Roles and permissions for Infrastructure Automation
To access IBM Cloud Pak® for AIOps Infrastructure Automation and complete actions in it, users require specific roles and permissions. Review the available roles, the permissions they carry, and the actions that each permission allows, so that you can set up users for day-to-day operations.
Predefined roles
A role defines the permissions that a user or group has. You can edit the default roles or create new roles if the default set of permissions in a role does not align with your business needs. For more information, see Managing roles.
The following roles are available by default:
- Administrator
- Automation Administrator
- Automation Analyst
- Automation Developer (AIOps Developer role)
- Automation Operator
- User
Notes:
- The User predefined role is listed as available by default, but it does not include any permissions for completing actions within IBM Cloud Pak for AIOps. This default role is used within the IBM® Automation family of offerings, which includes IBM Cloud Pak for AIOps, but it is not used within IBM Cloud Pak for AIOps itself. Because the role grants no permissions within IBM Cloud Pak for AIOps, do not assign it to users within IBM Cloud Pak for AIOps. If other IBM Cloud Paks are installed, this role can carry permissions for completing actions within the tools of those Cloud Paks.
- Not all permissions are associated with a predefined role. A user with a permission to manage roles, such as the Administer platform permission, can assign such permissions to a role when needed.
Default user
The default user (admin) is automatically assigned the following role when the roles are added to the platform:
- Administrator
Creating a role
When adding a user, you can choose to create a role instead of assigning an existing role. You can also choose to directly create a role. The options for creating a role are the same regardless of the path you select to create the role.
To directly create a role, complete the following steps:
1. Log in to the console as an administrator with permissions to manage roles, such as the Administer platform permission.
2. From the main navigation, click Administration > Access control.
3. Select the Roles tab and click New role.
4. Enter the details for the new role:
   - Name - Enter a distinctive and descriptive name for the role.
   - Description - Enter an optional description for the role, such as the objective or responsibilities of users who hold the role.
5. Click Next.
6. Select the permissions for the role. You can use the Find permissions search field to find and filter the list of permissions.
7. Click Next.
8. Review the details for the role and click Create.
Permissions
The following tables describe the actions that are associated with each permission. The numbered entries after each table list the actions for the permission with the same number in the Actions column.
Infrastructure Automation
Permissions | Actions | Automation Developer | Automation Operator | Automation Analyst | Automation Administrator | Administrator |
---|---|---|---|---|---|---|
View Kubernetes resources | (1) | | | | | X |
Edit Kubernetes resources | (2) | | | | | X |
Manage Kubernetes resources | (3) | | | | | X |
Administer Kubernetes resources | (4) | | | | | X |
Administer Kubernetes namespace | (5) | | | | | X |
1. View Kubernetes resources in the Cloud Pak namespaces.
   - View resources
2. Edit Kubernetes resources in the Cloud Pak namespaces.
   - View resources
   - Edit resources
3. Manage Kubernetes resources in the Cloud Pak namespaces.
   - View resources
   - Edit resources
   - Create resources
4. Administer Kubernetes resources in the Cloud Pak namespaces.
   - View resources
   - Edit resources
   - Create resources
   - Delete resources
5. Administer Kubernetes namespace
   - Administer Kubernetes namespace (administrator ClusterRole)
   - Access Administration Hub
   - Manage identity providers
   - Manage teams
   - Manage service IDs
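The five tiers above are nested: each tier adds one capability (edit, then create, then delete) to the one before it, and the fifth tier is a namespace-scoped administrator binding. The following added example, which is not IBM's code and not part of this page, expresses those tiers as Kubernetes RBAC manifests so that you can see exactly which API verbs each tier implies and check a tier before granting it. Everything in it is an assumption for illustration: the namespace name `cp4aiops`, the group names, the resource list, the mapping from each tier to Kubernetes verbs, and the reading of "administrator ClusterRole" as the built-in `admin` ClusterRole. It also shows a caveat a practitioner should know: the built-in `edit` ClusterRole grants create and delete, so binding it is broader than the page's Edit tier.

```python
import json

# The page's four resource tiers, each a superset of the previous one.
# Mapping tier -> Kubernetes API verbs is this example's assumption.
TIER_VERBS = {
    "view": ["get", "list", "watch"],
    "edit": ["get", "list", "watch", "update", "patch"],
    "manage": ["get", "list", "watch", "update", "patch", "create"],
    "administer": ["get", "list", "watch", "update", "patch", "create", "delete"],
}

# Assumed resource scope for the tiers; narrow it to what the tooling touches.
RESOURCES = [
    {"apiGroups": [""], "resources": ["pods", "services", "configmaps"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets"]},
]

# Verbs the built-in `edit` ClusterRole grants on most namespaced resources.
BUILTIN_EDIT_VERBS = {"get", "list", "watch", "create", "update",
                      "patch", "delete", "deletecollection"}


def role_manifest(tier, namespace):
    """Namespaced Role that grants exactly the verbs of one tier."""
    if tier not in TIER_VERBS:
        raise ValueError(f"unknown tier: {tier!r}")
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": f"ia-{tier}", "namespace": namespace},
        "rules": [dict(rule, verbs=list(TIER_VERBS[tier])) for rule in RESOURCES],
    }


def binding_manifest(name, namespace, role_kind, role_name, group):
    """RoleBinding from a group (for example an LDAP group synced as an
    OpenShift Group) to a Role or ClusterRole, scoped to one namespace."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": namespace},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": role_kind, "name": role_name},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                      "kind": "Group", "name": group}],
    }


def tier_binding(tier, namespace, group):
    """Bind one of the tier Roles above to a group."""
    return binding_manifest(f"ia-{tier}-{group}", namespace, "Role", f"ia-{tier}", group)


def namespace_admin_binding(namespace, group):
    """Tier (5): the built-in `admin` ClusterRole bound with a RoleBinding, so it
    applies to this namespace only. A ClusterRoleBinding would make it cluster-wide."""
    return binding_manifest(f"ia-namespace-admin-{group}", namespace,
                            "ClusterRole", "admin", group)


def tier_allows(tier, verb):
    """Does the tier permit this API verb?"""
    return verb in TIER_VERBS[tier]


def builtin_edit_excess(tier):
    """Verbs the built-in `edit` ClusterRole grants beyond the given tier."""
    return sorted(BUILTIN_EDIT_VERBS - set(TIER_VERBS[tier]))


def manifests_json(namespace, group_by_tier):
    """A v1 List as JSON (valid YAML), usable with `oc apply -f -`."""
    items = []
    for tier, group in group_by_tier.items():
        items.append(role_manifest(tier, namespace))
        items.append(tier_binding(tier, namespace, group))
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": items}, indent=2)


if __name__ == "__main__":
    print(manifests_json("cp4aiops", {"view": "ia-viewers", "edit": "ia-editors"}))
    print("built-in edit grants beyond the Edit tier:", builtin_edit_excess("edit"))
```

Before binding a tier, `tier_allows("edit", "create")` returning `False` is the point of the Edit tier; if your practitioners instead bind the stock `edit` ClusterRole for convenience, `builtin_edit_excess("edit")` lists the verbs they silently hand out in addition.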
Platform administration
Permissions in this category enable an administrator to configure, customize, monitor, and manage the platform.
Only the Administer platform permission is associated with a predefined role (Administrator). This permission includes all other platform administration permissions.
Permissions | Actions | Automation Developer | Automation Operator | Automation Administrator | Administrator |
---|---|---|---|---|---|
Administer platform | (1) | | | | X |
Manage configurations | (2) | | | | |
Manage platform health | (3) | | | | |
View platform health | (4) | | | | |
1. Administer platform
   This permission offers the most comprehensive set of actions for managing and monitoring the platform. Users with this permission have elevated privileges and can grant or revoke all permissions, including other administrative permissions. Users with this permission can complete the same actions as users that have the following permissions:
   - Manage configurations (Platform administration)
   - Manage platform health (Platform administration)
   - Manage platform roles (User administration)
   - Manage users (User administration)
   - Manage user groups (User administration)
   - Manage service instances (Service instances)
2. Manage configurations
   Users with this permission can customize the platform, integrate the platform with other applications, and enable connections to unsupported data sources. Users with this permission can access the Customizations page, the Configurations page, and the JDBC drivers tab on the Platform connections page. Some actions require specific services to be installed. Users with this permission can complete the following actions:
   - Configure connection to SMTP server. Note: Requires Watson Studio or Watson Knowledge Catalog. An SMTP connection enables the platform to send emails.
   - Configure integration with IBM Guardium appliances. Note: Requires Watson Knowledge Catalog. Use IBM Guardium to audit access to sensitive data on remote databases.
   - Configure connections to Hadoop clusters. Note: Requires Execution Engine for Apache Hadoop.
   - Customize branding
   - Enable and disable home page cards
   - Enable and disable default support links
   - Add and delete custom support links
   - Enable and disable guided tours
   - Import JDBC drivers. Note: Requires the common core services. JDBC drivers enable users to connect to unsupported data sources.
3. Manage platform health
   Users with this permission can monitor resource use, set quotas and alerts, manage workloads to maintain the health of the platform, and gather diagnostic data when problems occur. Users with this permission can access the Monitoring page and the Diagnostics page. Users with this permission can complete the following actions:
   - Monitor workloads and resource use. Note: Workloads include active runtimes and jobs. Resources include memory and vCPU use across services, instances, and environments.
   - Stop any runtime environment. Note: Environments are hardware and software configurations defined for running analytical assets or jobs.
   - View pod status, details, and logs. Note: Services are composed of Kubernetes pods. A pod is an instance of a process that runs on the cluster.
   - Restart pods
   - View platform quotas and service quotas. Note: A quota specifies the maximum amount of memory or vCPU that the platform or a service should use.
   - View event history and alerts
   - Set and edit platform resource quotas
   - Set and edit individual service resource quotas
   - Create and run diagnostics jobs. Note: A diagnostic job gathers information that can be used for troubleshooting problems.
   - Delete diagnostics jobs
4. View platform health
   Users with this permission can monitor resource use and workloads across the platform to gauge the health of the platform. Users with this permission have read-only access to the Monitoring page. Users with this permission can complete the following actions:
   - Monitor workloads and resource use. Note: Workloads include active runtimes and jobs. Resources include memory and vCPU use across services, instances, and environments.
   - View pod status, details, and logs. Note: Services are composed of Kubernetes pods. A pod is an instance of a process that runs on the cluster.
   - View platform quotas and service quotas. Note: A quota specifies the maximum amount of memory or vCPU that the platform or a service should use.
   - View event history and alerts
Service instances
A service instance is a specific deployment of a service. Some services can be deployed more than once. Some service instances have their own access controls.
Permissions | Actions | Automation Developer | Automation Operator | Automation Administrator | Administrator |
---|---|---|---|---|---|
Create service instances | (1) | | | | X |
Manage service instances | (2) | | | | |
1. Create service instances
   Users with this permission can create service instances and storage volumes. The types of service instances depend on the services that are installed. Users with this permission can complete the following actions:
   - Create service instances. Note: If an instance has access controls, the user who creates the instance is an instance administrator.
2. Manage service instances
   Users with this permission can manage access to any service instance or delete any service instance from the Instances page. Users with this permission can complete the following actions:
   - Create service instances
   - View all service instances
   - Add users to any service instance
   - Assign an instance role to instance users
   - Remove users from a service instance
   - Delete any service instance
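Because Administer platform includes the other platform administration, user administration and service-instance permissions (and Manage platform health and Manage service instances each cover a smaller permission), a user's effective permissions are wider than the ones listed on their roles. The following added example, which is not IBM's code and not taken from this page, computes effective permissions by expanding those inclusions and then lists the users who can, in effect, administer the platform. The role and user assignments are constructed sample data; the hypothetical custom roles `Platform Monitor` and `Role Editor` do not exist on the page. Treating Manage platform roles as administrator-equivalent is this example's own reasoning (a user who can edit roles can add Administer platform to a role they hold), not a statement the page makes.

```python
# Permissions that a permission implies, taken from the lists on this page:
# Administer platform includes the other platform administration, user
# administration, and service-instance permissions; Manage platform health
# covers every View platform health action; Manage service instances includes
# Create service instances.
IMPLIES = {
    "Administer platform": {
        "Manage configurations", "Manage platform health", "View platform health",
        "Manage platform roles", "Manage users", "Manage user groups",
        "Manage service instances",
    },
    "Manage platform health": {"View platform health"},
    "Manage service instances": {"Create service instances"},
}

# This example's own reasoning (not stated on the page): a user who can edit
# roles can add Administer platform to a role they hold, so Manage platform
# roles is treated as administrator-equivalent for audit purposes.
ADMIN_EQUIVALENT = {"Administer platform", "Manage platform roles"}


def expand(permissions):
    """Transitive closure of a permission set over IMPLIES."""
    effective = set(permissions)
    pending = list(permissions)
    while pending:
        perm = pending.pop()
        for implied in IMPLIES.get(perm, ()):
            if implied not in effective:
                effective.add(implied)
                pending.append(implied)
    return effective


def effective_permissions(user, roles, assignments):
    """Union of the permissions of every role assigned to the user, expanded."""
    direct = set()
    for role in assignments.get(user, ()):
        direct |= roles[role]
    return expand(direct)


def admin_equivalent_users(roles, assignments):
    """Users whose effective permissions let them administer the platform."""
    return sorted(
        user for user in assignments
        if effective_permissions(user, roles, assignments) & ADMIN_EQUIVALENT
    )


# Constructed sample data: two predefined roles from the page (Administrator,
# User) plus two hypothetical custom roles.
ROLES = {
    "Administrator": {"Administer platform"},
    "User": set(),  # predefined role with no permissions in this product
    "Platform Monitor": {"View platform health"},
    "Role Editor": {"Manage platform roles"},
}
ASSIGNMENTS = {
    "admin": ["Administrator"],
    "ops1": ["Platform Monitor"],
    "dev2": ["Role Editor", "Platform Monitor"],
    "guest": ["User"],
}

if __name__ == "__main__":
    for user in ASSIGNMENTS:
        print(user, sorted(effective_permissions(user, ROLES, ASSIGNMENTS)))
    print("administrator-equivalent:", admin_equivalent_users(ROLES, ASSIGNMENTS))
```

Run periodically against an export of your real role and group assignments, the `admin_equivalent_users` list is the set of accounts to hold to the same controls as the default `admin` user, whatever their role names say. Note that `dev2` appears there without holding Administer platform.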
What permissions do I have?
You can see what permissions you have from your profile. Your permissions are determined by the roles that are assigned to you.
To see what roles are assigned to you:
- Log in to the IBM Cloud Pak for AIOps console and click your avatar in the upper right of the toolbar.
- Click Profile and settings.
- Click the Roles tab.
The permissions that are associated with your role (or roles) are listed in the Enabled permissions column.
Adding users
To add users, you need to have an external LDAP server set up for creating user profiles and authentication. When a user record is included within the LDAP server, you can add the user account within the IBM Cloud Pak for AIOps console. You can add a user directly or as part of an LDAP group. For more information, see Adding users.
Assigning roles and permissions
When you add a user or group, you must specify the role and permissions that they have. These roles and permissions can be granted to users through a combination of the IBM Cloud Pak for AIOps console and an external LDAP server for managing user authentication.
Red Hat OpenShift Container Platform roles
To add and manage users and roles for accessing and using the Red Hat OpenShift Container Platform web console, use Red Hat role-based access control (RBAC). For more information, see the Red Hat OpenShift topic Using RBAC to define and apply permissions.