Predefined roles and permissions

The permissions and predefined roles that are available depend on the services that are installed on top of Cloud Pak for Data. When you add a user or group, you must specify the role that they have.

Predefined roles

A role defines the permissions that a user or group has.

A user or group can have multiple roles. Additionally, a user can have roles that are directly assigned to them and roles that they inherit from groups.

You can edit the default roles or create new roles if the default set of permissions in a role doesn't align with your business needs. For more information, see Managing roles.

The roles that are available depend on the services that are installed on top of Cloud Pak for Data:

Administrator
The role is created by the Cloud Pak for Data control plane.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission                   | Category                | Services that contribute the permission
Access governance artifacts  | Governance artifacts    | Watson™ Knowledge Catalog
Administer platform          | Platform administration | Cloud Pak for Data control plane
Create deployment spaces     | Deployments             | DataStage®, Watson Knowledge Catalog, Watson Studio
Create projects              | Projects                | DataStage, Watson Knowledge Catalog, Watson Studio
Create service instances     | Service instances       | Cloud Pak for Data control plane
Manage asset discovery       | Data curation           | Watson Knowledge Catalog
Manage catalogs              | Catalogs                | DataStage, Watson Knowledge Catalog, Watson Studio
Manage data protection rules | Governance artifacts    | Watson Knowledge Catalog
Manage data quality          | Data curation           | Watson Knowledge Catalog
Manage governance categories | Governance artifacts    | Watson Knowledge Catalog
Manage information assets    | Catalogs                | Watson Knowledge Catalog
Manage metadata              | Data curation           | Watson Knowledge Catalog
Manage service instances     | Service instances       | Cloud Pak for Data control plane (pulled in by DataStage)
Manage workflows             | Workflows               | Watson Knowledge Catalog
Business Analyst
The role is created by DataStage, Watson Knowledge Catalog, or Watson Studio.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission               | Category      | Services that contribute the permission
Access catalogs          | Catalogs      | Watson Knowledge Catalog
Access data quality      | Data curation | Watson Knowledge Catalog
Create deployment spaces | Deployments   | Watson Knowledge Catalog
Create projects          | Projects      | DataStage, Watson Knowledge Catalog, Watson Studio
View information assets  | Catalogs      | Watson Knowledge Catalog
Data Engineer
The role is created by DataStage, Watson Knowledge Catalog, or Watson Studio.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission                   | Category             | Services that contribute the permission
Access catalogs              | Catalogs             | Watson Knowledge Catalog
Access data quality          | Data curation        | Watson Knowledge Catalog
Access governance artifacts  | Governance artifacts | Watson Knowledge Catalog
Create deployment spaces     | Deployments          | Watson Knowledge Catalog
Create projects              | Projects             | DataStage, Watson Knowledge Catalog, Watson Studio
Create service instances     | Service instances    | Cloud Pak for Data control plane
Manage asset discovery       | Data curation        | Watson Knowledge Catalog
Manage data protection rules | Governance artifacts | Watson Knowledge Catalog
Manage data quality          | Data curation        | Watson Knowledge Catalog
Manage information assets    | Catalogs             | Watson Knowledge Catalog
Manage metadata              | Data curation        | Watson Knowledge Catalog
Data Quality Analyst
The role is created by DataStage, Watson Knowledge Catalog, or Watson Studio.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission                   | Category             | Services that contribute the permission
Access catalogs              | Catalogs             | Watson Knowledge Catalog
Access governance artifacts  | Governance artifacts | Watson Knowledge Catalog
Create deployment spaces     | Deployments          | Watson Knowledge Catalog
Create projects              | Projects             | DataStage, Watson Knowledge Catalog, Watson Studio
Manage asset discovery       | Data curation        | Watson Knowledge Catalog
Manage data protection rules | Governance artifacts | Watson Knowledge Catalog
Manage data quality          | Data curation        | Watson Knowledge Catalog
Manage information assets    | Catalogs             | Watson Knowledge Catalog
Manage metadata              | Data curation        | Watson Knowledge Catalog
Data Scientist
The role is created by DataStage, Watson Knowledge Catalog, or Watson Studio.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission                  | Category             | Services that contribute the permission
Access catalogs             | Catalogs             | DataStage, Watson Knowledge Catalog, Watson Studio
Access governance artifacts | Governance artifacts | Watson Knowledge Catalog
Create deployment spaces    | Deployments          | DataStage, Watson Knowledge Catalog, Watson Studio
Create projects             | Projects             | DataStage, Watson Knowledge Catalog, Watson Studio
Data Steward
The role is created by DataStage, Watson Knowledge Catalog, or Watson Studio.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission                   | Category             | Services that contribute the permission
Access catalogs              | Catalogs             | Watson Knowledge Catalog
Access data quality          | Data curation        | Watson Knowledge Catalog
Access governance artifacts  | Governance artifacts | Watson Knowledge Catalog
Create deployment spaces     | Deployments          | Watson Knowledge Catalog
Create projects              | Projects             | DataStage, Watson Knowledge Catalog, Watson Studio
Manage asset discovery       | Data curation        | Watson Knowledge Catalog
Manage data protection rules | Governance artifacts | Watson Knowledge Catalog
Manage information assets    | Catalogs             | Watson Knowledge Catalog
Manage metadata              | Data curation        | Watson Knowledge Catalog
Developer
The role is created by DataStage, Watson Knowledge Catalog, or Watson Studio.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission               | Category          | Services that contribute the permission
Access catalogs          | Catalogs          | DataStage, Watson Knowledge Catalog, Watson Studio
Create deployment spaces | Deployments       | DataStage, Watson Knowledge Catalog, Watson Studio
Create projects          | Projects          | DataStage, Watson Knowledge Catalog, Watson Studio
Create service instances | Service instances | Cloud Pak for Data control plane (pulled in by DataStage, Watson Knowledge Catalog, Watson Studio)
Reporting administrator
The role is created by Watson Knowledge Catalog.

The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission                | Category                | Services that contribute the permission
Manage reporting          | Platform administration | Watson Knowledge Catalog
Monitor project workloads | Projects                | Watson Knowledge Catalog
User
The role is created by the Cloud Pak for Data control plane.

By default, no permissions are associated with this role.

However, some services contribute permissions to this role. The following table specifies which permissions are associated with this role and which services contribute each permission.

Permission               | Category    | Services that contribute the permission
Create deployment spaces | Deployments | DataStage, Watson Knowledge Catalog, Watson Studio
Create projects          | Projects    | DataStage, Watson Knowledge Catalog, Watson Studio
If you do not install any services that contribute permissions to this role, users who are assigned the User role can:
  • Sign in to Cloud Pak for Data
  • Access any services or assets that do not require explicit permissions

In addition, the users who own or manage assets and service instances can give these users access to those assets or service instances.

Roles assigned to the admin user

When you install Cloud Pak for Data, roles are automatically assigned to the default user (admin). Depending on the services that you install, the following roles are automatically assigned to the admin user:

Role                 | Services that assign the role
Business Analyst     | Watson Knowledge Catalog
Data Engineer        | DataStage, Watson Knowledge Catalog
Data Quality Analyst | Watson Knowledge Catalog
Data Scientist       | DataStage, Watson Knowledge Catalog, Watson Studio
Data Steward         | Watson Knowledge Catalog
Developer            | DataStage, Watson Knowledge Catalog, Watson Studio
Best practice: For a more secure environment, remove the default admin user. For details, see Disabling the default admin user.

Permissions

A permission describes the actions that a user can take.

The permissions are grouped into the following categories:

Catalogs
The category is created by DataStage, Watson Knowledge Catalog, or Watson Studio.

A catalog is a collaborative workspace for sharing assets across your organization.

By default, only the creator and collaborators can see and access a catalog. Each catalog has its own internal access controls. However, all users have access to the platform assets catalog.

The category includes the following permissions:

Access advanced governance
  Available only when Watson Knowledge Catalog is installed.

  This permission must be combined with other permissions: each advanced governance task listed below requires this permission together with the additional permissions named for that task.

  Actions:
  • Import metadata

    This task requires both the Access advanced governance permission and the Manage metadata permission.

  • Configure information asset lineage reports

    This task requires both the Access advanced governance permission and the Manage information assets permission.

  • Create custom information asset display profiles

    This task requires the Access advanced governance permission, the Manage information assets permission, and the Administer platform permission.

  • Define custom attributes for information assets

    This task requires the Access advanced governance permission, the Manage information assets permission, and the Administer platform permission.

Access advanced mapping
  Available only when Watson Knowledge Catalog is installed.

  Users with this permission can create mappings that track the flow of data outside of the catalog.

  Actions:
  • Create extension mappings
  • Import extension mappings
  • Import extended data sources

Access catalogs
  Users with this permission can be added as collaborators to catalogs. When a user is added as a collaborator, the user is assigned a role that determines their permissions on the catalog.

  Actions: none are explicitly associated with this permission.

Create catalogs
  Available only when Watson Knowledge Catalog is installed.

  Users with this permission can create catalogs. By default, the user who creates a catalog is the administrator for the catalog.

  Actions:
  • Create catalogs

Manage catalogs
  Users with this permission can create catalogs. By default, the user who creates a catalog is the administrator for the catalog.

  Users with this permission can also see a list of all catalogs on the Catalogs page in the Administration section in the navigation. By default, only collaborators can see their catalogs.

  Actions:
  • Create catalogs
  • View list of all catalogs
  • Reconfigure the default catalog

Manage information assets
  Available only when Watson Knowledge Catalog is installed.

  Users with this permission can create artifact relationships and view information about assets in the default catalog. Users have full access to the Information assets page.

  Actions:
  • Browse and view information assets
  • View data lineage reports
  • View business lineage reports
  • Add information assets
  • Edit information assets
  • Delete information assets
  • Manage lineage reports

View information assets
  Available only when Watson Knowledge Catalog is installed.

  Users with this permission can browse and view information assets, explore asset and artifact relationships, and see lineage reports from the Information assets page. Users have read-only access to the page.

  Actions:
  • Browse and view information assets
  • Explore asset and artifact relationships
  • View data lineage reports
  • View business lineage reports
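As an added example that is not IBM code, the following Python script computes a user's effective permissions from the predefined-role tables above (direct roles plus roles inherited from groups, as described under Predefined roles) and checks which advanced governance tasks the combination rule in the Access advanced governance row allows. The users, groups and the "Advanced Governance (custom)" role are constructed sample data.

```python
"""Effective-permission audit for Cloud Pak for Data platform roles.

Added example, not IBM code. ROLE_PERMISSIONS is transcribed from the
predefined-role tables on this page (Administrator, Data Steward, User);
TASK_REQUIREMENTS from the Access advanced governance row of the Catalogs
category. Users, groups and the custom role are constructed samples.
"""

ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "Administrator": frozenset({
        "Access governance artifacts", "Administer platform",
        "Create deployment spaces", "Create projects",
        "Create service instances", "Manage asset discovery",
        "Manage catalogs", "Manage data protection rules",
        "Manage data quality", "Manage governance categories",
        "Manage information assets", "Manage metadata",
        "Manage service instances", "Manage workflows",
    }),
    "Data Steward": frozenset({
        "Access catalogs", "Access data quality",
        "Access governance artifacts", "Create deployment spaces",
        "Create projects", "Manage asset discovery",
        "Manage data protection rules", "Manage information assets",
        "Manage metadata",
    }),
    # Contributed to User by DataStage, Watson Knowledge Catalog or Watson Studio.
    "User": frozenset({"Create deployment spaces", "Create projects"}),
    # Constructed custom role: no predefined-role table on this page lists
    # Access advanced governance, so it has to come from a custom role.
    "Advanced Governance (custom)": frozenset({"Access advanced governance"}),
}

# Task -> permissions that must all be held (Access advanced governance row).
TASK_REQUIREMENTS: dict[str, frozenset[str]] = {
    "Import metadata": frozenset({
        "Access advanced governance", "Manage metadata"}),
    "Configure information asset lineage reports": frozenset({
        "Access advanced governance", "Manage information assets"}),
    "Create custom information asset display profiles": frozenset({
        "Access advanced governance", "Manage information assets",
        "Administer platform"}),
    "Define custom attributes for information assets": frozenset({
        "Access advanced governance", "Manage information assets",
        "Administer platform"}),
}

# Constructed sample assignments: direct roles and roles inherited via groups.
DIRECT_ROLES = {"alice": {"Data Steward"}, "bob": {"User"}, "carol": {"Administrator"}}
GROUP_ROLES = {"governance-team": {"Advanced Governance (custom)"}}
MEMBERSHIPS = {"alice": {"governance-team"}, "carol": {"governance-team"}}


def effective_roles(user: str) -> set[str]:
    """Directly assigned roles plus every role inherited from a group."""
    roles = set(DIRECT_ROLES.get(user, ()))
    for group in MEMBERSHIPS.get(user, ()):
        roles |= GROUP_ROLES.get(group, set())
    return roles


def effective_permissions(roles: set[str]) -> set[str]:
    """Union of the permissions of all roles; an unknown role is an error."""
    perms: set[str] = set()
    for role in roles:
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role: {role!r}")
        perms |= ROLE_PERMISSIONS[role]
    return perms


def permitted_tasks(perms: set[str]) -> set[str]:
    """Advanced governance tasks whose full permission set is held."""
    return {task for task, need in TASK_REQUIREMENTS.items() if need <= perms}


def missing_for_task(perms: set[str], task: str) -> set[str]:
    """Permissions still required before the task is allowed."""
    return set(TASK_REQUIREMENTS[task] - perms)


if __name__ == "__main__":
    for name in DIRECT_ROLES:
        perms = effective_permissions(effective_roles(name))
        print(name, sorted(permitted_tasks(perms)))
```

Running the script shows that even the Administrator role alone permits none of the four tasks, because the tables on this page give Access advanced governance to no predefined role; the check reports exactly which permission is missing, which is the question a least-privilege review asks before a custom role is created.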
Data curation
The category is created by Watson Knowledge Catalog.

Data curation is the process of managing metadata, discovering assets, and analyzing data quality.

The category includes the following permissions:

Access data quality
  Users with this permission can be added as collaborators to data quality projects. When a user is added as a collaborator, the user is assigned a role that determines their permissions on the data quality project.

  Actions: none are explicitly associated with this permission.

Manage asset discovery
  Users with this permission can run discovery jobs to understand the quality and content of tables and files in data sources.

  Users with this permission can access the Data discovery page.

  Actions:
  • Run data asset discovery when creating or editing a connection
  • Create and run quick scan asset discovery jobs
  • Create and run automated asset discovery jobs
  • Rerun discovery jobs
  • Delete asset discovery jobs

Manage data quality
  Users with this permission can run data quality analysis and manage data quality rules.

  Users with this permission can access the Data quality page and the Automation rules page.

  Actions:
  • Create data quality rules
  • Edit data quality rules
  • Delete data quality rules
  • Create automation rules
  • Edit automation rules
  • Delete automation rules
  • Configure data quality analysis settings
  • Run data quality analysis

Manage metadata
  Requires the Access advanced governance permission.

  Users with this permission can enhance catalog assets by adding metadata, such as glossary terms and document requirements. Users with both permissions can access the Metadata import page.

  Actions:
  • Manage metadata repository
  • Manage metadata interchange servers
  • Configure metadata import settings
Deployments
The category is created by DataStage, Watson Knowledge Catalog, or Watson Studio.

A deployment space is a collaborative workspace for managing model deployments.

By default, only the creator and collaborators can see and access a deployment space. Each deployment space has its own internal access controls.

The category includes the following permissions:

Create deployment spaces
  Users with this permission can create deployment spaces. By default, the user who creates a deployment space is the administrator for the deployment space.

  Actions:
  • Create deployment spaces

Manage deployment spaces
  Users with this permission can see a list of all deployment spaces and view deployment activity for all spaces on the Deployments page. By default, only the creator and collaborators can see their deployment spaces.

  Users with this permission can join any deployment space as an administrator so that they can delete unused deployment spaces and ensure that active deployment spaces have at least one owner.

  Actions:
  • Create deployment spaces
  • View list of all deployment spaces
  • Join any deployment space as an Admin
  • View deployment activity across all spaces

Monitor deployment activities
  Users with this permission can see all active jobs and deployments across all spaces from the Activity tab on the Deployments page. By default, only collaborators can see a deployment space.

  Actions:
  • View list of all deployment spaces
  • View deployment activity across all spaces
Governance artifacts
The category is created by Watson Knowledge Catalog.

A governance artifact is an object used to govern the data that is in a catalog. Governance artifacts include business terms, rules, policies, data classes, reference data, and classifications.

A governance category is a collaborative workspace for organizing governance artifacts. By default, only the creator and collaborators can see and access a category. Each category has its own internal access controls.

The category includes the following permissions:

Access governance artifacts
  Users with this permission can be added as collaborators to governance categories. By default, users with this permission have view access to all categories. However, they can be added as a collaborator and assigned a role that gives them additional permissions and responsibilities to complete assigned tasks in workflows for the category.

  Actions: none are explicitly associated with this permission.

Manage data protection rules
  Users with this permission can create and manage data protection rules.

  Actions:
  • Create data protection rules
  • Edit data protection rules
  • Delete data protection rules

Manage governance categories
  Users with this permission can create top-level governance categories to organize catalog artifacts. By default, the user who creates a category is the owner of the category, and any users with the Manage governance categories or Access governance artifacts permission are viewers.

  Actions:
  • Create top-level categories

Manage glossary
  Users with this permission can import and export governance artifacts in a ZIP file, and create and manage custom attribute definitions. They can also create top-level governance categories to organize catalog artifacts. By default, the user who creates a category is the owner of the category, and any users with the Manage governance categories or Access governance artifacts permission are viewers.

  Actions:
  • Import and export governance artifacts in a ZIP file
  • Create and manage custom attribute definitions
  • Create top-level categories
Platform administration
The category is created by the Cloud Pak for Data control plane.

Permissions in this category enable an administrator to configure, customize, monitor, and manage the platform.

The category includes the following permissions:

Administer platform
  This permission offers the most comprehensive set of actions for managing and monitoring the platform.

  Users with this permission have elevated privileges and can grant or revoke all permissions, including other administrative permissions.

  Actions: see the actions listed under the permissions that follow in this category.

Manage configurations
  Users with this permission can customize the platform, integrate the platform with other applications, and enable connections to unsupported data sources.

  Users with this permission can access the Customizations page, the Configurations page, and the JDBC drivers tab on the Platform connections page.

  Some actions require specific services to be installed.

  Actions:
  • Configure connection to SMTP server
  • Configure integration with IBM Guardium appliances
  • Configure connections to Hadoop clusters
  • Customize branding
  • Enable and disable home page cards
  • Enable and disable default support links
  • Add and delete custom support links
  • Enable and disable guided tours
  • Import JDBC drivers

Manage platform health
  Users with this permission can monitor resource use, set quotas and alerts, manage workloads to maintain the health of the platform, and gather diagnostic data when problems occur.

  Users with this permission can access the Monitoring page and the Diagnostics page.

  Actions:
  • Monitor workloads and resource use
  • Stop any runtime environment
  • View pod status, details, and logs
  • Restart pods
  • View platform quotas and service quotas
  • View event history and alerts
  • Set and edit platform resource quotas
  • Set and edit individual service resource quotas
  • Create and run diagnostics jobs
  • Delete diagnostics jobs

Manage reporting
  Users with this permission can configure reporting for Watson Knowledge Catalog data, start the reporting, and edit the reporting configuration.

  Actions:
  • Set up reporting for Watson Knowledge Catalog data

View platform health
  Users with this permission can monitor resource use and workloads across the platform to gauge the health of the platform.

  Users with this permission have read-only access to the Monitoring page.

  Actions:
  • Monitor workloads and resource use
  • View pod status, details, and logs
  • View platform quotas and service quotas
  • View event history and alerts
Projects
The category is created by DataStage, Watson Knowledge Catalog, or Watson Studio.

A project is a collaborative workspace for working with data and other assets. By default, only the creator and collaborators can see and access a project. Each project has its own internal access controls.

The category includes the following permissions:

Create projects
  Users with this permission can create projects. By default, the user who creates a project is the administrator for the project.

  Actions:
  • Create projects

Manage projects
  Users with this permission can see all active runtimes on the Active runtimes page. By default, only the creator and collaborators can see their projects.

  Actions:
  • Create projects
  • View all active runtimes across all projects

Monitor project workloads
  Users with this permission can see all active runtimes for all projects from the Active runtimes page. By default, only project collaborators can see the runtimes that are associated with a project.

  Users with this permission can see all jobs for all projects from the Jobs page. By default, only project collaborators can see the jobs that are associated with a project.

  Actions:
  • View all active runtimes across all projects
  • See jobs across all projects
Service instances
The category is created by the Cloud Pak for Data control plane.

A service instance is a specific deployment of a service. Some services can be deployed more than once.

Some service instances have their own access controls.

The category includes the following permissions:

Create service instances
  Users with this permission can create service instances and storage volumes.

  The types of service instances depend on the services that are installed.

  Actions:
  • Create service instances

Manage service instances
  Users with this permission can manage access to any service instance or delete any service instance from the Instances page.

  Actions:
  • Create service instances
  • View all service instances
  • Add users to any service instance
  • Assign an instance role to instance users
  • Remove users from a service instance
  • Delete any service instance
User administration
The category is created by the Cloud Pak for Data control plane.

Permissions in this category enable an administrator to manage users, groups, and roles.

The permissions in this category apply to the platform. Service instances and workspaces such as projects, catalogs, and deployment spaces have their own access controls.

The category includes the following permissions:

Add vault
  Users with this permission can:
  • Add integrations to external vaults.
  • Add references to secrets in the external vaults to which they have access.

  Actions:
  • Add vault

Manage platform roles
  Users with this permission can modify platform roles or create custom roles. Roles determine the permissions that a user or user group has.

  Users with this permission can access the Roles tab on the Access control page.

  This permission does not apply to service instances or assets, such as projects, catalogs, and deployment spaces.

  Actions:
  • Create platform roles
  • Edit platform roles
  • Delete platform roles

Manage secrets and vaults
  Users with this permission can:
  • See a list of all of the external vaults that users are connected to (but not the details of the vaults).
  • See a list of the secrets in each vault (but not the details of the secrets).
  • Remove references to secrets from any vault.
  • Remove integrations to any external vault.
  • Remove secrets from the internal vault.

  Actions:
  • Manage secrets and vaults

Manage user groups
  Users with this permission can create and edit user groups. User groups make it easy to manage the roles (and permissions) of users with similar access requirements.

  Users with this permission can access the User groups tab on the Access control page.

  Actions:
  • Create user groups
  • Edit user groups
  • Delete user groups
  • Assign roles to user groups
  • Remove roles from user groups

Manage users
  Users with this permission can onboard users to the platform, edit user profiles, and assign platform roles to users.

  Users with this permission can access the Users tab on the Access control page.

  Actions:
  • Add users
  • Edit user profiles
  • Assign roles to users
  • Remove roles from users
  • Remove users

Share secrets
  Users with this permission can:
  • Share secrets that they own (but not secrets that are shared with them).
  • Remove access to secrets that they shared.

  Actions:
  • Share secrets
Vaults
The category is created when you enable the vaults interface.
Note: The permissions are not associated with any roles by default.

Secrets are sensitive data, such as credentials or API keys. A vault is a secure place to store and manage secrets.

Users can add secrets to the internal vault or connect to an external vault to use existing secrets. By default, only the user who added the secret can use the secret.

The category includes the following permissions:

Add vaults
  Users with this permission can connect to external vaults and add secrets from their connected vaults.

  Actions:
  • Add a connection to external vaults
  • Add secrets from their connected vaults

Manage vaults and secrets
  Users with this permission can see a list of all of the external vaults that users connected to and the list of secrets in each vault. However, users with this permission cannot see detailed information about the vaults or access the secrets in the vaults.

  Users with this permission can remove secrets from any vault and remove connections to any external vault.

  Actions:
  • View list of all connected vaults
  • View list of all secrets in each vault
  • Remove external vaults
  • Remove secrets added from an external vault
  • Delete secrets from the internal vault

Share secrets
  Users with this permission can give other users access to secrets that they add. Users with this permission cannot share secrets that are shared with them.

  Actions:
  • Share owned secrets
  • Revoke access to shared secrets
Workflows
The category is created by Watson Knowledge Catalog.

A workflow defines the sequence of steps that must be completed and the decisions that must be made to support a specific business process.

Users can use the predefined governance workflows from Watson Knowledge Catalog or create custom process definitions.

The category includes the following permissions:

Manage workflows
  Users with this permission can import custom process definitions and edit workflow configurations from the Workflow management page.

  Users with this permission can also monitor active workflow tasks to ensure that work is completed in a timely manner.

  Actions:
  • Create workflow types
  • Edit workflow types
  • Delete workflow types
  • Upload workflow templates
  • Create workflow configurations
  • Edit workflow configurations
  • Delete workflow configurations
  • Assign workflow tasks to users
  • Monitor the status of workflow tasks