User Roles

IBM Digital Asset Haven provides different user roles depending on the deployment model. The SaaS deployment includes subscription-level and instance-level roles. The hybrid deployment includes system-level administrative roles.

IBM Digital Asset Haven for SaaS

The roles described in this topic are the default user roles provided with IBM Digital Asset Haven. These roles represent common administrative and operational responsibilities across subscription-level and instance-level scopes. You can define additional custom roles or tailor role assignments for your instance to meet organizational security, compliance, and operational requirements.
IBM Digital Asset Haven for SaaS supports two primary categories of user roles:
Subscription owner
The subscription owner has access to the SaaS console and can perform platform-level tasks. These tasks include:
  • Provisioning and deprovisioning new service instances
  • Managing billing and subscription details
  • Granting custom user access to the SaaS console account, subscription, and associated service instances
Instance-level roles
Each service instance supports the following roles:
Administrator:
  • Has complete administrative control over the instance
  • Can configure settings and manage all users
  • Can attach and manage policies
  • Can create custom roles
The default role name for the Administrator role is ManagedFullAdminAccess, as displayed in the Permissions view. This role provides full administrative access for managing instance configuration, security settings, and system integrations.
Default end user:
  • Has access to the instance features as permitted by policies
  • Cannot perform administrative configuration tasks
The default role name for the default end user role is ManagedDefaultEndUserAccess, as displayed in the Permissions view. This role provides standard access for users to perform day-to-day operational tasks within an instance, based on the permissions assigned.
Note: For further information about granting access to subscriptions and service instances, refer to Getting started with the IBM SaaS Console with accounts in IBM SaaS Console.

IBM Digital Asset Haven for Hybrid

The hybrid deployment includes the following role:
System administrator
The system administrator is responsible for:
  • Configuring IBM Offline Signing Orchestrator
  • Installing and configuring the IBM Digital Asset Haven plug-in
This role configures cryptographic services used by IBM Digital Asset Haven, including integration with IBM Hyper Protect Offline Signing Orchestrator (OSO). When HSM Signer is deployed as a standalone component, this role is responsible for installing, configuring, and maintaining the HSM Signer environment. Standalone HSM Signer deployment and configuration are separate from OSO integration and require independent planning and execution.