User permissions and authentication modes

The decision runtime uses user permissions and authentication modes to control access to its REST API endpoints and to the management of decision service archives and their metadata.

User permissions

The following distinct permissions exist to control access to the various REST API endpoints.

Table 1. Permissions
User permissions Description
decision service user

Users with this permission can execute decisions and invoke related endpoints.

Examples of what related endpoints can do:
  • List the operations of a decision service.
  • Generate an OpenAPI specification for a decision service.
  • Retrieve an example payload for a decision service.
  • Generate the schemas of the input and output for a decision service.

For more information, see the Decision runtime section for the Decision runtime REST API in Reference.

decision service manager

Users with this permission can manage the decision service archives and associated metadata by using the create, retrieve, update, and delete operations on their respective storage service.

For more information, see the Decision storage management section for the Decision runtime REST API in Reference.

Important: If you are using the run service, you must have this permission type to build and deploy a decision service archive to the decision runtime.

decision runtime monitor

Users with this permission can take a snapshot of the state of the decision runtime on demand.

For more information, see the GET /health and GET /snapshot methods in the Decision runtime section for the Decision runtime REST API in Reference.

For more information about how to configure these permissions, see Configuring decision runtime.

Two endpoints are unprotected, that is, they do not require any permission to be used:
  • /about endpoint - For more information, see the GET /about method in the Decision runtime section for the Decision runtime REST API in Reference.
  • /health endpoint - For more information, see the GET /health method in the Decision runtime section for the Decision runtime REST API in Reference.

Predefined user roles

Predefined user roles are available for you to use in the IBM Cloud Pak® Platform UI (Zen) console. Each predefined role corresponds to a permission that is defined in the Zen console.

For more information about predefined user roles and their associated permissions, and about how to configure them in the Zen console, see Managing user permissions.

For more general information about the Zen console, see Managing users in the IBM Cloud® Paks documentation.

Table 2. Predefined user roles
Decision User
  Description: Users with this role can perform actions that are allowed with the Execute decision services permission.
  Associated permission: Execute decision services

Deployed Decision Manager
  Description: Users with this role can perform actions that are allowed with the Manage deployed decision services permission.
  Associated permission: Manage deployed decision services

Decision Runtime Monitor
  Description: Users with this role can perform actions that are allowed with the Monitor decision runtime permission.
  Associated permission: Monitor decision runtime

Decision Runtime Deployment Spaces Manager
  Description: Users with this role can perform actions that are allowed with the Manage deployment spaces permission.
  Associated permission: Manage deployment spaces

Authentication modes

Two authentication modes are available for the decision runtime. They are specified with the ads_configuration.decision_runtime.authentication_mode parameter:
  • basic
  • zen

Table 3. Authentication modes
Authentication mode Description
basic

Users who are authenticated through the basic authentication mode are granted permissions as they are configured.

zen

When zen mode is used, the decision runtime is accessible through the IBM Cloud Platform proxy (Zen) gateway, and single sign-on (SSO) is managed by Identity Access Management (IAM).

Basic authentication can be used as well.

Users and associated permissions can be managed in the IBM Cloud Pak Platform UI (Zen). For more information, see Managing user permissions.

Client applications must use API keys. For more information about generating the API keys, see Generating API keys for authentication.

For more information about invoking a decision service with an API key, see Authorizing HTTP requests by using the Zen API key.