Predefined roles and permissions in Cloud Pak for Data
The permissions and predefined roles that are available depend on the services that are installed on top of Cloud Pak for Data. When you add a user or group, you must specify the role that they have.
Jump to the appropriate section for more information:
Predefined roles
A role defines the permissions that a user or group has.
A user or group can have multiple roles. Additionally, a user can have roles that are directly assigned to them and roles that they inherit from groups.
You can edit the default roles or create new roles if the default set of permissions in a role doesn't align with your business needs. For more information, see Managing roles in Cloud Pak for Data.
The roles that are available depend on the services that are installed on top of Cloud Pak for Data:
- Administrator
- The role is created by the Cloud Pak for Data control plane.
The following table specifies which permissions are associated with this role and which services contribute each permission.
Permission Category Services that contribute the permission Access governance artifacts Governance artifacts IBM® Knowledge Catalog Add vaults Vaults Cloud Pak for Data control plane Administer platform Platform administration Cloud Pak for Data control plane Create deployment spaces Deployments - DataStage®
- IBM Knowledge Catalog
- Watson™ Studio
Create projects Projects - DataStage
- IBM Knowledge Catalog
- Watson Studio
Create service instances Service instances Cloud Pak for Data control plane Drill down to issue details Data curation IBM Knowledge Catalog Manage asset discovery Data curation IBM Knowledge Catalog Manage catalogs Catalogs - DataStage
- IBM Knowledge Catalog
- Watson Studio
Manage configurations Platform administration Cloud Pak for Data control plane Manage data protection rules Governance artifacts IBM Knowledge Catalog Manage data quality assets Data curation IBM Knowledge Catalog (if the data quality feature is enabled) Manage data quality SLA rules Data curation IBM Knowledge Catalog Manage governance categories Governance artifacts IBM Knowledge Catalog Manage platform health Platform administration Cloud Pak for Data control plane Manage platform roles User administration Cloud Pak for Data control plane Manage service instances Service instances Cloud Pak for Data control plane Manage user groups User administration Cloud Pak for Data control plane Manage users User administration Cloud Pak for Data control plane Manage workflows Workflows IBM Knowledge Catalog Measure data quality Data curation IBM Knowledge Catalog (if the data quality feature is enabled) - Business Analyst
- The role is created by DataStage,
IBM Knowledge Catalog, or Watson Studio.
The following table specifies which permissions are associated with this role and which services contribute each permission.
Permission Category Services that contribute the permission Access catalogs Catalogs IBM Knowledge Catalog Create deployment spaces Deployments IBM Knowledge Catalog Create projects Projects - DataStage
- IBM Knowledge Catalog
- Watson Studio
- Data Engineer
- The role is created by DataStage,
IBM Knowledge Catalog, or Watson Studio.
The following table specifies which permissions are associated with this role and which services contribute each permission.
Permission Category Services that contribute the permission Access catalogs Catalogs IBM Knowledge Catalog Access governance artifacts Governance artifacts IBM Knowledge Catalog Create deployment spaces Deployments IBM Knowledge Catalog Create projects Projects - DataStage
- IBM Knowledge Catalog
- Watson Studio
Create service instances Service instances Cloud Pak for Data control plane Manage asset discovery Data curation IBM Knowledge Catalog Manage data protection rules Governance artifacts IBM Knowledge Catalog - Data Quality Analyst
- The role is created by DataStage,
IBM Knowledge Catalog, or Watson Studio.
The following table specifies which permissions are associated with this role and which services contribute each permission.
Permission Category Services that contribute the permission Access catalogs Catalogs IBM Knowledge Catalog Access governance artifacts Governance artifacts IBM Knowledge Catalog Create deployment spaces Deployments IBM Knowledge Catalog Create projects Projects - DataStage
- IBM Knowledge Catalog
- Watson Studio
Drill down to issue details Data curation IBM Knowledge Catalog Manage asset discovery Data curation IBM Knowledge Catalog Manage data protection rules Governance artifacts IBM Knowledge Catalog Manage data quality assets Data curation IBM Knowledge Catalog (if the data quality feature is enabled) Manage data quality SLA rules Data curation IBM Knowledge Catalog Measure data quality Data curation IBM Knowledge Catalog (if the data quality feature is enabled) - Data Scientist
- The role is created by DataStage,
IBM Knowledge Catalog, or Watson Studio.
