Role-based access control

Data Cataloging grants access to resources based on roles, so you can restrict access to information by role.

The role that is assigned to a user or group determines the privileges for that user or group. Users and groups can be associated with collections, which use policies that determine the metadata that is available to view.

User and group access can be authenticated by Data Cataloging, an LDAP server, or the IBM Cloud® Object Storage System. The administrator can manage the user access functions.

Roles

Roles determine how users and groups access records or the Data Cataloging environment.
Remember: If a user or group is assigned to multiple roles, the least restrictive role is applicable.
For example, if you are assigned the role of Data User, and you are also assigned the role of a Data Admin, you have the privileges of a Data Admin.
Admin

An Admin can create users, groups, and collections, and can manage LDAP and IBM Cloud Object Storage connections for user access management.

Data Admin

Users with the Data Admin role can access all metadata that is collected by Data Cataloging and is not restricted by collections.

Collection Admin
The Collection Admin role acts as a bridge between the Data Admin role and the Data User role.
  • Users with the Collection Admin role can list any type of tag and create or modify Characteristic tags. Users with the Collection Admin role cannot create, modify, or delete Open and Restricted tags. These tag permissions are the same as those of the Data User role.
    Note: The built-in Collection tag is a special tag that can be set only by users with the Data Admin role. All other tags can be set by any user with the Data User or Data Admin or Collection Admin role.
  • Users with the Collection Admin role can:
    • Create, update, and delete the policies for the collections they administer.
    • View, update, and delete policies of data users for the collections they administer. They cannot delete a policy if it has a collection that they do not administer.
    • Add users to collections that they administer. These data users can access a particular collection, which means that they can access the records that are marked with that collection value.
Collection User
Users with this role can access metadata that is collected by IBM Spectrum® Discover, but metadata access can be restricted by the collections that are assigned to users in this role.
  • Users assigned the Collection User role can:
    • Run scans of the collections to which the user is assigned.
    • View policies of the collections to which the user is assigned.
    • List any type of tag.
  • Users assigned the Collection User role cannot:
    • Create, update, and delete any policies.
    • Create, modify, and delete any tags.
Data User
Users with the Data User role can access metadata that is collected by Data Cataloging. Metadata access might be restricted by policies in the collections that are assigned to users in this role. A user with the Data User role can also define tags and policies based on the collections to which the role is assigned.
Service User
The Service User role is assigned to accounts for IBM® service and support personnel.
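As an added illustration, not Data Cataloging's own code or API, the following Python model encodes the rules described on this page: a user's effective privileges are the union over all assigned roles (so the least restrictive role applies), while record visibility and policy deletion are scoped to the collections a user is assigned to or administers. The privilege names, the User fields, and the sample collection names are assumptions made for the model; the Service User role is omitted because the page describes no privileges for it.

```python
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    ADMIN = "Admin"
    DATA_ADMIN = "Data Admin"
    COLLECTION_ADMIN = "Collection Admin"
    COLLECTION_USER = "Collection User"
    DATA_USER = "Data User"


# Privileges each role grants on its own (names are assumptions for this model).
# A user's effective set is the UNION over assigned roles: least restrictive wins.
ROLE_PRIVILEGES = {
    Role.ADMIN: {"manage_users", "manage_connections"},
    Role.DATA_ADMIN: {"view_all_metadata", "set_collection_tag",
                      "set_characteristic_tag", "manage_any_policy", "list_tags"},
    Role.COLLECTION_ADMIN: {"set_characteristic_tag", "list_tags"},
    Role.COLLECTION_USER: {"run_scans", "list_tags"},
    Role.DATA_USER: {"set_characteristic_tag", "list_tags"},
}


@dataclass
class User:
    name: str
    roles: set
    assigned: set = field(default_factory=set)      # collections the user belongs to
    administered: set = field(default_factory=set)  # collections a Collection Admin runs


def effective_privileges(user):
    """Union of every assigned role's privileges (empty set if no roles)."""
    return set().union(*(ROLE_PRIVILEGES[r] for r in user.roles))


def can_view_record(user, record_collection):
    """Data Admin sees every record; other roles only see records marked with
    a collection they are assigned to or administer."""
    if "view_all_metadata" in effective_privileges(user):
        return True
    return record_collection in (user.assigned | user.administered)


def can_delete_policy(user, policy_collections):
    """Data Admin may delete any policy. A Collection Admin may delete a policy
    only if every collection it references is one they administer."""
    if "manage_any_policy" in effective_privileges(user):
        return True
    if Role.COLLECTION_ADMIN in user.roles:
        return set(policy_collections) <= user.administered
    return False


def can_set_tag(user, tag_type):
    """The built-in Collection tag is Data Admin only; Characteristic tags may be
    set by Data User, Data Admin, or Collection Admin (not Collection User)."""
    privs = effective_privileges(user)
    if tag_type == "Collection":
        return "set_collection_tag" in privs
    return "set_characteristic_tag" in privs
```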