System groups

Most of the user roles shown in the Access Management pages correspond to system groups in the cloud platform user registry. When you assign a role to a user, they are automatically added to the corresponding group in the user registry.

Note: To manage membership of system groups, use either the Access management > Users view or the Group Management REST API. You cannot use the Access management > Groups view for system group management.

The following tables list the user roles for each capability and how they map to the corresponding system groups in the cloud platform user registry. If roles map to non-system groups, the tables include information about how to manage membership of these groups.

Cloud platform groups

Table 1. Cloud platform groups

Role: Account Admin
User group: Administrators
Description: Members of this group can manage user and service accounts, manage groups, and create usage reports.

Role: Operator
User group: Operators
Description: Members of this group can manage cloud environments through the System Operations page.
  Note: This does not apply to IBM® Operational Decision Manager on Cloud.

Role: Developer
User group: Developers
Description: Members of this group have access to the development environment. To create process apps, members must also have the Process App Creators role.

Role: Tester
User group: Testers
Description: Members of this group have access to the test environment.

Role: Runtime User
User group: Participants
Description: Members of this group have access to the production environment.

Global groups

Table 2. Global groups

Role: Salesforce Users
User group: ecmoc_salesforce_users
User registry group: Yes
Description: Members of this group use the IBM Salesforce Connector App to store Salesforce attachments as documents in the Content Services repository.

Business automations groups

Table 3. Business automations groups

Role: Studio Authors
User group: bas_env_authors
  Where env is the dev, test, or run environment.
User registry group: Yes
Description: Members of this group have non-administrative access to the repository.

Role: Studio Administrators
User group: bas_env_administrators
  Where env is the dev, test, or run environment.
User registry group: Yes
Description: Members of this group have administrative access to the repository, for example, they can manage user and group permissions for accessing the repository.

Role: Workflow Authors
User group: baw_env_authors
  Where env is the dev, test, or run environment.
User registry group: Yes
Description: Members of this group have access to Workflow Designer in Studio, Workflow Process APIs, and the REST API tester.

Role: Workflow Administrators
User group: baw_env_administrators
  Where env is the dev, test, or run environment.
User registry group: Yes
Description: Members of this group have access to the Process Admin Console, the Case administration client, Workflow Process APIs, Workflow Operations APIs, and the REST API tester.

Role: Workplace Administrators
User group: iaws_run_administrators
User registry group: Yes
Description: Members of this group assign administrator and supervisor roles to people within the organization.

Content groups

Table 4. Content groups

Role: Content Platform Engine Class Designer
User group:
  • ECMoC_Client_ACCE_Class_Designer
    The user group for the production environment.
  • ECMoC_Client_ACCE_Class_Designer_env
    The user groups for the development and test environments; where env is Dev or Test.
User registry group: Yes
Description: Members of this group can create and update data models for an application or applications. They can also create classes used by multiple applications. For more information about this role, see Designer group access in the FileNet® P8 Platform documentation.

Role: Content Platform Engine Application Designer
User group:
  • ECMoC_Client_ACCE_Application_Designer
    The user group for the production environment.
  • ECMoC_Client_ACCE_Application_Designer_env
    The user groups for the development and test environments; where env is Dev or Test.
User registry group: Yes
Description: In addition to Class Designer privileges, members of this group can create properties that affect a wider set of components. They are also responsible for the components that are needed to create a Content Platform Engine application. For more information about this role, see Designer group access in the FileNet P8 Platform documentation.

Role: Content Platform Engine Administrator
User group:
  • ECMoC_Client_CPE_Administrator
    The user group for the production environment.
  • ECMoC_Client_CPE_Administrator_env
    The user groups for the development and test environments; where env is Dev or Test.
User registry group: Yes
Description: In addition to Application Designer privileges, members of this group can administer the object store provisioned for the cloud subscription. They also have access to the Content Platform Engine Administration Tools.

Role: Content Platform Engine User
User group:
  • ECMoC_Client_CPE_User
    The user group for the production environment.
  • ECMoC_Client_CPE_Userenv
    The user groups for the development and test environments; where env is Dev or Test.
User registry group: Yes
Description: Members of this group can use the object store in the production environment, for example, to create, modify, and delete objects.

Role: Enterprise Records Administrator
User group:
  • ECMoC_Client_IER_RecordsAdministrator
    The user group for the production environment.
  • ECMoC_Client_IER_RecordsAdministrator_env
    The user groups for the development and test environments; where env is Dev or Test.
User registry group: Yes
Description: Members of this group have the following privileges:
  • Assign permissions to different users and groups.
  • Define and modify security markings. Configure auditing.
  • Delete file plans, categories, and records. Import and export records.
  • Back up and restore file plan and records.
  • Perform tasks assigned to any of the other IBM Enterprise Records roles.

Role: Enterprise Records Manager
User group:
  • ECMoC_Client_IER_RecordsManager
    The user group for the production environment.
  • ECMoC_Client_IER_RecordsManager_env
    The user groups for the development and test environments; where env is Dev or Test.
User registry group: Yes
Description: Members of this group have the following privileges:
  • Create and modify file plans and levels of hierarchy, such as record categories, folders, and volumes.
  • Create other associated objects, such as naming patterns, record types, actions, phases, and holds.
  • Define and maintain disposition schedules to control the retention and destruction of entities.
  • Associate disposal schedules to record categories, record folders, and record types.
  • Perform records management activities, such as relocating categories and folders, setting vital records, and activating records.
  • Perform tasks assigned to any of the other IBM Enterprise Records roles.