The following table specifies which permissions are associated with this role and which services contribute each permission.
Permission Category Services that contribute the permission Access catalogs Catalogs - DataStage
- IBM Knowledge Catalog
- Watson Studio
Access governance artifacts Governance artifacts IBM Knowledge Catalog Create deployment spaces Deployments - DataStage
- IBM Knowledge Catalog
- Watson Studio
Create projects Projects - DataStage
- IBM Knowledge Catalog
- Watson Studio
- Data Steward
- The role is created by DataStage,
IBM Knowledge Catalog, or Watson Studio.
The following table specifies which permissions are associated with this role and which services contribute each permission.
Permission Category Services that contribute the permission Access catalogs Catalogs IBM Knowledge Catalog Access governance artifacts Governance artifacts IBM Knowledge Catalog Create deployment spaces Deployments IBM Knowledge Catalog Create projects Projects - DataStage
- IBM Knowledge Catalog
- Watson Studio
Manage asset discovery Data curation IBM Knowledge Catalog Manage data protection rules Governance artifacts IBM Knowledge Catalog - Developer
- The role is created by DataStage,
IBM Knowledge Catalog, or Watson Studio.
The following table specifies which permissions are associated with this role and which services contribute each permission.
Permission Category Services that contribute the permission Access catalogs Catalogs - DataStage
- IBM Knowledge Catalog
- Watson Studio
Create deployment spaces Deployments - DataStage
- IBM Knowledge Catalog
- Watson Studio
Create projects Projects - DataStage
- IBM Knowledge Catalog
- Watson Studio
Create service instances Service instances Cloud Pak for Data control plane, but pulled in by: - DataStage
- IBM Knowledge Catalog
- Watson Studio
- Reporting administrator
- The role is created by IBM Knowledge Catalog
- User
- The role is created by the Cloud Pak for Data control plane.
By default, no permissions are associated with this role.
However, some services contribute permissions to this role. The following table specifies which permissions are associated with this role and which services contribute each permission.
Permission Category Services that contribute the permission Create deployment spaces Deployments - DataStage
- IBM Knowledge Catalog
- Watson Studio
Create projects Projects - DataStage
- IBM Knowledge Catalog
- Watson Studio
If you do not install any services that contribute permissions to this role, users who are assigned the User role can:- Sign in to Cloud Pak for Data
- Access any services or assets that do not require explicit permissions
In addition, the users who own or manage assets and services instances can give these users access to the assets or service instances.
Roles assigned to the default platform administrator
- If you do not integrate the instance with the Identity Management Service, the administrator is called
admin
. - If you integrate the instance with eh Identity Management Service, the administrator is either called
admin
orcpadmin
.For more information on the name of the default administrative user, see Changing the cpadmin user to admin.
Role | Services that assign the role |
---|---|
Business Analyst | IBM Knowledge Catalog |
Data Engineer |
|
Data Quality Analyst | IBM Knowledge Catalog |
Data Scientist |
|
Data Steward | IBM Knowledge Catalog |
Developer |
|
Permissions
A permission describes the actions that a user can take.
The permissions are grouped into the following categories:
- Catalogs
- The category is created by DataStage,
IBM Knowledge Catalog, or Watson Studio.
A catalog is a collaborative workspace for sharing assets across your organization.
By default, only the creator and collaborators can see and access a catalog. Each catalog has its own internal access controls. However, all users have access to the Platform assets catalog.
The category includes the following permissions:
Permission Description Actions Access catalogs Users with this permission can be added as collaborators to catalogs. When a user is added as a collaborator, the user is assigned a role that determines their permissions on the catalog. There are no explicit actions associated with this permission. Manage catalogs Users with this permission can create catalogs. By default, the user who creates a catalog is the administrator for the catalog. Users with this permission can see a list of all catalogs on the Catalog management page. Users with this permission can delete a catalog if they have the Admin role in the catalog.
