Managing roles for users and groups in Watson Query

Watson Query has four user roles, which are specific to Watson Query. You can grant these roles to existing Cloud Pak for Data users or groups.

To learn more, review the following information.

Restriction:

To avoid double masking when you preview in Watson™ services other than Watson Query, access control in Watson Query is not applied when you preview, download, or refine a data asset (table or view) that comes from Watson Query. This happens only when data masking or row-level filtering applies to the preview in the other Watson services. Watson Query internal access controls, which are controlled by using Manage access in the Watson Query UI, do not apply in this circumstance.

The preview is subject to the data protection rules and catalog or project access control only.

Even though a user does not have access to query an object from Watson Query, they might be able to preview it in a catalog or project if they have access to the catalog or project that contains the data asset.

Tech preview: This is a technology preview and is not supported for use in production environments.

Watson Query roles

For a user or group to have access to the Watson Query service, you must assign them one of the Watson Query roles.

Important: When you revoke user access from Watson Query or Cloud Pak for Data, object-level authorizations remain for the username in Watson Query. If a user with that username is later granted access to Watson Query, the user inherits the object-level authorizations that previously were granted to that username. As a best practice, do not reuse usernames for different users in your organization.
Watson Query Admin
The user who provisions the Watson Query service is automatically assigned the Watson Query Admin role. After the service is provisioned, the Watson Query Admin can give other users or groups access to the service.

The Watson Query Admin is considered to be the manager of the Watson Query instance and assigns appropriate Watson Query roles to Cloud Pak for Data users or groups.

Watson Query Engineer
Configures the data sources, virtualizes data, and manages access to virtual objects. Users or groups with this role can create a virtual table or view and grant access to it to users or groups with any Watson Query role. By default, every virtual object that is created in Watson Query is private. This privacy means that in order for a virtual object to be accessed by a user or group other than its creator, access to the virtual object must be granted.

Data source administrators are expected to provide access to a user or group with a Watson Query Engineer role before that user or group can add a data source. Users or groups with this role service and fulfill data requests from Watson Query users.

Watson Query User

Watson Query users can request access to virtualized data or data in general by initiating a data request. Users with this role can create views of virtual tables to which they have access.

Watson Query Steward

Watson Query Stewards can access data in all user tables and views. Watson Query automatically grants Db2® SELECTIN authority to the Steward role on all schemas.

The following table summarizes the menu functions that each of the Watson Query user roles is able to access.

Watson Query features Admin Engineer User Steward
Provision Watson Query      
User management      
Data sources    
Virtualize    
Virtualized data
Configure connection
Service settings*
Run SQL
Required role: * To modify the service settings, you must have the Watson Query Admin role.

Permissions of Watson Query roles

The following table describes the permissions that are associated with each Watson Query role.
Roles Permissions
Watson Query Admin
  • Administer the service.
  • Administer the database.
  • Access data.
  • Manage data sources.
  • Manage users and assign Watson Query roles.
  • Create and share any schema.
  • Manage data caches.
  • Manage data queries.
Watson Query Engineer
  • Access connection information.
  • Manage data sources.
  • Create virtual tables and views.
  • Create and manage private schema.
Watson Query User
  • Access connection information.
  • Create virtual views over existing virtual tables and views.
  • Create and manage private schema.
Watson Query Steward
  • Access connection information.
  • Access data.
  • Create virtual views over existing virtual tables and views.
  • Create and manage private schema.
Important: To grant another user control on an object, including privileges to grant permissions to other users and to remove a virtual object, the target user or role must be granted the CONTROL privilege on that object as shown in the following example.
GRANT CONTROL on object to ROLE DV_ENGINEER
For more information about the CONTROL privilege, see the Db2 product documentation.
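
The notes above on lingering object-level authorizations and on the CONTROL privilege can be checked with a catalog query. The following SQL is an added example, not part of the original documentation. It assumes that the authorizations are visible in the Db2 catalog view SYSCAT.TABAUTH and that you run it with a role that can read the catalog. JSMITH, ADOE, and SALES.ORDERS_V are constructed placeholders.

```sql
-- Added example. Assumption: object-level authorizations are visible in
-- SYSCAT.TABAUTH. JSMITH and ADOE are constructed usernames that stand for
-- users whose Watson Query access was revoked.

-- 1. List the table, view, and nickname privileges that are still held
--    directly by those usernames. GRANTEETYPE 'U' restricts the result to
--    grants made to a user rather than to a group ('G') or role ('R').
WITH revoked_users (username) AS (
    VALUES ('JSMITH'), ('ADOE')
)
SELECT a.GRANTEE,
       a.TABSCHEMA,
       a.TABNAME,
       a.GRANTOR,
       a.CONTROLAUTH,   -- 'Y' if the username holds CONTROL on the object
       a.SELECTAUTH,    -- 'Y' = held, 'G' = held with GRANT option, 'N' = not held
       a.INSERTAUTH,
       a.UPDATEAUTH,
       a.DELETEAUTH
FROM SYSCAT.TABAUTH AS a
JOIN revoked_users AS r
  ON a.GRANTEE = r.username
WHERE a.GRANTEETYPE = 'U'
ORDER BY a.GRANTEE, a.TABSCHEMA, a.TABNAME;

-- 2. For each row that is returned, remove the grants before the username
--    can be assigned to anyone else. SALES.ORDERS_V is a placeholder object.
--    Run the CONTROL statement only where CONTROLAUTH = 'Y'. Revoking
--    CONTROL does not revoke the other privileges on the object, so revoke
--    those separately.
REVOKE CONTROL ON TABLE SALES.ORDERS_V FROM USER JSMITH;
REVOKE ALL PRIVILEGES ON TABLE SALES.ORDERS_V FROM USER JSMITH;
```

An empty result from the first statement means that the listed usernames hold no direct table-level grants. Privileges that a username receives through a group or role are not listed by this query.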

What to do next