Assigning roles to users
When you add users to IBM watsonx who need to perform data governance tasks, you must assign them roles and permissions for the service, for the workspace in which the task is performed, and, for some tasks, for other resources such as the categories of the governance artifacts that are used or the connections to the data sources.
You assign IAM Service access roles to users in your IBM Cloud account. When you assign an IAM Service access role, select the IBM Cloud Pak for Data service as the service that the role applies to. The predefined IAM Service access roles provide the permissions that the tasks require. If you create custom roles instead, you must assign a role that provides the required permissions. See User roles and permissions for IBM watsonx.data intelligence.
IBM watsonx.data intelligence permission assignments might not work properly if the access policy for the Cloud Pak for Data service is scoped to a resource group rather than to the whole account.
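Both conditions above (the policy grants a service access role, predefined or custom, on the Cloud Pak for Data service, and the policy is not scoped to a resource group) can be audited from the JSON that the IBM Cloud CLI returns for a user's policies (for example, `ibmcloud iam user-policies USER --output json`). The following audit is an added example and not IBM code; it assumes the policy shape of the IAM Policy Management v1 API (`roles[].role_id` CRNs and `resources[].attributes[]` name/value pairs), and it uses a placeholder `serviceName` of `cloud-pak-for-data`, which you must confirm against a real policy in your account before relying on the result. The sample policies at the bottom are constructed.

```python
"""Audit IBM Cloud IAM access policies for the two conditions the page
calls out: a service access role on the Cloud Pak for Data service, and
no resource-group scoping. Added example, not IBM's code."""
import json

# Assumption: the IAM serviceName attribute for the Cloud Pak for Data
# service. Confirm it from a real policy in your account.
CPD_SERVICE_NAME = "cloud-pak-for-data"


def _attributes(resource):
    """Flatten a resource's [{name, value}, ...] list into a dict."""
    return {a["name"]: a["value"] for a in resource.get("attributes", [])}


def _role_kind(role_id):
    """Classify a role CRN by the segment before the role name:
    'role' (platform), 'serviceRole' (service access) or 'customRole'."""
    prefix, _, name = role_id.rpartition(":")
    return prefix.rsplit(":", 1)[-1], name


def audit_policy(policy, service_name=CPD_SERVICE_NAME):
    """Return a list of issue strings for one policy (empty if it looks fine).

    A policy is relevant if one of its resources names service_name, or
    names no service at all (an account-wide or all-services policy)."""
    issues = []
    relevant = False
    for resource in policy.get("resources", []):
        attrs = _attributes(resource)
        svc = attrs.get("serviceName")
        if svc is not None and svc != service_name:
            continue
        relevant = True
        if "resourceGroupId" in attrs:
            issues.append(
                f"scoped to resource group {attrs['resourceGroupId']}; "
                "watsonx.data intelligence permission assignments may not work")
    if not relevant:
        return []
    kinds = {_role_kind(r["role_id"])[0] for r in policy.get("roles", [])}
    # Platform roles alone (Viewer, Editor, Administrator) carry none of the
    # service access permissions the task tables require.
    if not kinds & {"serviceRole", "customRole"}:
        issues.append("grants only platform roles, no service access role")
    return issues


def audit_policies(policies, service_name=CPD_SERVICE_NAME):
    """Map policy id -> issues for every policy that has at least one issue."""
    report = {}
    for policy in policies:
        issues = audit_policy(policy, service_name)
        if issues:
            report[policy["id"]] = issues
    return report


# Constructed sample in the shape of the IAM Policy Management v1 API
# response (GET /v1/policies); ids and values are made up.
SAMPLE = json.loads("""
{"policies": [
  {"id": "p-good", "type": "access",
   "roles": [{"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Manager"}],
   "resources": [{"attributes": [
     {"name": "accountId", "value": "acct-1"},
     {"name": "serviceName", "value": "cloud-pak-for-data"}]}]},
  {"id": "p-rg", "type": "access",
   "roles": [{"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Reader"}],
   "resources": [{"attributes": [
     {"name": "accountId", "value": "acct-1"},
     {"name": "serviceName", "value": "cloud-pak-for-data"},
     {"name": "resourceGroupId", "value": "rg-123"}]}]},
  {"id": "p-platform", "type": "access",
   "roles": [{"role_id": "crn:v1:bluemix:public:iam::::role:Administrator"}],
   "resources": [{"attributes": [
     {"name": "accountId", "value": "acct-1"},
     {"name": "serviceName", "value": "cloud-pak-for-data"}]}]},
  {"id": "p-other", "type": "access",
   "roles": [{"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Writer"}],
   "resources": [{"attributes": [
     {"name": "accountId", "value": "acct-1"},
     {"name": "serviceName", "value": "cloud-object-storage"},
     {"name": "resourceGroupId", "value": "rg-123"}]}]}
]}
""")["policies"]

if __name__ == "__main__":
    for pid, issues in audit_policies(SAMPLE).items():
        print(pid, "->", "; ".join(issues))
```

Run it against the real output by replacing `SAMPLE` with the `policies` list from the CLI's JSON; a policy that names no `serviceName` is treated as relevant on purpose, because an account-wide policy scoped to a resource group affects the Cloud Pak for Data service just as much as one that names it explicitly.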
The workspace roles that users need depend on the type of task and where the tasks are performed:
- Catalog tasks
- Project tasks
- Curation tasks
- Category tasks
- Governance artifact tasks
- Data protection rule tasks
- Data quality SLA tasks
- Reporting tasks
- Workflow tasks
Catalog tasks
The following table lists the roles and permissions that users need for performing catalog tasks.
| Task | IAM Service access roles | Access role permissions | Catalog roles |
|---|---|---|---|
| Create, delete, and manage catalogs | Manager | Manage catalogs | None |
| View list of all catalogs | Manager | Manage catalogs | None |
| Become a collaborator in a catalog | Any of these roles: Manager, CloudPak Data Steward, CloudPak Data Engineer, CloudPak Data Scientist | Access catalogs | None |
| Add collaborators to a catalog | Any of these roles: Manager, CloudPak Data Steward, CloudPak Data Engineer, CloudPak Data Scientist | Access catalogs | Admin |
| Add assets to a catalog | Any of these roles: Manager, CloudPak Data Steward, CloudPak Data Engineer, CloudPak Data Scientist | Access catalogs | Admin or Editor |
| View assets in the catalogs | Any of these roles: Manager, CloudPak Data Steward, CloudPak Data Engineer, CloudPak Data Scientist | Access catalogs | Any |
| Create custom asset types | Manager | Manage catalogs + Manage glossary | None |
| Create custom properties and relationships for assets | Manager | Manage catalogs + Manage glossary | None |
Project tasks
The following table lists the roles and permissions that users need for performing general project tasks. The predefined user roles have the required permissions. If you create custom roles, you must assign the role that provides the required permissions.
| Task | IAM Service access roles | Access role permissions | Project roles |
|---|---|---|---|
| Create projects | Reader | | |
| Add assets from catalogs to projects | Any of these roles: Manager, CloudPak Data Scientist, CloudPak Data Steward | Add catalog assets to projects | Admin or Editor |
| Add a collaborator in a project | Reader | Manage projects | Admin |
| View all projects in the account | Manager | Manage projects | |
| Join any project as admin | Manager | Manage projects | |
| All other project tasks | Reader | None | Depends on the task |
Curation tasks
The following table lists the roles and permissions that are required for performing curation tasks in projects.
| Task | IAM Service access roles | Access role permissions | Project roles | Other |
|---|---|---|---|---|
| Import metadata | CloudPak Data Steward | Access catalogs + Access governance artifacts | Admin or Editor | Catalog role: Admin or Editor. You must also be authorized to access the data sources. |
| Run metadata enrichment: profiling, basic data quality analysis, term assignment | CloudPak Data Steward | Access catalogs + Access governance artifacts | Admin or Editor | Category role: any role in the categories that contain the business terms and data classes that are used. You must be authorized to access the connections to the data sources of the data assets to be enriched. |
| Create data quality definitions | CloudPak Data Quality Analyst | Drill down to issue details + Execute data quality rules + Manage data quality assets | Admin or Editor | |
| Create and run data quality rules | CloudPak Data Quality Analyst | Drill down to issue details + Execute data quality rules + Manage data quality assets | Admin or Editor | You must be authorized to access the connections to the data sources of the data assets that are bound to a rule. |
Category tasks
The following table lists the roles and permissions that are required for performing category tasks.
The predefined Public access user group, which contains all users who have permission to access governance artifacts, is automatically added as a collaborator with the Viewer role to top-level categories.
| Task | IAM Service access roles | Access role permissions | Category roles |
|---|---|---|---|
| Create and manage top-level categories | Any of these roles: Manager, CloudPak Data Steward | Any of these permissions: Administer governance artifacts, Manage glossary, Manage governance categories | Owner (you become Owner when you create the category) |
| Create, edit, delete, import, or export subcategories | Any of these roles: Manager, CloudPak Data Steward | Any of these permissions: Access governance artifacts, Administer governance artifacts, Manage glossary, Manage governance categories | Admin or Owner |
| Manage collaborators in categories | Any of these roles: Manager, CloudPak Data Steward | Any of these permissions: Access governance artifacts, Administer governance artifacts, Manage glossary, Manage governance categories | Admin or Owner |
| Administer all categories and governance artifacts | Governance Artifacts Administrator | Administer governance artifacts + Manage governance categories | |
Governance artifact tasks
The following table lists the roles and permissions that are required for performing governance artifact tasks.
| Task | IAM Service access roles | Access role permissions | Category roles |
|---|---|---|---|
| Create, edit, delete, import, or export governance artifacts | Any of these roles: Manager, CloudPak Data Steward, CloudPak Data Engineer | Any of these permissions: Access governance artifacts, Administer governance artifacts | Owner, Admin, or Editor |
| Import or export governance artifacts in a ZIP file | Manager | Manage glossary | |
| Run all API calls for governance artifacts | Governance Artifacts Administrator | Administer governance artifacts + Manage governance categories | |
| View published governance artifacts | Any of these roles: Manager, CloudPak Data Steward, CloudPak Data Engineer, CloudPak Data Scientist | Access governance artifacts | Any role in the primary category for the artifact |
| View draft governance artifacts | Any of these roles: Manager, CloudPak Data Steward, CloudPak Data Engineer, CloudPak Data Scientist | Access governance artifacts | Any role in the primary category for the artifact |
| Add relationships or assignments between artifacts and assets | Any of these roles: Manager, CloudPak Data Steward, CloudPak Data Engineer, CloudPak Data Scientist | Access governance artifacts + Access catalogs (to work with catalog assets) | Catalog role: Catalog Admin, or Catalog Editor who is also the Asset Owner |
| Add relationships between artifacts | Any of these roles: Manager, CloudPak Data Steward, CloudPak Data Engineer, CloudPak Data Scientist | Access governance artifacts | Owner, Admin, or Editor |
| Create custom properties and relationships for artifacts | | Manage glossary; additionally Manage catalogs for relationships with assets | |
Data protection rule tasks
The following table lists the roles and permissions that are required for performing data protection rule tasks.
| Task | IAM Service access roles | Access role permissions | Category roles |
|---|---|---|---|
| Set rule conventions and rule settings | Any of these roles: Manager, CloudPak Data Steward | Manage data protection rules | |
| Create, edit, delete data protection rules | Any of these roles: Manager, CloudPak Data Steward | Manage data protection rules + Access governance artifacts (to include governance artifacts in your rules) | You must be a collaborator in the categories of the governance artifacts that you want to use in the rule. |
Data quality SLA tasks
The following table lists the roles and permissions that are required for performing data quality SLA tasks.
| Task | User roles | User permissions | Category roles |
|---|---|---|---|
| Create, edit, delete data quality SLAs | Any of these roles: Administrator, Data Quality Analyst | Access governance artifacts + Manage data quality SLAs | You must be a collaborator in the categories of the governance artifacts that you want to use in the SLA. |
Reporting tasks
The following table lists the roles and permissions that are required for performing reporting tasks.
Assign this privileged role with caution. Users with the Reporting administrator role and the Manage reporting permission can send all metadata from any project, catalog, or category to an external database, regardless of whether they are members of, or have any access to, those projects, catalogs, and categories. The control that remains is per workspace: when you create or edit a project, catalog, or category, you can allow or disallow metadata reporting for it.
| Task | IAM Service access roles | Access role permissions |
|---|---|---|
| Set up and run reports on IBM watsonx.data intelligence | Reporting administrator | Manage reporting |
Workflow tasks
The following table lists the roles and permissions that are required for performing workflow tasks.
| Task | IAM Service access roles | Access role permissions | Category roles |
|---|---|---|---|
| Create, edit, and delete governance workflow configurations | Manager | Manage governance workflows | None |
| Assign and unassign workflow tasks | Manager | Manage governance workflows | None |
| View workflow tasks | Manager | Manage governance workflows | None |
| Claim and complete a task | Depends on workflow configuration | Depends on workflow configuration | Depends on workflow configuration |
When you configure a workflow, you specify which users or user groups are assigned to each task in the workflow, and only those users or group members can claim and complete the task.