- Create catalogs
- View list of all catalogs on the Catalog management page
- Dashboards
- The category is created by Cognos® Dashboards.
A dashboard is an asset that you can use to build interactive visualizations of your data.
By default, users don't have permissions to create or view dashboards. You must assign these permissions to users.
The category includes the following permissions:
Permission Description Actions Create dashboards Users with this permission can create and view dashboards if they have the Admin role or Editor role on a project. However, if users have the Viewer role on a project, they can only view dashboards. Important: Your Cloud Pak for Data license limits the number of users who can create dashboards. If you exceed this limit, you must purchase a Cognos license. For details, see Licenses and entitlements and Tracking usage of Cognos Dashboards licenses.- Create, edit, and delete dashboards in projects
- View dashboards in projects
View dashboards Users with this permission can view dashboards in any projects that they are a member of. Important: Your Cloud Pak for Data license limits the number of users who can view dashboards. If you exceed this limit, you must purchase a Cognos license. For details, see Licenses and entitlements and Tracking usage of Cognos Dashboards licenses.- View dashboards in projects
- Data curation
- The category is created by IBM Knowledge Catalog.
Data curation is the process of managing metadata, discovering assets, and analyzing data quality.
The category includes the following permissions:
Permission Description Actions Drill down to issue details Users with this permission can drill down to view the data rows that cause data quality issues - View the data rows that cause data quality issues
Manage asset discovery Users with this permission create and run metadata imports to add technical or lineage metadata from several data sources to projects and catalogs. - Create and edit metadata imports
- Run metadata imports
- Delete metadata imports
Manage data quality assets Users with this permission can create and manage data quality definitions and rules. This permission is available only if the data quality feature is enabled. For more information, see Determining the optional features to enable.
- Create data quality definitions and rules in projects
- Edit data quality definitions and rules in projects
- Delete data quality definitions and rules in projects
Manage data quality SLA rules Users with this permission can create and manage data quality SLA rules. This permission must be combined with the Access governance artifacts permission. - Create data quality SLA rules
- Edit data quality SLA rules
- Delete data quality SLA rules
Measure data quality Users with this permission can run data quality rules. This permission is available only if the data quality feature is enabled. For more information, see Determining the optional features to enable.
- Run data quality rules
- Deployments
- The category is created by DataStage,
IBM Knowledge Catalog, or Watson Studio.
A deployment space is a collaborative workspace for managing model deployments.
By default, only the creator and collaborators can see and access a deployment space. Each deployment space has its own internal access controls.
The category includes the following permissions:
Permission Description Actions Create deployment spaces Users with this permission can create deployment spaces. By default, the user who creates a deployment space is the administrator for the deployment space. - Create deployment spaces
Manage deployment spaces Users with this permission can see a list of all deployment spaces and view deployment activity for all spaces on the Deployments page. By default, only the creator and collaborators can see their deployment spaces. Users with this permission can join any deployment space as an administrator so that they can delete unused deployment spaces and ensure that active deployment spaces have at least one owner.
- Create deployment spaces
- View list of all deployment spaces
- Join any deployment space as an Admin
- View deployment activity across all spaces
Monitor deployment activities Users with this permission can see all active jobs and deployments across all spaces from the Activity tab on the Deployments page. By default, only collaborators can see a deployment space. - View list of all deployment spaces
- View deployment activity across all spaces
- Governance artifacts
- The category is created by IBM Knowledge Catalog.
A governance artifact is an object used to govern the data that is in a catalog. Governance artifacts include business terms, rules, policies, data classes, reference data, and classifications.
A governance category is a collaborative workspace for organizing governance artifacts. By default, only the creator and collaborators can see and access a category. Each category has its own internal access controls.
