Managing user access

Data cataloging grants access to users and groups. The role that is assigned to a user or group determines which functions are available. Users and groups can also be associated with collections; the policies attached to those collections determine which metadata is visible.

User and group access can be authenticated by Data Cataloging itself (local users), by a Lightweight Directory Access Protocol (LDAP) server, by IBM Cloud® Object Storage (IBM COS), or with Red Hat® OpenShift® credentials. With Data Cataloging, LDAP, or IBM COS authentication, you log in to the Data Cataloging user interface with the username and password that the chosen authentication source holds.

With Red Hat OpenShift authentication, login uses Single Sign-On by default unless that option is explicitly disabled. Users with the Admin role manage the user access functions. For more information, see Initial login.

Note: A local user that is created on the Data cataloging system logs in with a bare user name and password. Users from an external LDAP or IBM Cloud® Object Storage domain must prefix the user name with the domain name and a forward slash (/), such as "<domain>/<user>". The domain name is the name that was given to the external authentication domain in Data cataloging; the prefix identifies which authentication source the account belongs to, so a local user and an external user with the same short name are different accounts.

Roles

Roles determine how users and groups can access records or the Data cataloging environment.

If a user or group is assigned to multiple roles, the least restrictive role is used. For example, if a user is assigned to the Data User role but is also included in a group that is assigned to the Data Admin role, that user has the privileges of the Data Admin role. Because roles combine this way, group membership (including membership in an external LDAP group that is mapped to a role) can grant a user more privilege than the role assigned directly; review group role assignments as well as user role assignments when you audit access.

The following roles are available:

Admin
This role can create users, groups, and collections. This role can also manage connections to Lightweight Directory Access Protocol (LDAP) and IBM Cloud Object Storage domains. This role can use the Application Management APIs to install, upgrade, or delete Data cataloging applications that use the Data cataloging API service.
Data Admin
Users with this role can access all metadata that is collected by Data cataloging; their access is not restricted by policies or collections. This role can also define tags and policies, including policies that assign a collection value to a set of records.
Note: The built-in Collection tag is a special tag. This tag can be set only by users with the Data Admin role. All other tags can be set by any user with the Data User, Data Admin, or Collection Admin role.

Users with this role can also edit local users and local groups, and assign roles and collections to users and groups.
Collection Admin
The Collection Admin role is a bridge between the Data Admin role and the Data User role. Users with the Collection Admin role can:
  • Create, update, and delete the policies for the collections that they administer.
  • View, update, and delete policies of data users for the collections they administer. They cannot delete a policy if it has a collection that they do not administer.
  • Add users to collections that they administer. These data users then have access to that collection, which means that they can access the records marked with that collection value.
  • List any type of tag and create or modify Characteristics tags. They cannot create, modify, or delete Open and Restricted tags. These permissions are the same as the ones associated with the Data User role.
Collection User
Users with this role can access metadata that is collected by Data cataloging, but metadata access can be restricted by the collections that are assigned to users in this role.
  • Users with the Collection User role can:
    • Run scans of the collections to which the user is assigned.
    • View policies of the collections to which the user is assigned.
    • List any type of tag.
  • Users with the Collection User role cannot:
    • Create, update, or delete any policies.
    • Create, modify, or delete any tags.
Data User
Users with this role can access metadata that is collected by Data cataloging, but metadata access can be restricted by the collections that are assigned to users in this role. This role can also define tags and policies, based on the collections to which the role is assigned.
Service User
This role is assigned to accounts for IBM® service and support personnel.
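The following Python script is an added example, not code from Data cataloging or IBM, that models the two rules above which matter most when auditing access: the "<domain>/<user>" login-name convention from the note, and the least-restrictive-role rule, under which a user's effective roles are the union of directly assigned roles and roles inherited from groups. The capability checks (who can set the built-in Collection tag, who can view a record) follow the role descriptions on this page; the data structures, function names, the treatment of collections assigned via groups as inherited, and the sample users and groups are assumptions made for the example.

```python
"""Illustrative model of Data cataloging login names and role resolution.
Added example; not product code. Role rules follow the page, the rest
(data model, names, sample accounts) is assumed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    roles: set = field(default_factory=set)
    collections: set = field(default_factory=set)


@dataclass
class User:
    login: str                      # "<domain>/<user>" for external, bare name for local
    roles: set = field(default_factory=set)
    collections: set = field(default_factory=set)
    groups: list = field(default_factory=list)


def parse_login(login):
    """Split '<domain>/<user>' into (domain, user). A bare name is a local user,
    so returns (None, name). Split on the first slash only (assumption)."""
    if "/" not in login:
        return None, login
    domain, _, user = login.partition("/")
    if not domain or not user:
        raise ValueError(f"malformed login name: {login!r}")
    return domain, user


def effective_roles(user):
    """Least restrictive wins: union of direct roles and every group's roles."""
    roles = set(user.roles)
    for group in user.groups:
        roles |= group.roles
    return roles


def effective_collections(user):
    """Collections assigned directly plus those assigned via groups (assumption)."""
    cols = set(user.collections)
    for group in user.groups:
        cols |= group.collections
    return cols


def can_set_tag(user, tag_name):
    """The built-in Collection tag requires Data Admin; any other tag can be
    set by Data User, Data Admin, or Collection Admin (see the Note above)."""
    roles = effective_roles(user)
    if tag_name == "Collection":
        return "Data Admin" in roles
    return bool(roles & {"Data User", "Data Admin", "Collection Admin"})


def can_view_record(user, record_collection):
    """Data Admin is not restricted by collections; everyone else sees only
    records whose Collection value is one they are assigned."""
    if "Data Admin" in effective_roles(user):
        return True
    return record_collection in effective_collections(user)


def group_escalations(user):
    """Audit helper: groups that grant roles the user does not hold directly.
    This is where an LDAP group mapping can silently widen privilege."""
    return {g.name: g.roles - user.roles for g in user.groups if g.roles - user.roles}


def build_sample():
    """Constructed sample: the page's own scenario of a Data User who is also
    in a group holding Data Admin, plus a purely local Collection User."""
    analysts = Group("corp-ldap/analysts", roles={"Data Admin"})
    finance = Group("finance-readers", collections={"finance"})
    alice = User("corp-ldap/alice", roles={"Data User"}, collections={"hr"},
                 groups=[analysts])
    bob = User("bob", roles={"Collection User"}, groups=[finance])
    return alice, bob


if __name__ == "__main__":
    alice, bob = build_sample()
    print(parse_login(alice.login), parse_login(bob.login))
    print("alice roles:", effective_roles(alice), "via groups:", group_escalations(alice))
    print("alice can set Collection tag:", can_set_tag(alice, "Collection"))
    print("bob sees finance:", can_view_record(bob, "finance"),
          "bob sees hr:", can_view_record(bob, "hr"))
```

Running the script shows the escalation the page warns about in concrete terms: alice holds only Data User directly, yet `group_escalations` reports that the analysts group adds Data Admin, so she can set the Collection tag and view records in any collection. Bob, a local Collection User, sees only the finance collection his group grants.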