Role: Enterprise Records Privileged User
User group:
  • ECMoC_Client_IER_RecordsPrivilegedUser
    The user group for the production environment.
  • ECMoC_Client_IER_RecordsPrivilegedUser_env
    The user groups for the development and test environments; where env is Dev or Test.
User registry group: Yes
Description: Members of this group have the following privileges:
  • Review entities that are due for disposition.
  • Perform basic record-related operations, such as file and copy record.
  • Search and display records, folders, and categories.
  • Declare records.

Role: Enterprise Records User
User group:
  • ECMoC_Client_IER_RecordsUser
    The user group for the production environment.
  • ECMoC_Client_IER_RecordsUser_env
    The user groups for the development and test environments; where env is Dev or Test.
User registry group: Yes
Description: Members of this group have the following privileges:
  • File records.
  • Search and display records, folders, and categories.
  • Declare records.

Decisions groups

Table 5. Decisions groups

Role: Decision Center administrator
User group: odm_dev_dc_administrators
User registry group: Yes
Description:
  • Work with the Decision Center Business console.
  • Implement security on decision services.
  • Create groups, set the permissions, add users to the groups, and set the groups on decision services.
  • Can create deployment configurations in the Business console for any cloud environment.
  • Can deploy decision services from any cloud environment.
  • Can hold Decision Center Developer and Operator roles in the case of, for example, a small team.

Role: Decision Center operator
User group: odm_dev_dc_operators
User registry group: Yes
Description:
  • Work mainly with the Decision Center Business console.
  • Can create deployment configurations in the Business console for any cloud environment.
  • Orchestrate the lifecycle of a decision service, and be responsible for the deployment of a decision service release to production.
  • Follow a staged progression from development to production.
  • Create development branches or releases.
  • Define change and validation activities for developers.
  • Assign ownership for work, reviews, and approvals.
  • Can deploy a decision service to environments to validate changes (if permission defined by the Decision Center administrator).

Role: Decision Center developer
User group: odm_dev_dc_developers
User registry group: Yes
Description:
  • Work with the Rule Designer and the Decision Center Business console.
  • Create the model of a decision service.
  • Use the Rule Designer component to convert the knowledge from the business domain into decision artifacts.
  • Make the initial version of the business rule artifacts, including action rules, decision tables, and rule flows.
  • Implement and maintain some or all of the business rule artifacts that are in a decision service.
  • Run functional tests and simulations in the development environment to validate the changes that are made for a release (if permission defined by the Decision Center administrator or operator).
  • Can deploy a decision service to environments to validate changes (if permission defined by the Decision Center administrator or operator).
  • Publish the decision service from Rule Designer to Decision Center (if permission defined by the Decision Center administrator).
  • Can participate in the review or approval process with other developers (if permission defined by the Decision Center operator).
  • Collaborate with the Decision Center operator.

Role: Decision Server operator (per environment)
User group: odm_{env}_ds_operators
  Where env is the dev, test, or run environment.
User registry group: Yes
Description:
  • Work with Rule Execution Server.
  • Run the decision service locally or in the cloud development environment until achieving the expected results.
  • Can execute rule sets in the defined environment.

Role: Decision Server analyst (per environment)
User group: odm_{env}_ds_analysts
  Where env is the dev, test, or run environment.
User registry group: Yes
Description:
  • Work with HTDS.
  • Can execute rule sets in the defined environment.

Insights groups

Table 6. Insights groups

Role: Insights Analysts
User group: bai_run_analysts
User registry group: Yes
Description: Members of this group can access and work with dashboards in Business Performance Center. The insights capability is available only in the production environment.

Role: Insights Administrators
User group: bai_run_administrators
User registry group: Yes
Description: Members of this group can:
  • Access and work with dashboards in Business Performance Center.
  • Assign permissions to monitoring sources on the Team permissions tab.

Workflow groups

Table 7. Workflow system groups

Role: Process App Creators
User group: tw_authors
User registry group: No
Description: Members of this group have access to the Designer and other interfaces in the Process Designer, including the Workflow Center console. From the Workflow Center console, members of this group can create process applications and toolkits and control access to projects. Access to other process applications and toolkits (projects) and the assets they contain is controlled by Workflow Center repository administrators.
  Use the Process Admin Console to manage members of this group. For more information, see Process Admin Console.

Role: Process Administrators
User group: tw_admins
User registry group: No
Description: Members of this group have full access to all Business Automation Workflow interfaces, assets, servers, and security.
  Use the Process Admin Console to manage members of this group. For more information, see Process Admin Console.

Role: Case Administrators
User group: baw_env_administrator
  Where env is the dev, test, or run environment.
User registry group: Yes
Description: Members of this group can administer case assets, servers, and security.

Role: Performance Monitor Starters
User group: baw_env_monitor
  Where env is the dev, test, or run environment.
User registry group: Yes
Description: Members of this group have full access to historical information about Event Manager processing.

Role: Navigator Administrators
User group: ban_env_administrator
  Where env is the dev, test, or run environment.
User registry group: Yes
Description: Members of this group can create desktops, for example, for different case solutions and user groups.

Platform foundation tools groups

Table 8. Groups for the Platform foundation tools, Business Automation Navigator and Team Management

Role: Navigator Administrators
User group: ban_env_administrator
  Where env is the dev, test, or run environment.
User registry group: Yes
Description: Members of this group deploy applications developed in Studio to the test and production environments.

Role: Teams Administrators
User group: ums_env_administrator
  Where env is the dev, test, or run environment.
User registry group: Yes
Description: Members of this group create and manage global teams.