The category includes the following permissions:
Permission Description Actions Access governance artifacts Users with this permission can be added as collaborators to governance categories. By default, users with this permission have view access to all categories. However, they can be added as a collaborator and assigned a role that gives them additional permissions and responsibilities to complete assigned tasks in workflows for the category. There are no explicit actions associated with this permission. Administer governance artifacts Users with this permission can view and edit all governance artifacts in all categories, regardless of whether the users are collaborators in those categories. They can also edit categories, including changing collaborators and category permissions, and perform any actions on governance artifacts, including categories, using API calls. This permission is not granted with any predefined role.
- View and edit all governance artifacts in all categories
- Edit all categories, including collaborators and category permissions
- Run all API calls for governance artifacts
Manage data protection rules Users with this permission can create and manage data protection rules. - Create data protection rules
- Edit data protections rules
- Delete data protection rules
Manage glossary Users with this permission can import and export governance artifacts in a ZIP file, and create and manage custom attribute definitions. They can also create top-level governance categories to organize catalog artifacts. By default, the user who creates a category is the owner of the category and any users with the Manage governance categories or Access governance artifacts permission are viewers. - Import and export governance artifacts in a ZIP file
- Create and manage custom attribute definitions
- Create top-level categories
Manage governance categories Users with this permission can create top-level governance categories to organize catalog artifacts. By default, the user who creates a category is the owner of the category and any users with the Manage governance categories or Access governance artifacts permission are viewers. - Create top-level categories
- Platform administration
- The category is created by the Cloud Pak for Data control plane.
Permissions in this category enable an administrator to configure, customize, monitor, and manage the platform.
The category includes the following permissions:
Permission Description Actions Administer platform This permission offers the most comprehensive set of actions for managing and monitoring the platform. Users with this permission have elevated privileges and can grant or revoke all permissions, including other administrative permissions.
See the actions listed in the following permissions: Evaluate policy decision Permission required for an integration user to be allowed to evaluate data access requests on behalf of registered platform users. - For an integration user, to evaluate data access requests on behalf of registered platform users.
An integration user is, for example, the user that IBM Security Guardium® Data Protection uses to connect to IBM Knowledge Catalog.
Manage configurations Users with this permission can customize the platform, integrate the platform with other applications, and enable connections to unsupported data sources. Users with this permission can access the Customizations page, the Configurations page, and the JDBC drivers tab on the Platform connections page.
Some actions require specific services to be installed.
- Configure connection to SMTP server
- Configure integration with IBM Guardium appliances
- Configure connections to Hadoop clusters
- Customize branding
- Enable and disable home page cards
- Enable and disable default support links
- Add and delete custom support links
- Enable and disable guided tours
- Import JDBC drivers
Manage platform health Users with this permission can monitor resource use, set quotas and alerts, manage workloads to maintain the health of the platform, and gather diagnostic data when problems occur. Users with this permission can access the Monitoring page and the Diagnostics page.
- Monitor workloads and resource use
- Stop any runtime environment
- View pod status, details, and logs
- Restart pods
- View platform quotas and service quotas
- View event history and alerts
- Set and edit platform resource quotas
- Set and edit individual service resource quotas
- Create and run diagnostics jobs
- Delete diagnostics jobs
Manage reporting Users with this permission can configure the reporting for IBM Knowledge Catalog data, start the reporting and edit it. Note: Users with this permission can send all metadata from any project, catalog, or category to an external database regardless of membership or access permissions in existing projects, catalogs, and categories. Assign this privileged role with caution.- Set up reporting for IBM Knowledge Catalog data
View platform health Users with this permission can monitor resource use and workloads across the platform to gauge the health of the platform. Users with this permission have read-only access to the Monitoring page.
- Monitor workloads and resource use
- View pod status, details, and logs
- View platform quotas and service quotas
- View event history and alerts
- Projects
- The category is created by DataStage,
IBM Knowledge Catalog or Watson Studio.
A project is a collaborative workspace for working with data and other assets. By default, only the creator and collaborators can see and access a project. Each project has its own internal access controls.
The category includes the following permissions:
Permission Description Actions Create projects Users with this permission can create projects. By default, the user who creates a project is the administrator for the project. - Create projects
Manage projects Users with this permission can see a list of all projects and all active runtimes on the All projects page and the Active runtimes page, respectively. By default, only the creator and collaborators can see their projects. Users with this permission can join any project as an administrator so that they can delete unused projects and ensure that active projects have at least one owner.
