IBM Software Hub

After you install the IBM Master Data Management service, you must give users access to the service.

Roles and permissions
Instance administrator: To complete this task the first time, you must be the instance administrator who installed the IBM Master Data Management service. If you add other users as administrators for the service, they can also manage users.

Only the instance administrator who installs IBM Master Data Management is granted access to the service by default. To provide other users with access to the service, the administrator user must add them to the appropriate user groups. For example, to create and set up a master data configuration asset, users must belong to the DataEngineer group.

Tip: To mitigate the risk of IBM Master Data Management user credentials becoming compromised, it is good practice to connect to IBM Cloud Pak for Data through an identity provider that can provide authentication. For information about configuring IBM® Software Hub to connect to an identity provider, see Connecting to your identity provider.

About this task

An IBM Software Hub administrator can assign users to groups, allowing them to access IBM Master Data Management. To access IBM Master Data Management, an IBM Software Hub user must belong to one of the following groups:

DataEngineer

DataEngineer group members have full rights to configure an IBM Master Data Management service instance, onboard data sources, customize the data model, tune and customize the matching algorithm, run matching, view or create jobs, create pair review requests, and view or edit entities and records in the master data explorer. DataEngineer users can create and set up a master data configuration asset. DataEngineer users can also view and manage governed data.

DataSteward

DataSteward group members can onboard data sources, run matching, view the data model, view ongoing jobs, complete pair review tasks, and view or edit entities and records in the master data explorer.

PublisherUser

PublisherUser group members can publish data from an IBM InfoSphere® Master Data Management instance, through the MDM Publisher tool, into IBM Master Data Management. PublisherUser members can onboard data sources, customize the data model, and view or create jobs. PublisherUser users can also view and manage governed data.

EntityViewer

EntityViewer group members have read-only permission in an IBM Master Data Management instance. They can view the master data, the model, the results of matching, and ongoing jobs.

Table 1. IBM Master Data Management user groups and permissions

| Groups | Entity maintenance tasks | Model tasks | Matching tasks | Jobs tasks | Configuration tasks | Pair review tasks |
| --- | --- | --- | --- | --- | --- | --- |
| DataEngineer | read, write, manage | read, write, manage | read, write, manage | read, write, manage | read, write, manage | none |
| DataSteward | read, write | read | read, write | read | none | read, write |
| PublisherUser | read, write, manage | read, write, manage | none | read, write | none | none |
| EntityViewer | read | read | read | read | none | none |

You must assign at least one of the four IBM Master Data Management roles to give a user access to the service. There are two methods of managing IBM Master Data Management user access:

Using the IBM Software Hub API to give users access to IBM Master Data Management

Manage IBM Master Data Management user permissions by using the IBM Software Hub API and the mdm-assign-user-groups.sh sample script.

Before you begin: Download the sample scripts archive file to help you to manage users and groups through the API. The archive file contains the following sample scripts:
  • mdm-create-groups.sh
  • mdm-assign-user-groups.sh

In this procedure, you'll use the mdm-assign-user-groups.sh script to grant IBM Master Data Management permissions to users through the IBM Software Hub API.

To add users to the IBM Master Data Management user groups:
  1. Log in to the IBM Software Hub cluster as an administrator user with sufficient permissions to perform this task.
    oc login ${OCP_URL} --username ${OCP_USERNAME} --password ${OCP_PASSWORD}
  2. Create a user and assign them to the IBM Master Data Management user groups that you created in the previous step. Run the following command:
    ./mdm-assign-user-groups.sh -u ADMIN-USER -p ADMIN-PASSWORD -n ${PROJECT_CPD_INST_OPERANDS} -m MDM-USER-NAME -w MDM-USER-PASSWORD -g MDM-USER-GROUP
    Replace the following values:
    • ADMIN-USER: The Cloud Pak for Data admin user.
    • ADMIN-PASSWORD: The password of the Cloud Pak for Data admin user.
    • MDM-USER-NAME: The user name of the IBM Master Data Management user. If the user does not exist in Cloud Pak for Data, the script will create a new user before assigning them to the IBM Master Data Management user group.
    • MDM-USER-PASSWORD: The password of the IBM Master Data Management user.
    • MDM-USER-GROUP: The IBM Master Data Management user group that you want to assign the user to. One of:
      • DataEngineer
      • DataSteward
      • EntityViewer
      • PublisherUser

    You can add a user to only one group at a time. If you wish to assign a user to more than one IBM Master Data Management user group, rerun the script for each user group you want to assign the user to.
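
The script accepts one group per run, so assigning several groups means several invocations. The wrapper below is an added example, not part of IBM's sample scripts archive: it checks every requested group against the four names listed on this page before anything is changed, then calls mdm-assign-user-groups.sh once per group with the flags shown in the command above. The environment variable names ADMIN_USER, ADMIN_PASSWORD, MDM_USER_PASSWORD and MDM_ASSIGN_SCRIPT are assumptions, as is the expectation that the sample script exits non-zero on failure.

```shell
#!/bin/sh
# Added example: wrapper around the mdm-assign-user-groups.sh sample script.
# Assumed names (not from the IBM page): ADMIN_USER, ADMIN_PASSWORD,
# MDM_USER_PASSWORD, MDM_ASSIGN_SCRIPT. PROJECT_CPD_INST_OPERANDS is the
# variable the page's own command uses.
# Secrets are read from the environment so they stay out of shell history;
# the sample script still receives them as arguments, so they remain visible
# in the process list while it runs.

MDM_GROUPS="DataEngineer DataSteward EntityViewer PublisherUser"
MDM_ASSIGN_SCRIPT="${MDM_ASSIGN_SCRIPT:-./mdm-assign-user-groups.sh}"

# Succeeds only for an exact, case-sensitive match of one documented group.
is_mdm_group() {
  case "$1" in
    "" | *" "*) return 1 ;;
  esac
  case " $MDM_GROUPS " in
    *" $1 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# assign_mdm_groups MDM-USER-NAME GROUP [GROUP...]
# Returns 2 on bad input (nothing is changed), 1 if the sample script fails.
assign_mdm_groups() {
  local user="$1" g
  [ "$#" -ge 2 ] || { echo "usage: assign_mdm_groups USER GROUP..." >&2; return 2; }
  shift
  if [ -z "${ADMIN_USER:-}" ] || [ -z "${ADMIN_PASSWORD:-}" ] ||
     [ -z "${MDM_USER_PASSWORD:-}" ] || [ -z "${PROJECT_CPD_INST_OPERANDS:-}" ]; then
    echo "set ADMIN_USER, ADMIN_PASSWORD, MDM_USER_PASSWORD, PROJECT_CPD_INST_OPERANDS" >&2
    return 2
  fi
  # Validate the whole request first so a typo cannot leave a partial assignment.
  for g in "$@"; do
    is_mdm_group "$g" || { echo "unknown group: $g" >&2; return 2; }
  done
  # One invocation per group, as the procedure requires.
  for g in "$@"; do
    "$MDM_ASSIGN_SCRIPT" -u "$ADMIN_USER" -p "$ADMIN_PASSWORD" \
      -n "$PROJECT_CPD_INST_OPERANDS" -m "$user" -w "$MDM_USER_PASSWORD" \
      -g "$g" || { echo "assignment to $g failed" >&2; return 1; }
  done
}
```

After sourcing the file and exporting the variables, `assign_mdm_groups jdoe DataSteward EntityViewer` runs the sample script twice; `jdoe` is a constructed user name.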

Using the IBM Software Hub web client to give users access to IBM Master Data Management

By using the IBM Software Hub web client's access control tools, you can manage the users for the IBM Master Data Management service.

To grant access to additional IBM Master Data Management users, use the IBM Software Hub web client to add users and assign them to one of the IBM Master Data Management user groups:
  • DataEngineer
  • DataSteward
  • EntityViewer
  • PublisherUser

To create users and manage permissions by assigning groups in the web client, log in to IBM Software Hub. From the navigation menu, choose Administration > Access control. For more information, see Managing access to the platform.

What to do next

After you have assigned IBM Master Data Management access to users, they can begin using the service. For information about using IBM Master Data Management, see Managing master data.