Managing Cloud Pak for Data users

As an administrator, you are responsible for determining and implementing the best approach for authenticating and managing IBM Cloud Pak for Data users.

Best practices

Cloud Pak for Data user records are stored in an internal repository database. However, it is strongly recommended that you use an enterprise-grade password management solution, such as SAML SSO or an LDAP provider for password management.

You can use SAML SSO and LDAP together or individually.

If you plan to use SAML for single sign-on (SSO), it is strongly recommended that you complete the steps in Configuring single sign-on before you add users.

If you add users before you configure SSO, you will need to re-add the users with their SAML ID to enable them to use SSO.

You can use an enterprise-grade LDAP provider for password management.

For details, see Connecting to your identity provider.

Ensure that you grant Cloud Pak for Data administrator privileges to a user in your LDAP server.

After you grant an LDAP user administrator privileges, you can further secure your Cloud Pak for Data system by disabling the default administrator user account. For details, see Disabling the default platform administrator.

If you want to use both SAML SSO and LDAP, you must ensure that both configurations use the same attribute to identify users:
  • SAML SSO configuration: fieldToAuthenticate
  • LDAP: User search field

User management

A Cloud Pak for Data administrator can manage the permissions that users and groups have on the platform. However, users and groups might have additional permissions in services, catalogs, and projects. For example, a user could be a project administrator and be an editor on the Platform connections catalog.

A user or group can have multiple roles. Additionally, a user can have roles that are directly assigned to them and roles that they inherit from groups.

If a user has multiple roles, the user has all of the permissions from all of the roles that are assigned to them.

Tip: You can see all of the roles (and permissions) that a user has from the user's profile page, which you can access from the Access control > Users page.

For a summary of all the permissions that a user has, click View assigned permissions.


If you update a user's role or their group membership and the user is logged in, the user must log out and log back in for the changes to take effect. If the user does not log out, their session will be refreshed after the TOKEN_EXPIRY_TIME is reached. For details, see Setting the idle session timeout.

Before you add users to the platform, consider the following questions:
  • Are you using theIBM Cloud Pak foundational services Identity Management Service to manage users?
  • If you are not using the Identity Management Service:
    • Do you want to use an LDAP server to manage users' passwords?
    • Do you want to use an LDAP server to manage access to the platform?
    Deprecation notice: The LDAP integration provided by Cloud Pak for Data is deprecated and will be removed in a future release. If you want to use an LDAP server to manage users, you should Integrate with the Identity Management Service
  • Do you want to use user groups to manage users with similar access requirements?
  • Do you want to be able to add all of the users in an LDAP group to a user group?
  • Do the default roles meet my business requirements?

Jump to the appropriate topic for more information: