Adding users to IBM Match 360 on IBM Software Hub

After you install the IBM Match 360 service, you must give users access to the service.

Roles and permissions: Instance administrator To complete this task the first time, you must be the instance administrator who installed the IBM Match 360 service. If you add other users as administrators for the service, they can also manage users.

Only the instance administrator who installs IBM Match 360 is granted access to the service by default. To provide other users with access to the service, the administrator user must add them to the appropriate user groups. For example, to create and set up a master data configuration asset, users must belong to the DataEngineer group.

Tip: To mitigate the risk of IBM Match 360 user credentials becoming compromised, it is good practice to connect to IBM Cloud Pak for Data through an identity provider that can provide authentication. For information about configuring Cloud Pak for Data to connect to an identity provider, see Connecting to your identity provider.

About this task

A Cloud Pak for Data administrator can assign users to groups, allowing them to access IBM Match 360. To access IBM Match 360, a Cloud Pak for Data user must belong to one of the following groups:

DataEngineer: DataEngineer group members have full rights to configure a IBM Match 360 service instance, onboard data sources, customize the data model, tune and customize the matching algorithm, run matching, view or create jobs, create pair review requests, and view or edit entities and records in the master data explorer. DataEngineer users can create and set up a master data configuration asset. DataEngineer users can also view and manage governed data.
DataSteward: Data Steward group members can onboard data sources, run matching, view the data model, view ongoing jobs, complete pair review tasks, and view or edit entities and records in the master data explorer.
PublisherUser: PublisherUser group members can publish data from an IBM® InfoSphere® Master Data Management instance, through the MDM Publisher tool, into IBM Match 360. PublisherUser members can onboard data sources, customize the data model, and view or create jobs. PublisherUser users can also view and manage governed data.
EntityViewer: EntityViewer group members have read-only permission in an IBM Match 360 instance. They can view the master data, the model, the results of matching, and ongoing jobs.

Table 1. IBM Match 360 user groups and permissions
Groups	Entity maintenance tasks	Model tasks	Matching tasks	Jobs tasks	Configuration tasks	Pair review tasks
DataEngineer	read, write, manage	read, write, manage	read, write, manage	read, write, manage	read, write, manage	none
DataSteward	read, write	read	read, write	read	none	read, write
PublisherUser	read, write, manage	read, write, manage	none	read, write	none	none
EntityViewer	read	read	read	read	none	none

You must assign at least one of the four IBM Match 360 roles to give a user access to the service. There are two methods of managing IBM Match 360 user access:

By using the Cloud Pak for Data API
By using the Cloud Pak for Data web client

Using the Cloud Pak for Data API to give users access to IBM Match 360

Manage IBM Match 360 user permissions by using the Cloud Pak for Data API and the mdm-assign-user-groups.sh sample script.

Before you begin: Download the sample scripts archive file to help you to manage users and groups through the API. The archive file contains the following sample scripts:

mdm-create-groups.sh
mdm-assign-user-groups.sh

In this procedure, you'll use the mdm-assign-user-groups.sh script to grant IBM Match 360 permissions to users through the Cloud Pak for Data API.

To add users to the IBM Match 360 user groups:

Log in to the Cloud Pak for Data cluster as an administrator user with sufficient permissions to perform this task.
```
oc login ${OCP_URL} --username ${OCP_USERNAME} --password ${OCP_PASSWORD}
```

Create a user and assign them to the IBM Match 360 user groups that you created in the previous step. Run the following command:

./mdm-assign-user-groups.sh -u ADMIN-USER -p ADMIN-PASSWORD -n ${PROJECT_CPD_INST_OPERANDS} -m MATCH360-USER-NAME -w MATCH360-USER-PASSWORD -g MATCH360-USER-GROUP

Replace the following values:

Variable	Replace with
`ADMIN-USER`	The Cloud Pak for Data `admin` user.
`ADMIN-PASSWORD`	The password of the Cloud Pak for Data `admin` user.
`MATCH360-USER-NAME`	The user name of the IBM Match 360 user. If the user does not exist in Cloud Pak for Data, the script will create a new user before assigning them to the IBM Match 360 user group.
`MATCH360-USER-PASSWORD`	The password of the IBM Match 360 user.
`MATCH360-USER-GROUP`	The IBM Match 360 user group that you want to assign the user to. One of: DataEngineer DataSteward EntityViewer PublisherUser You can add a user to only one group at a time. If you wish to assign a user to more than one IBM Match 360 user group, rerun the script for each user group you want to assign the user to.

Using the Cloud Pak for Data web client to give users access to IBM Match 360

By using the Cloud Pak for Data web client's access control tools, you can manage the users for the IBM Match 360 service.

To grant access to additional IBM Match 360 users, use the Cloud Pak for Data web client to add users and assign them to one of the IBM Match 360 user groups:

DataEngineer
DataSteward
EntityViewer
PublisherUser

To create users and manage permissions by assigning groups in the web client, log in to Cloud Pak for Data. From the navigation menu, choose Administration > Access control. For more information, see Managing access to the platform.

What to do next

After you have assigned IBM Match 360 access to users, they can begin using the service. For information about using IBM Match 360, see Managing master data.