Managing user access
The Data cataloging environment provides access to users and groups. The role that is assigned to a user or group determines the functions that are available. Users and groups can also be associated with collections that use policies that determine the metadata that is available to view.
User and group access can be authenticated by Data Cataloging, a Lightweight Directory Access Protocol (LDAP) server, IBM Cloud® Object Storage (IBM COS), or Red Hat® OpenShift® credentials. If you use Data Cataloging, LDAP, or IBM COS as the authentication method, you log in to the Data Cataloging user interface by entering the associated username and password.
If you use Red Hat OpenShift as the authentication method, you log in by default through single sign-on unless that option is explicitly disabled. The administrator role can manage the user access functions. For more information, see Initial login.
"<domain>/<user>". The domain name is the name that is given to the external authentication domain in Data cataloging.
Roles
Roles determine how users and groups can access records or the Data cataloging environment.
If a user or group is assigned to multiple roles, the least restrictive role is used. For example, if a user is assigned to the Data User role but is also included in a group that is assigned to the Data Admin role, that user has the privileges of the Data Admin role.
The following roles are available:
- Admin
- This role can create users, groups, and collections. This role can also manage connections to Lightweight Directory Access Protocol (LDAP) and IBM Cloud Object Storage domains. This role can use the Application Management APIs to install, upgrade, or delete Data cataloging applications that use the Data cataloging API service.
- Data Admin
- Users with this role can access all metadata that is collected by Data cataloging and are not restricted by policies or collections. This role can also define tags and policies, including policies that assign a collection value to a set of records. Note: Users with this role can also edit local users and local groups and assign roles and collections to users and groups. The built-in Collection tag is a special tag. This tag can be set only by users with the Data Admin role. All other tags can be set by any user with the Data User, Data Admin, or Collection Admin role.
- Collection Admin
- The Collection Admin role is a bridge between the Data Admin role and the Data User role. Users with the Collection Admin role can:
  - Create, update, and delete the policies for the collections that they administer.
  - View, update, and delete policies of data users for the collections they administer. They cannot delete a policy if it references a collection that they do not administer.
  - Add users to collections that they administer. These data users can access a particular collection, which means that they can access the records marked with that collection value.
  - List any type of tag and create or modify Characteristics tags. They cannot create, modify, or delete Open and Restricted tags. These permissions are the same as the ones associated with the Data User role.
- Collection User
- Users with this role can access metadata that is collected by IBM Spectrum Discover, but metadata access can be restricted by the collections that are assigned to users in this role.
- Users assigned the Collection User role can:
  - Run scans of the collections to which the user is assigned.
  - View policies of the collections to which the user is assigned.
  - List any type of tag.
- Users assigned the Collection User role cannot:
  - Create, update, or delete any policies.
  - Create, modify, or delete any tags.
- Data User
- Users with this role can access metadata that is collected by Data cataloging, but metadata access can be restricted by the collections that are assigned to users in this role. This role can also define tags and policies, based on the collections to which the role is assigned.
- Service User
- This role is assigned to accounts for IBM® service and support personnel.
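The following Python model is an added illustration of the two rules that matter most when reviewing access in this environment: the least-restrictive-role precedence across direct and group assignments, and collection scoping of metadata visibility, tag setting, and policy deletion. It is not the Data cataloging product's own code. Role names and permission rules are taken from the text above; the numeric ranking of roles, the data model, and the sample users, groups, and records are assumptions constructed for the example. The Admin and Service User roles are omitted because the text describes them as management and service accounts rather than metadata-access roles.

```python
"""Hypothetical model of role precedence and collection scoping (added
illustration, not product code). Role names and rules follow the page;
ROLE_RANK, the data model and the sample data are constructed assumptions."""
from dataclasses import dataclass, field

# Assumed ranking, higher value = less restrictive. The page states only that
# Data Admin is less restrictive than Data User; the rest of the order is an
# assumption made for this example.
ROLE_RANK = {
    "Collection User": 1,
    "Data User": 2,
    "Collection Admin": 3,
    "Data Admin": 4,
}


@dataclass
class Group:
    name: str
    roles: set = field(default_factory=set)
    collections: set = field(default_factory=set)


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    collections: set = field(default_factory=set)
    groups: list = field(default_factory=list)


def effective_role(user):
    """Least restrictive role held directly or through any group membership."""
    held = set(user.roles)
    for g in user.groups:
        held |= g.roles
    if not held:
        raise ValueError(f"{user.name} holds no role")
    return max(held, key=ROLE_RANK.__getitem__)


def assigned_collections(user):
    """Collections assigned directly or inherited from groups."""
    cols = set(user.collections)
    for g in user.groups:
        cols |= g.collections
    return cols


def visible_records(user, records):
    """Data Admin is not restricted by collections; every other role sees only
    records whose Collection tag is one of its assigned collections."""
    if effective_role(user) == "Data Admin":
        return list(records)
    allowed = assigned_collections(user)
    return [r for r in records if r.get("Collection") in allowed]


def can_set_tag(user, tag):
    """The built-in Collection tag is Data Admin only; all other tags may be
    set by Data User, Data Admin or Collection Admin (Collection User cannot)."""
    role = effective_role(user)
    if tag == "Collection":
        return role == "Data Admin"
    return role in {"Data User", "Data Admin", "Collection Admin"}


def can_delete_policy(user, policy_collections):
    """A policy can be deleted only if every collection it references is one the
    caller administers; Data Admin is unrestricted and Collection User never can."""
    role = effective_role(user)
    if role == "Data Admin":
        return True
    if role == "Collection User":
        return False
    return set(policy_collections) <= assigned_collections(user)


# Constructed sample data (not from the page).
FINANCE = Group("finance-admins", roles={"Data Admin"})
ALICE = User("alice", roles={"Data User"}, collections={"hr"}, groups=[FINANCE])
BOB = User("bob", roles={"Collection Admin"}, collections={"hr", "sales"})
CAROL = User("carol", roles={"Collection User"}, collections={"sales"})
RECORDS = [
    {"path": "/data/payroll.csv", "Collection": "hr"},
    {"path": "/data/leads.csv", "Collection": "sales"},
    {"path": "/data/misc.txt"},  # untagged record: visible only to Data Admin
]

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        paths = [r["path"] for r in visible_records(u, RECORDS)]
        print(u.name, effective_role(u), paths)
```

Alice holds Data User directly but inherits Data Admin from her group, so the precedence rule gives her unrestricted access and the right to set the Collection tag; Bob, a Collection Admin for hr and sales, can delete a policy scoped to hr but not one that also references a collection he does not administer.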