Access management and governance in watsonx.data
This topic provides details about access management and governance in watsonx.data.
watsonx.data on IBM Software Hub
watsonx.data Developer edition
watsonx.data on IBM Cloud®
watsonx.data on IBM Cloud Pak for Data
watsonx.data SaaS on AWS
This topic also covers the details of the Data Access Service (DAS) and integration with Apache Ranger and IBM Knowledge Catalog (IKC) for data governance.
User authentication (Level 1)
- Access to the platform where watsonx.data is deployed, for example watsonx.data on Cloud Pak for Data or Software Hub, IBM Cloud, AWS, or the software edition.
- Role-based access control within watsonx.data, for example the Admin and User roles with their specific access and privileges.
- Level 1 authentication in watsonx.data on Cloud Pak for Data, Software Hub, and software
In watsonx.data on Cloud Pak for Data, Software Hub, and software, the platform administrators decide and implement the approach for user access management. You can use the internal user repository, or an enterprise identity provider such as a SAML SSO or LDAP provider, for password and access management. For more information, see Connecting to your identity provider.
Roles and users: Administrator and User are the two predefined roles at the platform level in watsonx.data. For more information about these roles and the permissions that can be associated with them, see Predefined roles and permissions in watsonx.data.
You can create users or user groups and assign them the required roles.
Note: If a user or user group has multiple roles, the user or group has the union of the permissions from all the roles that are assigned to it.
- Level 1 authentication in watsonx.data on IBM Cloud and AWS
Level 1 authentication in watsonx.data on IBM Cloud is aligned with the IBM Cloud authentication framework. For more information, see IBM Cloud IAM roles and Actions and roles for account management services.
You can create access groups, or grant a trusted profile, user, or service ID access to specific targets and permissions, as depicted in the following illustration:
In addition to authentication, the IBM Cloud IAM platform roles carry some privileges and permissions by default; these roles are assigned to users or user groups. Table 1 lists the IAM platform roles. Table 2 lists the service roles that are specific to watsonx.data on IBM Cloud and AWS: the Metastore Admin role is used for Db2, Netezza, and Spark and has full access to the HMS Thrift API; the Metastore Viewer role has read access to the HMS REST API; the Data Access role is used only for the IKC integration for data profiling.

Table 1. IAM platform roles
IAM platform role | Actions
Administrator | lakehouse.metastore.admin, lakehouse.dashboard.view
Operator, Editor, Viewer | lakehouse.dashboard.view
Others | Depends on the actions that are assigned by the administrator

Table 2. Service roles
Service role | Actions | Permissions
Manager | lakehouse.dashboard.view, lakehouse.metastore.admin, lakehouse.service.manage | Scoped admin access for resources
Metastore Admin | lakehouse.metastore.admin | Manage metastore data
Metastore Viewer | lakehouse.metastore.view | View metastore data
Data Access (primarily used for service-to-service integration, for example IKC integration with watsonx.data) | lakehouse.data.access | Access data

- Level 1 authentication in watsonx.data Developer edition
In watsonx.data Developer edition, you have two roles: Admin and User. The following table provides the role-based privileges:

Table 3. Role-based privileges in watsonx.data Developer edition
Action | Admin | User
Create Presto (Java) | ✓ |
Restart the internal HMS | ✓ |
Unregister any storage | ✓ |
Unregister any DB connection | ✓ |
Register and unregister own storage | ✓ | ✓
Register and unregister own DB connection | ✓ | ✓
Access the metastore | ✓ |
Read access to HMS API | ✓ |

- Authentication options
Users can authenticate (log in to the watsonx.data instance, invoke an API, or connect to the CLI) through one of the following options:
- IBM Cloud: IBM API key or IAM token for API or CLI access to the watsonx.data API and services; username and password to access the watsonx.data UI console.
- Software or watsonx.data on Cloud Pak for Data or Software Hub: watsonx.data platform API key or token, the user's instance-scope API key or token, or the user's username and password.
Note:
- To generate an API key, go to your Cloud Pak for Data or Software Hub profile page and click .
- To generate a token, you can use the CPD API. For more information, see Using Authorization: Bearer token.
- Developer edition: your username and password. For more information about usernames and passwords, see user-mgmt.
- Authentication options for presto-cli
Users can also use presto-cli, or connect to Presto through JDBC, with one of the following authentication options:
- IBM Cloud: IBM API key or IAM token. For more information, see Connecting to Presto server in watsonx.data on IBM Cloud.
- Software or watsonx.data on Cloud Pak for Data or Software Hub: the user's platform API key or token (recommended), the user's instance-scope API key or token, or the user's username and password. For more information, see Connecting to a Presto server.
Note:
- To generate an API key, go to your Cloud Pak for Data or Software Hub profile page and click .
- To generate a token, you can use the CPD API. For more information, see Using Authorization: Bearer token.
- Developer edition: the hardcoded default user ibmlhadmin with the password password.
User access to resources (Level 2)
With the second-level access control, you can assign roles for watsonx.data users to view, edit, and administer the resources, which include engines, catalogs, storage, and databases.
Controlling access to the engines and other components is a critical requirement for many enterprises. To ensure that the resource usage is under control, IBM® watsonx.data provides the ability to manage access controls on these resources. A user with admin privileges on the resources can grant access to other users.
For more information on L2 access control in:
- watsonx.data software (Red Hat OpenShift) and on Cloud Pak for Data or Software Hub, see Predefined roles and permissions in watsonx.data.
- watsonx.data on IBM Cloud and AWS, see Managing users and Managing roles and privileges.
Data access (Level 3)
At the data access level, you can define data access policies and grant or restrict access to schema, table, and columns in watsonx.data.
For more information about data access policies in:
- watsonx.data software and on Cloud Pak for Data or Software Hub, see Data policy.
- watsonx.data on IBM Cloud, see Managing data policy rules.
Default username and password in different watsonx.data deployments
- watsonx.data Developer edition
  - Username: ibmlhadmin is the default username. Based on your requirements, you can add users with the User and Admin roles. For more details, see user-mgmt.
  - Password: password is the default password. This default is meant for a local development instance; add your own users rather than relying on the shared default for anything beyond that.
- watsonx.data software
  - Username: admin is the default username. If IAM is enabled, the default username is cpadmin.
  - Password: password is the default password. To get the default password, run the following command:
    ibm-lakehouse-manage get-cpd-instance-details
- watsonx.data on Cloud Pak for Data or Software Hub
  - Username: admin is the default username. If IAM is enabled, the default username is cpadmin.
  - Password: password is the default password. To get the default password, run the following command:
    cpd-cli manage get-cpd-instance-details \
      --cpd_instance_ns=${PROJECT_CPD_INST_OPERANDS} \
      --get_admin_initial_credentials=true
  Note: For information about adding more users, see Adding users to watsonx.data.
- watsonx.data on IBM Cloud
  - Username: either ibmlhapikey_<username> or ibmlhtoken_<username>.
  - Password: either an IBM Cloud API key (with ibmlhapikey_<username>) or an IBM IAM access token (with ibmlhtoken_<username>). For more information, see Getting IBM API key and Getting IBM Access Management (IAM) token.
  Note: To add new users, invite users who have an IBM Cloud account to the watsonx.data service. For more information, see Inviting users in the console.
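The authentication options above (API key or IAM token for the IBM Cloud API, CLI and Presto; a bearer token for Cloud Pak for Data or Software Hub) and the ibmlhapikey_/ibmlhtoken_ username forms, as an added example written for this page rather than code from watsonx.data itself. It builds the credential pairs and token requests a client needs and, before sending an IAM token, checks its expiry claim so that a stale token is refreshed instead of failing the call. The IAM token endpoint is the documented IBM Cloud one; the CPD /icp4d-api/v1/authorize path, the host names, and the sample token are assumptions and constructed test data, not values from the page.

```python
"""Credential helpers for watsonx.data API, CLI and Presto access.

Added example; not code from the watsonx.data product. The IAM token
endpoint is the documented IBM Cloud one; the CPD /icp4d-api/v1/authorize
path is an assumption about the Cloud Pak for Data platform API.
"""
import base64
import json
import time
import urllib.parse

IAM_TOKEN_URL = "https://iam.cloud.ibm.com/identity/token"


def presto_credentials(ibm_cloud_user, secret, kind="apikey"):
    """Return the (username, password) pair for Presto/JDBC on IBM Cloud.

    kind="apikey": username ibmlhapikey_<user>, password is the IBM Cloud API key.
    kind="token":  username ibmlhtoken_<user>,  password is an IAM access token.
    """
    if kind == "apikey":
        return f"ibmlhapikey_{ibm_cloud_user}", secret
    if kind == "token":
        return f"ibmlhtoken_{ibm_cloud_user}", secret
    raise ValueError("kind must be 'apikey' or 'token'")


def iam_token_request(api_key):
    """Build the POST that exchanges an IBM Cloud API key for an IAM access token.

    Returns (url, headers, body); the caller sends it over HTTPS and reads
    'access_token' from the JSON response.
    """
    body = urllib.parse.urlencode({
        "grant_type": "urn:ibm:params:oauth:grant-type:apikey",
        "apikey": api_key,
    })
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return IAM_TOKEN_URL, headers, body


def cpd_authorize_request(cpd_host, username, api_key):
    """Build the POST that turns a CPD/Software Hub API key into a bearer token.

    Assumed endpoint: POST https://<host>/icp4d-api/v1/authorize with a JSON
    body {"username": ..., "api_key": ...}; the response carries 'token'.
    """
    url = f"https://{cpd_host}/icp4d-api/v1/authorize"
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    body = json.dumps({"username": username, "api_key": api_key})
    return url, headers, body


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_seconds_remaining(token, now=None):
    """Seconds until the token's 'exp' claim; negative when already expired.

    Reads the claim without verifying the signature: this is a client-side
    freshness check before sending the token, not an authentication decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    return int(claims["exp"] - now)


def bearer_header(token, now=None):
    """Authorization header for API calls; refuses a token that has expired."""
    if token_seconds_remaining(token, now) <= 0:
        raise RuntimeError("token expired: obtain a new one before calling the API")
    return {"Authorization": f"Bearer {token}"}


def make_demo_token(exp):
    """Constructed, unsigned sample token used only to exercise the expiry check."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg({'iss': 'demo', 'exp': exp})}."


if __name__ == "__main__":
    user, pw = presto_credentials("jane@example.com", "REDACTED_API_KEY")
    print(user, "(password is the API key; send it only over TLS)")
    demo = make_demo_token(int(time.time()) + 3600)
    print(bearer_header(demo)["Authorization"][:40] + "...")
```

The API key travels as the Presto password, so the JDBC or presto-cli connection must use TLS; the token path avoids sending the long-lived key on every connection, at the cost of the expiry handling shown in bearer_header.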
Data Access Service (DAS)
The Data Access Service (DAS) proxy in watsonx.data provides a unified way to access object storage, govern external engines, and audit data access. All of this is accomplished without exposing storage credentials to the engines or requiring complex modifications to engines that are not controlled by watsonx.data.
For more information, see Data Access Service overview.
Common Policy Gateway (CPG)
CPG is a standalone service that makes or delegates governance decisions (including built-in and external policies) on a per-request basis. It is a unified service that lets all applications use a single service to either approve access, or delegate access control and governance approval to an external system. This is a key differentiating capability that allows watsonx.data to integrate with any policy engine, giving greater flexibility and easier integration with the client ecosystem. For more information, see Enabling or disabling common policy gateway engines.
IBM Knowledge Catalog integration for data governance and access control
Integrating watsonx.data with IBM Knowledge Catalog provides self-service access to data assets for knowledge workers who need to use those data assets to gain insights.
For more information, see Integrating with IBM Knowledge Catalog.
Apache Ranger integration for data governance and access control
IBM watsonx.data supports Apache Ranger policies, which provide comprehensive data security when integrating with multiple governance tools and engines.
For more information, see Enabling Apache Ranger policy for resources.
Getting connection information
You can see the connection information of watsonx.data from the Connect information tile of the Configurations page and from the Instance details page. For more information about watsonx.data connections, see Getting connection information.