Roles and permissions for Data Product Exchange
Review the roles and permissions that users need for working with data products on Data Product Exchange.
IAM and collaborator roles
Users of the Data Product Exchange require two types of roles:
- Roles assigned in IBM Cloud, which are called IAM roles
- Roles assigned in Data Product Exchange, which are called collaborator roles
As the IBM Cloud account owner or administrator, you assign IAM roles to individual users or to access groups on IBM Cloud on the Manage users and access feature.
IAM roles are for either Platform or Service level permissions. Any of the IAM Platform roles of Viewer, Editor, Operator, and Administrator can be assigned to work in Data Product Exchange. However, the minimum IAM Platform role for working in Data Product Exchange is Viewer.
The IAM Service level role Manager applies to the Data Product Exchange IAM Service. It is assigned to the person who initializes the Data Product Exchange by logging in for the first time.
Collaborator role assignment
Data Product Exchange requires that all users to have a collaborator role. Collaborator roles are assigned in Data Product Exchange by the Administrator on the Manage community page.
Collaborators have one of these roles that provide permissions:
- Viewer: Data product consumers who discover and order data products.
- Editor: Data product producers who author, publish, and manage data products. Editor role includes permissions for Viewer.
- Admin: Administrators who add users and assign roles and other configuration tasks. Admin role includes permissions for Viewer and Editor.
The following table shows the actions that you can complete depending on your collaborator role.
+ indicates that users need to be owners of an order or data product to perform the action.
| Action | Viewer | Editor | Admin |
|---|---|---|---|
| Log in to Data Product Exchange | ✓ | ✓ | ✓ |
| View Data Product Exchange dashboard | ✓ | ✓ | ✓ |
| Search for published data products | ✓ | ✓ | ✓ |
| Order a data product | ✓ | ✓ | ✓ |
| View orders | ✓+ | ✓+ | ✓+ |
| Create data product drafts | ✓ | ✓ | |
| Publish, edit, and delete data products | ✓+ | ✓+ | |
| Manage data products from My work page | ✓+ | ✓+ | |
| Create connections to data sources | ✓ | ✓ | |
| Add or delete users or groups | ✓ | ||
| Assign and modify roles | ✓ |
IAM Manager role for the Data Product Exchange service
The IAM Service level role Manager applies to the Data Product Exchange IAM Service. The Service level Manager role is reserved for the user who is going to be the first to log in to Data Product Exchange. The first login initializes the Data Product Exchange. Either the account administrator or the Manager can initialize the Data Product Exchange by logging in.
| Action | Service name | Role |
|---|---|---|
| Initialize Data Product Exchange | Data Product Exchange | Manager |
IAM Platform role assignment
| Action | Service name | IAM Platform role | IAM Service access roles |
|---|---|---|---|
| Set up Cloud Object Storage | IBM Cloud Object Storage | Administrator | Manager |
| Add users and assign roles in the IBM Cloud account | All Identity and Access enabled services | Administrator | Manager |
| All Account Management services | Editor | Service level roles are not applicable. |
Learn more
- IBM Cloud docs: IAM access
- IBM Cloud docs: What is IBM Cloud Identity and Access Management
- IBM Cloud docs: Setting up access groups
- Manage community
Parent topic: Overview for setting up IBM Data Product Exchange