- Create projects
- View list of all projects
- Join any project as an Admin
- View all active runtimes across all projects
Monitor project workloads Users with this permission can see all active runtimes for all projects from the Active runtimes page. By default, only project collaborators can see the runtimes that are associated with a project. Users with this permission can see all jobs for all projects from the Jobs page. By default, only project collaborators can see the jobs that are associated with a project.
- View all active runtimes across all projects
- See jobs across all projects
- Service instances
- The category is created by the Cloud Pak for Data control plane.
A service instance is a specific deployment of a service. Some services can be deployed more than once.
Some service instances have their own access controls.
The category includes the following permissions:
Permission Description Actions Create service instances Users with this permission can create service instances and storage volumes. The types of service instances depend on the services that are installed.
- Create service instances
Manage service instances Users with this permission can manage access to any service instance or delete any service instance from the Instances page. - Create service instances
- View all service instances
- Add users to any service instance
- Assign an instance role to instance users
- Remove users from a service instance
- Delete any service instance
- User administration
- The category is created by the Cloud Pak for Data control plane.
Permissions in this category enable an administrator to manage users, groups, and roles.
The permissions in this category apply to the platform. Service instances and workspaces such as projects, catalogs, and deployment spaces have their own access controls.
The category includes the following permissions:
Permission Description Actions Manage platform roles Users with this permission can modify platform roles or create custom roles. Roles determine the permissions that a user or user group has. Users with this permission can access the Roles tab on the Access control page.
This permission does not apply to service instances or assets, such as projects, catalogs, and deployment spaces.
- Create platform roles
- Edit platform roles
- Delete platform roles
Manage user groups Users with this permission can create and edit user groups. User groups make it easy to manage the roles (and permissions) of users with similar access requirements. Users with this permission can access the User groups tab on the Access control page.
- Create user groups
- Edit user groups
- Delete user groups
- Assign roles to user groups
- Remove roles from user groups
Manage users Users with this permission can onboard users to the platform, edit user profiles, and assign platform roles to users. Users with this permission can access the Users tab on the Access control page.
- Add users
- Edit user profiles
- Assign roles to users
- Remove roles from users
- Remove users
- Vaults
-
Secrets contain sensitive data, such as credentials or API keys. A vault is a secure place to store and manage secrets.
Users can add secrets to the internal vault or connect to an external vault to use existing secrets. By default, only the user who added the secret can use the secret.
The category includes the following permissions:
Permission Description Actions Add vaults Users with this permission can connect to external vaults and add secrets from their connected vaults. - Add a connection to external vaults
- Add secrets from their connected vaults
Manage vaults and secrets Users with this permission can see a list of all of the external vaults that users connected to and the list of secrets in each vault. However, users with this permission cannot see detailed information about the vaults or access the secrets in the vaults. Users with this permission can remove secrets from any vault and remove connections to any external vault.
- View list of all connected vaults
- View list of all secrets in each vault
- Remove external vaults
- Remove secrets added from an external vault
- Delete secrets from the internal vault
Share secrets Users with this permission can give other users access to secrets that they add. Users with this permission cannot share secrets that are shared with them. - Share owned secrets
- Revoke access to shared secrets
- Workflows
- The category is created by IBM Knowledge Catalog.
A workflow defines the sequence of steps that must be completed and the decisions that must be made to support a specific business process.
Users can use the predefined governance workflows from IBM Knowledge Catalog or create custom process definitions.
The category includes the following permissions:
Permission Description Actions Manage workflows Users with this permission can import custom process definitions and edit workflow configurations from the Workflow management page. Users with this permission can also monitor active workflow tasks to ensure that work is completed in a timely manner.
- Create workflow types
- Edit workflow types
- Delete workflow types
- Upload workflow templates
- Create workflow configurations
- Edit workflow configurations
- Delete workflow configurations
- Assign workflow tasks to users
- Monitor the status of workflow tasks