Roles and permissions

To access IBM Cloud Pak® for AIOps and complete actions in it, users require specific roles and permissions. Review the available roles, the permissions that each role carries, and the actions that those permissions allow. These roles and permissions help you set up your users to begin day-to-day operations.

Predefined roles

A role defines the permissions that a user or group has. You can edit the roles that are available by default, or create roles, if the default set of permissions for a role does not align with your business needs.

The following roles are available by default:

  • Administrator
  • Automation Administrator
  • Automation Analyst
  • Automation Developer (AIOps Developer role)
  • Automation Operator
  • Service Administrator
  • User

Notes:

  • Service Administrator: Users with the Service Administrator role do not have permission to add or update a role, or to view the details of a user's assigned roles. If a user with the Service Administrator role selects to view details about a role while viewing details about a user group, a 401 error page is displayed instead.

  • Automation Analyst and User: These predefined roles are available by default but do not include any permissions for completing actions within IBM Cloud Pak for AIOps.

    These default roles are used within the IBM® Automation family of offerings, which includes IBM Cloud Pak for AIOps; however, they are not used within IBM Cloud Pak for AIOps itself. If other IBM Cloud Paks are installed, these roles can carry permissions for completing actions within the tools of those other IBM Cloud Paks.

    As these roles do not include or provide any permissions within IBM Cloud Pak for AIOps, do not assign the roles to users within IBM Cloud Pak for AIOps.

  • Not all permissions are associated with a predefined role. A user with a permission to manage roles, such as the Administer platform permission, can assign such permissions to a role when needed.

Default user

The default user (admin) is automatically assigned the following roles when the roles are added to the platform:

  • Administrator

Creating a role

If the existing default roles are not sufficient for your needs, you can create a role for your users. In addition, when you are adding a user, you can choose to create a role for that user instead of assigning an existing role.

The settings for creating a role are the same regardless of the path you select to create the role.

To directly create a role, complete the following steps:

  1. Log in to the console as an administrator with permissions to manage users.

    Required permissions: To manage access to the Cloud Pak for AIOps console, you must have one of the following permissions:

    • Administer platform
    • Manage platform roles
  2. From the main navigation, click Administration > Access control.

  3. Select the Roles tab and click New role.

  4. Enter the details for the new role:

    • Name - Enter a distinctive and descriptive name for the role.

    • Description - Enter an optional description for the role to define the role, such as to identify the objective or responsibilities for users with the role.

  5. Click Next.

  6. Select the permissions for the role. You can use the Find permissions search field to find and filter the list of permissions.

  7. Click Next.

  8. Review the details for the role and click Create.

Permissions

The following table describes the actions that are associated with each permission.

AI models

Table: AI models permissions
Permissions Actions Automation Developer Automation Operator Service Administrator Automation Administrator Administrator
Manage AI models (1) X X X
View AI models status (2) X X X X
  1. Manage AI models

    Users with this permission can complete the following actions:

    • Gather and prepare AI training data
    • Train AI models
    • Deploy AI models
  2. View AI models status

    Users with this permission can complete the following actions:

    • View AI model status

Resource management (Applications)

Table: Resource management permissions
Permissions Actions Automation Developer Automation Operator Service Administrator Automation Administrator Administrator
Manage applications (1) X X X X
Manage resource group templates (2) X X X
Manage topology comments (3) X X X X X
View topologies (4) X X X X X
  1. Manage applications

    Users with this permission can manage applications and related settings. Users with this permission can complete the following actions:

    • View applications and resources
    • Create applications
    • Edit applications
    • Delete applications
  2. Manage resource group templates

    Users with this permission can manage templates that define how resources are organized into resource groups. Users with this permission can complete the following actions:

    • View resource group templates
    • Create resource group templates
    • Edit resource group templates
    • Delete resource group templates
  3. Manage topology comments

    Users with this permission can manage comments on resources included in a topology. Users with this permission can complete the following actions:

    • View topology comments
    • Create topology comments
  4. View topologies

    Users with this permission can view application topologies. Users with this permission can complete the following actions:

    • View topologies

Basic operations

Table: Basic operations permissions
Permissions Actions Automation Developer Automation Operator Service Administrator Automation Administrator Administrator
View operational data (1) X X X X X
Manage operational data (2) X X X X X
Use AIOps Insights (3) X X X X X
  1. View operational data

    Users with this permission have the following read-only access in IBM Cloud Pak® for AIOps:

    • View alerts
    • View incidents
    • View alert filters
    • View incident filters
    • View alert views
    • View incident views
  2. Manage operational data

    In addition to the View operational data permissions, users with this permission can perform the following actions:

    • Update alerts (Execute right-click actions)
    • Update incidents (Change priority, change state, assign, etc.)
    • Add/Edit/Delete alerts filters
    • Add/Edit/Delete alerts views
    • Add/Edit/Delete incidents filters
    • Add/Edit/Delete incidents views
    • Add/Edit/Delete right-click actions
  3. Use AIOps Insights

    Use the AIOps Insights dashboard to view productivity metrics such as mean time to restore, incident activity, noise reduction, and runbook usage.

    • Use AIOps Insights

Integrations

Table: Integrations permissions
Permissions Actions Automation Developer Automation Operator Service Administrator Automation Administrator Administrator
Manage integrations (1) X X X
View integrations (2) X X X X
  1. Manage integrations

    Users with this permission can manage integrations to infrastructure, log, event, source code, and chat management tools. Users with this permission can complete the following actions:

    • View integrations
    • Create integrations
    • Edit integrations
    • Delete integrations
  2. View integrations

    Users with this permission can view integrations to infrastructure, log, event, source code, and chat management tools. Users with this permission can complete the following actions:

    • View integrations

Operational policies

This permission is required for viewing policy-related information that can be displayed within the details for an application incident.

Attention: To access Automations in the main navigation menu, the Use runbooks permission is required in conjunction with one of the Operational policies permissions. For more information, see Runbook permissions.

Table: Operational policies permissions
Permissions Actions Automation Developer Automation Operator Service Administrator Automation Administrator Administrator
Delete operational policies (1) X X X X
Edit operational policies (2) X X X X
View operational policies (3) X X X X X
  1. Delete operational policies

    Users with this permission can delete policies for promoting alerts to incidents. Users with this permission can complete the following actions:

    • Delete operational policies
  2. Edit operational policies

    Users with this permission can edit policies for promoting alerts to incidents. Users with this permission can complete the following actions:

    • Edit operational policies
  3. View operational policies

    Users with this permission can view policies for promoting alerts to incidents. Users with this permission can complete the following actions:

    • View operational policies

Platform administration

Permissions in this category enable an administrator to configure, customize, monitor, and manage the platform.

Only the Administer platform permission is associated with a predefined role (Administrator). This permission includes all other platform administration permissions.

Table: Platform administration permissions
Permissions Actions Automation Developer Automation Operator Service Administrator Automation Administrator Administrator
Administer platform (1) X
Manage configurations (2)
Manage platform health (3)
View platform health (4)
  1. Administer platform

    This permission offers the most comprehensive set of actions for managing and monitoring the platform. Users with this permission have elevated privileges and can grant or revoke all permissions, including other administrative permissions. Users with this permission can complete the same actions as users that have the following permissions:

    • Manage configurations (Administer platform)
    • Manage platform health (Administer platform)
    • Manage platform roles (User administration)
    • Manage users (User administration)
    • Manage user groups (User administration)
    • Manage service instances (Service instances)
  2. Manage configurations

    Users with this permission can customize the platform, integrate the platform with other applications, and enable connections to unsupported data sources. Users with this permission can access the Customizations page, the Configurations page, and the JDBC drivers tab on the Platform connections page. Some actions require specific services to be installed. Users with this permission can complete the following actions:

    • Configure connection to SMTP server

      Note: Requires Watson Studio or Watson Knowledge Catalog. An SMTP connection enables the platform to send emails.

    • Configure integration with IBM Guardium appliances

      Note: Requires Watson Knowledge Catalog. Use IBM Guardium to audit access to sensitive data on remote databases.

    • Configure connections to Hadoop clusters

      Note: Requires Execution Engine for Apache Hadoop.

    • Customize branding

    • Enable and disable home page cards

    • Enable and disable default support links

    • Add and delete custom support links

    • Enable and disable guided tours

    • Import JDBC drivers

      Note: Requires the common core services. JDBC drivers enable users to connect to unsupported data sources.

  3. Manage platform health

    Users with this permission can monitor resource use, set quotas and alerts, manage workloads to maintain the health of the platform, and gather diagnostic data when problems occur. Users with this permission can access the Monitoring page and the Diagnostics page. Users with this permission can complete the following actions:

    • Monitor workloads and resource use

      Note: Workloads include active runtimes and jobs. Resources include memory and vCPU use across services, instances, and environments.

    • Stop any runtime environment

      Note: Environments are hardware and software configurations defined for running analytical assets or jobs.

    • View pod status, details, and logs

      Note: Services are composed of Kubernetes pods. A pod is an instance of a process that runs on the cluster.

    • Restart pods

    • View platform quotas and service quotas

      Note: A quota specifies the maximum amount of memory or vCPU that the platform or a service should use.

    • View event history and alerts

    • Set and edit platform resource quotas

    • Set and edit individual service resource quotas

    • Create and run diagnostics jobs

      Note: A diagnostic job gathers information that can be used for troubleshooting problems.

    • Delete diagnostics jobs

  4. View platform health

    Users with this permission can monitor resource use and workloads across the platform to gauge the health of the platform. Users with this permission have read-only access to the Monitoring page. Users with this permission can complete the following actions:

    • Monitor workloads and resource use

      Note: Workloads include active runtimes and jobs. Resources include memory and vCPU use across services, instances, and environments.

    • View pod status, details, and logs

      Note: Services are composed of Kubernetes pods. A pod is an instance of a process that runs on the cluster.

    • View platform quotas and service quotas

      Note: A quota specifies the maximum amount of memory or vCPU that the platform or a service should use.

    • View event history and alerts

Profiles

Table: Profiles permissions
Permissions Actions Automation Developer Automation Operator Service Administrator Automation Administrator Administrator
Manage profiles (1) X
  1. Manage profiles

    Users with this permission can use filtering and redacting to complete the following actions:

    • Limit the access a user/group has to see alerts
    • Limit the access a user/group has to see incidents
    • Limit the access a user/group has to see topology/inventory

Runbooks

Table: Runbooks permissions
Permissions Actions Automation Developer Automation Operator Service Administrator Automation Administrator Administrator
Administer runbooks and runbook application (1) X X X
Author and manage runbooks (2) X X X
Author runbooks (3) X X X X
Use runbooks (4) X X X X X
View runbooks (5) X X X X X
  1. Administer runbooks and runbook application

    Users with this permission can complete the following actions:

    • View draft and published runbooks
    • Run draft and published runbooks
    • Create draft runbooks
    • Edit draft runbooks
    • Approve draft runbooks
    • Delete draft and published runbooks
    • Edit integrations
    • Edit global settings
    • Edit group ownership
  2. Author and manage runbooks

    Users with this permission can complete the following actions:

    • View draft and published runbooks
    • Run draft and published runbooks
    • Create draft runbooks
    • Edit draft runbooks
    • Approve draft runbooks
    • Delete draft and published runbooks
  3. Author runbooks

    Users with this permission can complete the following actions:

    • View draft and published runbooks
    • Run draft and published runbooks
    • Create draft runbooks
    • Edit draft runbooks
  4. Use runbooks

    Users with this permission can complete the following actions:

    • View published runbooks
    • Run published runbooks
  5. View runbooks

    Users with this permission can complete the following actions:

    • View published runbooks

Secure tunnel

Table: Secure tunnel permissions
Permissions Actions Automation Developer Automation Operator Service Administrator Automation Administrator Administrator
Install tunnel connectors (1) X X X
Manage tunnel applications (2) X X X
Manage tunnel connections (3) X X X
Manage tunnel templates (4) X X X
Renew certificates (5) X X X
View tunnel audit logs (6) X X X
  1. Install tunnel connectors

    Users with this permission can install tunnel connectors on remote clusters or hosts. Users with this permission can complete the following actions:

    • Install tunnel connectors
  2. Manage tunnel applications

    Users with this permission can manage application traffic at the address or port level. Users with this permission can complete the following actions:

    • View application mappings
    • Create application mappings
    • Edit application mappings
    • Delete application mappings
  3. Manage tunnel connections

    Users with this permission can manage connections to remote clusters or hosts. Users with this permission can complete the following actions:

    • View tunnel connections
    • Create tunnel connections
    • Edit tunnel connections
    • Delete tunnel connections
  4. Manage tunnel templates

    Users with this permission can manage templates that simplify the creation of tunnel connections. Users with this permission can complete the following actions:

    • View tunnel templates
    • Create tunnel templates
    • Edit tunnel templates
    • Delete tunnel templates
  5. Renew certificates

    Users with this permission can renew certificates for tunnel connections. Users with this permission can complete the following actions:

    • Renew certificates for tunnel connections
  6. View tunnel audit logs

    Users with this permission can view a history of user-driven operations and tunnel connection events. Users with this permission can complete the following actions:

    • View tunnel audit logs

Service instances

The service instance permissions are included through the underlying IBM Cloud Pak foundational services that are installed with IBM Cloud Pak for AIOps. These permissions are not used within IBM Cloud Pak® for AIOps:

  • Create service instances
  • Manage service instances

If more IBM Cloud Paks are installed, these permissions can be required for completing actions within tools for those other IBM Cloud Paks.

As these permissions are not used within IBM Cloud Pak for AIOps, do not assign the permissions to any roles that you create unless they are required for use with another installed IBM Cloud Pak.

Topology administration

Table: Topology administration permissions
Permissions Actions Automation Developer Automation Operator Service Administrator Automation Administrator Administrator
Manage advanced topology settings (1) X X X
Manage topology presentation (2) X X X
Manage topology rules (3) X X X
Manage topology tools (4) X X X
  1. Manage advanced topology settings

    Users with this permission can define global preferences for creating and using topologies. Users with this permission can complete the following actions:

    • View advanced topology settings
    • Edit advanced topology settings
  2. Manage topology presentation

    Users with this permission can define how topologies are presented to end users. Users with this permission can complete the following actions:

    • View topology presentation settings
    • Create topology presentation settings
    • Edit topology presentation settings
    • Delete topology presentation settings
  3. Manage topology rules

    Users with this permission can define how resources are processed to enable event correlation, tagging of resources, and the creation of end-to-end topologies. Users with this permission can complete the following actions:

    • View topology rules
    • Create topology rules
    • Edit topology rules
    • Delete topology rules
  4. Manage topology tools

    Users with this permission can define custom actions for resources that are included within topologies. Users with this permission can complete the following actions:

    • View topology tools
    • Create topology tools
    • Edit topology tools
    • Delete topology tools

User administration

User administration permissions enable an administrator to manage users, groups, and roles. These permissions apply to the platform. Service instances and workspaces such as projects, catalogs, and deployment spaces have their own access controls.

Table: User administration permissions
Permissions Actions Automation Developer Automation Operator Service Administrator Automation Administrator Administrator
Manage platform roles (1)
Manage user groups (2) X
Manage users (3) X
  1. Manage platform roles

    Users with the Manage platform roles permission can access the Roles tab on the Access control page to modify platform roles or create custom roles. Roles determine the permissions that a user or user group has. This permission does not apply to service instances or assets, such as projects, catalogs, and deployment spaces. Users with this permission can complete the following actions:

    • Create platform roles
    • Edit platform roles
    • Delete platform roles
  2. Manage user groups

    Users with the Manage user groups permission can access the User groups tab on the Access control page to manage user groups. User groups make it easier to manage the roles (and permissions) of users with similar access requirements. Users with this permission can complete the following actions:

    • Create user groups
    • Edit user groups
    • Delete user groups
    • Assign roles to user groups
    • Remove roles from user groups
  3. Manage users

    Users with the Manage users permission can access the Users tab on the Access control page, and can onboard users to the platform. Users with this permission can complete the following actions:

    • Add users
    • Edit user profiles
    • Assign roles to users
    • Remove roles from users
    • Remove users

What permissions do I have?

You can see what permissions you have from your profile. Your permissions are determined by the roles that are assigned to you.

To see what roles are assigned to you:

  1. Log in to the IBM Cloud Pak for AIOps console and click your avatar in the upper right of the toolbar.
  2. Click Profile and settings.
  3. Click the Roles tab.

The permissions that are associated with your role (or roles) are listed in the Enabled permissions column.
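As an added example (not IBM's code or API), the following Python script models the permission semantics described on this page: it expands implied permissions (the Administer platform rule from the Platform administration section and the Manage operational data rule from Basic operations), takes the union across a user's assigned roles, and flags the assignments the page advises against (the Automation Analyst and User roles, and the Service instances permissions). The role definitions are constructed sample input; "Tunnel operator" is a hypothetical custom role.

```python
"""Effective-permission review for Cloud Pak for AIOps role assignments.

Added example, not IBM's code or API. Role and permission names come from
the documentation; the implication rules are modelled from its text; the
role definitions are constructed sample input, not a console export.
"""
from typing import Dict, FrozenSet, Iterable, List, Set

# "Administer platform" grants the actions of these permissions (Platform
# administration section); "Manage operational data" includes the
# "View operational data" actions (Basic operations section).
IMPLIED: Dict[str, FrozenSet[str]] = {
    "Administer platform": frozenset({
        "Manage configurations", "Manage platform health",
        "Manage platform roles", "Manage users", "Manage user groups",
        "Manage service instances",
    }),
    "Manage operational data": frozenset({"View operational data"}),
}

# Predefined roles that carry no permissions in Cloud Pak for AIOps.
EMPTY_ROLES = {"Automation Analyst", "User"}
# Permissions the page says not to add to custom roles unless another
# installed Cloud Pak requires them.
UNUSED_PERMS = {"Create service instances", "Manage service instances"}


def expand(perms: Iterable[str]) -> Set[str]:
    """Return the given permissions plus everything they imply, transitively."""
    result = set(perms)
    stack = list(result)
    while stack:
        for implied in IMPLIED.get(stack.pop(), ()):
            if implied not in result:
                result.add(implied)
                stack.append(implied)
    return result


def effective_permissions(user_roles: Iterable[str],
                          roles: Dict[str, Set[str]]) -> Set[str]:
    """Union of the expanded permissions of every role assigned to a user."""
    direct: Set[str] = set()
    for role in user_roles:
        direct |= roles.get(role, set())
    return expand(direct)


def review(user_roles: Iterable[str], roles: Dict[str, Set[str]]) -> List[str]:
    """Flag assignments the documentation advises against."""
    findings = []
    for role in user_roles:
        if role in EMPTY_ROLES:
            findings.append(f"role '{role}' grants no permissions in Cloud Pak for AIOps")
        if role not in roles:
            findings.append(f"role '{role}' is not defined")
        for perm in sorted(roles.get(role, set()) & UNUSED_PERMS):
            findings.append(f"role '{role}' includes unused permission '{perm}'")
    return findings


# Constructed sample roles: a subset of the Administrator role's permissions,
# the empty Automation Analyst role, and a hypothetical custom role.
SAMPLE_ROLES: Dict[str, Set[str]] = {
    "Administrator": {"Administer platform", "Manage operational data"},
    "Automation Analyst": set(),
    "Tunnel operator": {"Manage tunnel connections", "Manage service instances"},
}

if __name__ == "__main__":
    assigned = ["Automation Analyst", "Tunnel operator"]
    print(sorted(effective_permissions(assigned, SAMPLE_ROLES)))
    for finding in review(assigned, SAMPLE_ROLES):
        print("WARN:", finding)
```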

Adding users

To add users, you need to have an external LDAP server set up for creating user profiles and authentication. When a user record is included within the LDAP server, you can add the user account within the IBM Cloud Pak for AIOps console. You can add a user directly or as part of an LDAP group. For more information, see Adding users.

Assigning roles and permissions

When you add a user or group, you must specify the role and permissions that they have. These roles and permissions can be granted to users through a combination of the Cloud Pak for AIOps console and an external LDAP server for managing user authentication.

Red Hat OpenShift Container Platform roles

To add and manage users and roles for accessing and using the Red Hat OpenShift Container Platform web console, you need to use the Red Hat role-based access control (RBAC). For more information, see the Red Hat OpenShift topic Using RBAC to define and apply permissions.