Managing user permissions

You can manage the permissions of your users for Operational Decision Manager in IBM Cloud Pak Platform UI (Zen). These permissions are used to access Decision Center and Decision Server consoles, or to control access to decision runtime and management REST API endpoints.

Before you begin

You must sign in to the Zen console as an administrator.

For more information about managing users in the Zen console, see Managing users in the IBM Cloud Pak Platform UI documentation.

About this task

A role is a container of permissions. You create a role and add permissions to the role, and then assign the role to users or user groups.

The Operational Decision Manager capability comes with four predefined Zen roles.

Table 1. Operational Decision Manager predefined Zen roles

| ODM Zen roles | ODM Zen permissions | Description |
|---|---|---|
| ODM Administrator | ODM - Administer Decision Center; ODM - Administer database for Decision Center; ODM - Administer Decision Server; ODM - Execute decision services in Decision Server | Gives a user full administrator rights to Decision Center and Decision Server. |
| ODM Business User | ODM - Manage decision services in Decision Center | Gives standard access to Decision Center. |
| ODM Runtime administrator | ODM - Administer Decision Server | Gives all the rights to administer Decision Server. |
| ODM Runtime user | ODM - Execute decision services in Decision Server | Gives rights to only execute decision services. |

Table 2. Mapping between Operational Decision Manager Zen permissions and Operational Decision Manager Liberty roles

| ODM Zen permissions | ODM Liberty roles | Description |
|---|---|---|
| ODM - Administer Decision Center | rtsAdministrators | Gives all the rights of the regular user and the configuration manager user, and can, for example, enforce security on decision services. |
| ODM - Administer database for Decision Center | rtsInstallers | Needed to manage some Business console DBAdmin REST API endpoints. |
| ODM - Manage decision services and deployment in Decision Center | rtsConfigManagers | Gives all the rights of the regular user, and can, for example, create and edit configurations. |
| ODM - Manage decision services in Decision Center | rtsUsers | Regular Decision Center business user. |
| ODM - Administer Decision Server | resAdministrators | Gives full control in the Decision Server console and on deployed resources. |
| ODM - Execute decision services in Decision Server | resExecutors | Can execute decision services. Must be used in conjunction with another role if you want to execute decision services from the Decision Server console. |
| ODM - Monitor and deploy decision services in Decision Server | resDeployers | In addition to monitoring rights, can, for example, deploy decision services. |
| ODM - Monitor decision services in Decision Server | resMonitors | Can monitor (read-only) decision services in the Decision Server console. |

If the predefined ODM Zen roles do not fit your needs, you can disable them by setting the following parameter in the custom resource (CR) file:

odm_configuration: 
   create_default_zen_roles: false

Procedure

Note: The following steps take place after an installation of Operational Decision Manager.

To create your own roles, go to the Zen console and follow this procedure.

  1. Create a role and add permissions to it.
    1. Click Manage users in the administrator's UI.
    2. In the Roles tab on the Access control page, click New role.
    3. In the Details section, enter a name and a description for the role. Click Next.
    4. In the Permissions section, expand IBM Cloud Pak for Business Automation and select ODM permissions to add to the role. Click Next.
    5. Verify the information in the Summary section, and then click Create.
  2. Assign the role to users or user groups.
    For example, to assign the role to a user:
    1. In the Users tab on the Access control page, select a user.
    2. Click Assign roles on the user's page.
    3. Select the role that you want to assign on the Assign roles page, and then click Assign 1 role.
      Now the new role is assigned to a user. You can click View assigned permissions to check a list of permissions that the user has.
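
When you define your own roles, it helps to review which Liberty roles each user ends up with across all assigned roles. The following Python sketch is an added example, not part of the IBM documentation or product: it applies the Table 2 mapping to constructed role and user data (the role names, user names, and the review policy are assumptions of this example).

```python
# Zen permission -> Liberty role, copied from Table 2 on this page.
ZEN_TO_LIBERTY = {
    "ODM - Administer Decision Center": "rtsAdministrators",
    "ODM - Administer database for Decision Center": "rtsInstallers",
    "ODM - Manage decision services and deployment in Decision Center": "rtsConfigManagers",
    "ODM - Manage decision services in Decision Center": "rtsUsers",
    "ODM - Administer Decision Server": "resAdministrators",
    "ODM - Execute decision services in Decision Server": "resExecutors",
    "ODM - Monitor and deploy decision services in Decision Server": "resDeployers",
    "ODM - Monitor decision services in Decision Server": "resMonitors",
}

def liberty_roles(permissions):
    """Resolve Zen permission names to Liberty roles; reject names not in Table 2."""
    unknown = sorted(set(permissions) - set(ZEN_TO_LIBERTY))
    if unknown:
        raise ValueError(f"not in Table 2: {unknown}")
    return {ZEN_TO_LIBERTY[p] for p in permissions}

def review(roles, assignments):
    """roles: role -> Zen permissions; assignments: user -> roles. Returns user -> (roles, notes)."""
    report = {}
    for user, names in assignments.items():
        perms = {p for n in names for p in roles[n]}  # union over all assigned roles
        effective = liberty_roles(perms)
        notes = []
        # Review policy of this example: surface every "Administer" permission.
        admin = sorted(ZEN_TO_LIBERTY[p] for p in perms if p.startswith("ODM - Administer"))
        if admin:
            notes.append("administrative: " + ", ".join(admin))
        # Assumption: "another role" in Table 2 is read as another Decision Server (res*) role.
        if {r for r in effective if r.startswith("res")} == {"resExecutors"}:
            notes.append("resExecutors only: no execution from the Decision Server console")
        report[user] = (sorted(effective), notes)
    return report

# Constructed sample data: role and user names are hypothetical.
SAMPLE_ROLES = {
    "Rule author": ["ODM - Manage decision services in Decision Center"],
    "Batch caller": ["ODM - Execute decision services in Decision Server"],
    "Release manager": ["ODM - Manage decision services and deployment in Decision Center",
                        "ODM - Administer Decision Server"],
}
SAMPLE_ASSIGNMENTS = {"alice": ["Rule author"], "svc-batch": ["Batch caller"],
                      "bob": ["Rule author", "Release manager"]}

if __name__ == "__main__":
    for user, (effective, notes) in review(SAMPLE_ROLES, SAMPLE_ASSIGNMENTS).items():
        print(user, effective, notes)
```
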