Setting up data permissions

Data permissions (or permissions) are a data access control that administrators can apply to users of Business Performance Center. Administrators determine what data business professionals can view.

Before you begin

When the parameter business_performance_center.all_users_access is set to true, all users are granted access to all data in the dashboards:
  • When using an enterprise pattern deployment, the parameter is set to false in the custom resource.
  • When using an evaluation pattern deployment, the parameter is set to true in the custom resource.
For more information, see Business Performance Center parameters.

To manage permissions you must be a Business Performance Center administrator.

After installation, all the users who belong to the User Management Service team specified in the business_performance_center.admin_group field of the custom resource have administrator rights. If this field is not specified, only the user defined in the Business Performance Center secret has administrator rights. For more information about secrets , see Configuring custom secrets.

For 21.0.1, you must manually set up a Business Performance Center administrators team in User Management Service after installation, and then update the business_performance_center.admin_team field in the custom resource by providing the UUID of the team that you want to be the admin team.

About this task

As an administrator for Business Performance Center, you must grant and restrict team access to data. You grant permissions by associating teams with relevant monitoring sources.

A monitoring source (or, source) is a list of data that a team can view and interact with in charts, dashboards, and goals. A monitoring source consists of data kinds and domains. A data kind represents the available software in IBM Cloud Pak® for Business Automation, such as IBM Business Automation Workflow and IBM Operational Decision Manager. A data domain is a specific subset of data within a kind, such as a process in IBM Business Automation Workflow or a ruleset in IBM Operational Decision Manager.

You can grant permissions from one of two tabs: Teams and Sources. From the Teams tab, you associate all of the relevant monitoring sources to a team. From the Sources tab, you associate all of the relevant teams to a monitoring source. Changes to one tab are reflected in the other, so you can set permissions from whichever tab is convenient for you.

Procedure

  1. Go to the Team permissions tab: data permissions icon
  2. Select Set data permissions.
    The data permissions modal opens.
  3. Assign data permissions, according to the tab you are in:
    • From the Teams tab: Select a team and the relevant monitoring sources.
    • From the Sources tab: Select a monitoring source and the relevant teams.
      Remember: A team corresponds to a User Management Service Teams, which in turn corresponds to roles that you have in your company. A monitoring source represents the data kinds and domains that are available in Business Performance Center.
    The drop-down menu filters the teams or the monitoring sources by displaying only the teams or monitoring sources that are not yet assigned.
  4. Select Set permissions to save data permissions to the team.
    The team can now view and interact with the data relevant to its roles.

Results

After you set data permissions for all the available teams, the Set data permissions button is disabled in the Teams tab. Similarly, if you assign all of the available monitoring sources, the Set data permissions button is disabled from the Sources tab.

You can edit or delete data permissions by selecting the overflow menu pie chart of a team or monitoring source.